Safe Credit Card Handling
If you haven't been a victim of credit-card fraud yet, just wait. You probably will be at some point in your life. About 9 million Americans are victims of identity theft each year. To help protect consumers, the credit card companies (Visa, MasterCard, AmEx and Discover) have joined to form the Payment Card Industry (PCI) working group. They set standards for how credit cards and cardholder informaiton is to be handled. If you accept payments on your website, even through PayPal, you need to adhere to these guidelines to protect your customers' payment information. Now I admit, none of us need more rules and regulations to live under. We have better things to do with our energies than go through a checklist that's been handed to us by some anonymous, faceless cabal. But sometimes it's really in our best interest, and in this case, in everybody's best interest.
The PCI Security Standards Website, unfortunately, isn't well organized in my opinion. We've been getting a lot of questions lately about PCI compliance, so I'm going to try to answer them here. If you have other questions I don't cover, please contact us.
Can I take credit card numbers on my website? In general, the answer is "no," or to be more specific "you can't afford to." In the old days, websites just had to have a security certificate to encrypt the credit card information the users typed in and they were good to go. Not now. Too many sites have been hacked and payment information stolen. Now, having an SSL certificate is just one of twelve hoops you have to jump through to be able to be PCI compliant and take credit card numbers on your site. The most recent development is that the PCI people now require that your ecommerce software pass an audit and be Payment Application Data Security Standards (PA-DSS) compliant. The bad news is that getting software to pass these audits is expensive. The worse news for us is that because Joomla e-commerce software is low-cost and Open Source, there isn't money available for audits like this. So, as far as I know, there is NO PA-DSS compliant shopping cart software available for Joomla.
Can't I use PayPal Pro and collect the credit card information on my site and hand it off to PayPal? Since I'm not storing the credit card information, then I'm PCI compliant, right? Well, not really. PCI covers not just storing credit card information, but collecting and transmistting it as well. In fact, if you go to the PayPal page where PayPal talks about PayPal Pro and PCI compliance, you'd hope to see a big, friendly banner that says "using PayPal Pro is absolutely PCI compliant." But that's not what you see. They basically say "PCI compliance is important" and "hire one of our partners to tell you about PCI compliance" so they don't have to be the bearer of bad news.
Why did PayPay come out with a solution that's not PCI compliant right out of the box? Probably because PayPal Pro was introduced before the PA-DAA compliance guidelines. Maybe they figure "Hey, we were here first." I can't offer an authoritative answer as to PayPal's thinking.
So what shopping carts are PA-DSS compliant? Well, there's Magento Enterprise. But you probably can't afford it.
How much is it? Starts at $15,500 per year. I told you these software audits were expensive.
So what do I do? The simplest thing is to not touch any credit card information at all. When a customer wants to pay, the shopping cart software sends them off site to Authorize.net or PayPal.com or some such place to enter their information.
And this gets me off the PCI compliance hook? Not really. You still have to fill out an annual compliance self-assessment form that says "we don't touch credit card info, our outsourced solution is PCI compliant and we train our people not to mess the credit card info." It's about a 12-question form, and it's not too bad. If you take credit cards on your own website, the form's a bit longer, it's the "D" version of the Self Assessment Questionnaires and it's more like 225 questions. Good luck with it.
But I hate sending my customers away from my site. it's ugly and people don't like it. Is there anything else I can do? There are some ways of making it less ugly. One solution is CRE Secure. They are an Atlanta-based company that has a fairly novel solution. When the user of your site clicks the "Pay Now" button, they're taken to the CRE Secure page to enter their credit card information. So what makes them different from PayPal or Authorize.net? CRE does a "screen scrape" of your site's payment page so that the end user goes to a page that looks exactly like your website to make their payment. The only way they know they aren't still on your site is that the url in the browser address field has changed. After they pay, they are then returned to your site.
And as much as you may not like sending your customers to another site for payment, they prefer to to becoming the victim of fraud. Keep in mind that PCI DSS was ultimately designed to protect the consumer.
And this is free, right? Well, no. Their plans start at $40 per month, but it's more than just a payment piece. They completely oursource your PCI compliance, so it's one less headache for you, and considerably less expensive than doing it yourself.
How much of that do you get? Nothing. 3by400 doesn't have a business relationship with CRE Secure. I just met their Chief Technical Officer last year and thought he was pretty sharp and their product fills a gap.
Will CRE Secure work with my Joomla shopping cart? Not yet, drat it. They have a list of shopping cart software that they have modules for, and none are Joomla carts. However, they're a new company and they say they're working on modules for other e-commerce packages, so stay tuned. If there's enough interest, we may undertake writing such a module. Let us hear from us and stay tuned.
UPDATE ON 01/01/2015:
3by400 is excited to announce a new, PCI compliant payment method using Braintree Payments, HikaShop, and our new Braintree HikaShop plugin! Get more information here.
To heck with all this! I'll just run credit cards the way I have been and won't worry about this PCI stuff. What's the worst that could happen? The worst? Pretty bad. The worst that could happen is that your credit card processor revokes your right to process credit cards, or that you have to undergo an audit for each of the next three years. These audits generally run about $40,000 per year. So it's like the old Fram commercial said "Pay me now, or pay me later."
The cost of PCI compliance is high, but the cost of PCI non-compliance can be catestrophic. It could cost you your business.