Well, not me, really, but the customers who want it. And why wouldn’t they want it? Well….
PCI compliance is a complicated subject that credit card companies are presently using to charge most small online merchants more money.
What is PCI compliance?
Basically, PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of rules for protecting the cardholder’s information. The major credit card companies created those standards (they are now maintained by the PCI Security Standards Council) and made them into hurdles. They aren’t simple, even though most small businesses handle cards in a very simple manner.
For instance, most brick-and-mortar stores use a credit card terminal that handles the transaction and prints a receipt that no longer shows the full card number (finally!). Then the retailer puts that receipt into a folder somewhere and holds onto it as long as they are required to. The day’s batch is processed through that terminal. End of story.
The rules and standards cover all sorts of situations that the small merchant never encounters or practices. The biggest one is keeping the customer’s card data somewhere so that it can be used later. That’s the no-no: the security code and magnetic-stripe data may never be stored once the transaction is authorized, and storing the card number itself drags in a long list of encryption and access-control requirements. It’s never a good idea to do that, even if your customer insists you keep it for more charges down the line.
If you do keep it, there are all sorts of rules and recommendations about how it’s kept. If you’ve ever filled out that online PCI questionnaire (the Self-Assessment Questionnaire, or SAQ), you’ve waded your way through that stuff before. Of course, you probably didn’t understand any of it!
Those questionnaires aren’t written with small merchants in mind; it’s a generic one-test-fits-all problem. Good grief!
So you start the test, answer the questions, fix the ones they don’t like the answers to, and then you pass. There’s no checking; it’s the honor system.
So a brick-and-mortar store can pass that test no matter what its practices are and never pay an extra cent.
How does PCI compliance work for online merchants?
Now if you have an online shop, in addition or instead, there is another test you have to pass: a quarterly vulnerability scan of your site from the outside. Actually, it has little to do with you and everything to do with your hosting company and the scripting on your website.
Zen Cart’s code is written to meet the standard. If you have it installed with no mods or changes to the code, the scripting will pass. That’s the easy part.
The second part is your hosting company and the server your website resides on. The scanning vendor your credit card processor has contracted with (an Approved Scanning Vendor, or ASV) runs an automated scan of your server over the internet. And then you fail.
You read the report and can’t make heads or tails of it. You ask your web hosting company about it, and either they don’t answer or they swear off any responsibility for the problems. You panic.
Stop right there.
If you don’t pass the test, a small merchant may pay an extra $20 a month in processing fees. That’s the penalty. Nobody yells at you or threatens your ability to take credit card payments. It just costs extra.
That’s no reason to panic. If an extra $20 a month in fees is beyond your ability to pay, you really don’t have a business.
The Technicalities
The scan checks your server for what the scanning vendor has decreed are vulnerabilities. It looks at the versions your server software announces in its banners and headers, at which ports are open on the server, and so on. Results vary between scan providers because each one builds its own scanning tools and vulnerability lists. Most of them judge a service by the version string it reports, so a Linux distribution that back-ports security fixes without changing the version number can get flagged for holes that were patched long ago; if that happens you can dispute the finding with the vendor by showing the patch is installed.
There’s a list of the approved scanning vendors on the PCI Security Standards Council website, but I wasn’t able to find a definitive list of the requirements to become an approved vendor.
Since I have my own dedicated server, I get to see the scan results from the different companies. I get to see sites that pass and sites that don’t. In the end it has more to do with the vendor doing the scan than it does with the server. The company that my credit card processor uses can’t seem to be able to scan my server at all and, therefore, I fail. I don’t know why that’s so, since other companies can manage it.
My alternative is to pay for a scan from another company. Uh, who? How much? Gosh darn, that’s hard. I started checking, and the first company doesn’t post that info. The one that is presently doing my scans is $249 a year. Divide that by 12 and it comes to about $20.75 a month, roughly the same as the penalty. Another prices it at $699 a year. Cheaper to go without compliance!
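The scan works from outside, so the cheapest way to avoid surprises is to look at your own server the way the scanner does before the report arrives. The script below is an added example for this post, not code from the original article or from any scanning vendor. It does two of the things described above: it parses the listening sockets (in the format of Linux `ss -tlnp` output) and flags anything reachable from the internet that is not on an allow-list, and it pulls product/version strings out of HTTP response headers, since those strings are exactly what a version-matching scanner compares against its vulnerability list. The `ss` output, the headers and the allow-list of ports 22, 80 and 443 are all constructed for the example; on a real server you would feed it the live `ss -tlnp` output and the headers returned by `curl -I https://yourshop.example`.

```python
"""Pre-check what an external PCI-style vulnerability scan will see.

Added example, not from the original post or any scanning vendor.
All input below is constructed sample data so the script runs offline.
"""
import re

# Assumption for this example: a small shop server should expose only
# SSH and the web ports to the internet. Adjust to your own setup.
EXPECTED_PUBLIC_PORTS = {22, 80, 443}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=1203,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("apache2",pid=1203,fd=6))
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=955,fd=21))
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*          users:(("redis-server",pid=1012,fd=6))
"""

# Constructed sample HTTP response headers (not from a real host). The
# Apache string is the classic back-port case: CentOS patches 2.2.15 in
# place, but a scanner that only reads the version will still flag it.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
}

# Addresses that mean "every interface", i.e. reachable from outside.
PUBLIC_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(ss_output):
    """Return (address, port, process) tuples from `ss -tlnp` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header row and anything not listening
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 intact
        match = re.search(r'\(\("([^"]+)"', line)  # process name, if shown
        listeners.append((addr, int(port), match.group(1) if match else "?"))
    return listeners


def unexpected_public_listeners(listeners, expected=EXPECTED_PUBLIC_PORTS):
    """Listeners bound to all interfaces on ports outside the allow-list."""
    return [
        (addr, port, proc)
        for addr, port, proc in listeners
        if addr in PUBLIC_ADDRS and port not in expected
    ]


def advertised_versions(headers):
    """Product -> version pairs that a scanner can read straight off HTTP."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        for product, version in re.findall(r"([A-Za-z][\w-]*)/(\d[\w.]*)", value):
            found[product] = version
    return found


def findings(ss_output=SAMPLE_SS_OUTPUT, headers=SAMPLE_HEADERS):
    """Human-readable list of what an outside scanner would pick up."""
    report = []
    for addr, port, proc in unexpected_public_listeners(parse_listeners(ss_output)):
        report.append(f"port {port} ({proc}) listens on {addr} and is not in the allow-list")
    for product, version in advertised_versions(headers).items():
        report.append(f"{product} announces version {version}; the scanner will match it against its list")
    return report


if __name__ == "__main__":
    for item in findings():
        print("-", item)
```

On the sample data the report names the MySQL port bound to every interface (the Redis listener on 127.0.0.1 is not reachable from outside and is correctly ignored) and the two version strings. The fixes are the usual ones: bind the database to localhost or firewall port 3306, and stop advertising versions with Apache’s `ServerTokens Prod` and PHP’s `expose_php = Off`. Hiding the banner does not make an unpatched service safe, but it does stop a version-matching scanner from failing a server that is already patched through back-ports.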
PCI Compliant Webhosts
Okay, now we are talking about something else entirely. There may be PCI compliant servers out there, but hosting companies can’t (or aren’t supposed to) advertise themselves as PCI compliant unless they have been assessed against the standard as a service provider, which includes the physical security of the data center the servers sit in. In other words, the data center the servers rest in has to be PCI compliant, not just the software on them.
There definitely are some and I have no experience with any of them.
The companies I recommend to folks for Zen Cart hosting that are PCI compliant or help to manage PCI compliance are Geekhost (certified Zen Cart hosting) and Glowhost, who manages my server. Glowhost has a dedicated PCI compliant server program, not shared hosting. Geekhost is a Canadian company with servers “up there”, and Glowhost uses a datacenter in Atlanta.
The point, though, is that in the end you pay more money for PCI compliant servers. Geekhost is a minimum of $20 a month for hosting, probably twice what shared hosting can cost. Their dedicated server rates are better than Glowhost’s, though.
Confused? Crazy yet?
Ha, join a very large club.
My recommendation is simple. Don’t worry about it until the credit card companies jack that monthly cost up ridiculously high or threaten to cut you off. Yeah, right, and cut their own throats!
Don’t let PCI compliance drive you crazy!