
Taking Credit Card Payments Online - Pci Compliance

MrsDev

New Member
I'm wondering if anyone can give me some advice. The whole idea of PCI compliance frankly frightens me to death and looks like it costs a fortune for small businesses.

I've been wanting to take card payments online through my virtuemart store, as more and more customers are wanting direct card payments.

My current options are PayPal, cheque & postal order. I've partly solved the problem by signing up for a virtual terminal with PayATrader, which allows me to take card details over the phone and input the details straight into the terminal (PCI compliant as long as I don't record any of the details, which I don't).

Taking orders over the phone means they must ring when I'm 'working' (self-employed), or when I'm not looking after my son (full-time carer), which doesn't happen often!

However, I've found an addon for VirtueMart which takes users' card details at the checkout. It describes itself as PCI compliant because it stores half the card number in the database and the other half in the admin back end. Therefore at no one point is there a complete card number accessible.

I've been debating whether to get it; the last thing I want to do is get into trouble. Does it sound too good to be true? Would I still need the server virus scans and whatever restrictions they put in place to be PCI compliant?

Being able to take card payments at the checkout will give me a distinct advantage.

Any ideas?
 

Robert Frost

New Member
Hmmm not heard of this to be honest. It does sound too good to be true to me, can you check with PCI if they know of it?
 

MrsDev

New Member
Here is the link to the extension - http://extensions.virtuemart.net/payments/offline-credit-card-processing-detail

This is what it claims -

PCI compliance
  • The offline credit card plugin is compliant to your country's local rules, regulations and requirements.
  • First digits are stored in the database, with the last digits being sent via email.
  • The plugin includes the option to delete the credit card information in the VirtueMart administration once the payment has been processed.

I was mistaken, the second part isn't stored in the admin panel but sent via email instead.

Would I contact PCI through here - https://www.pcisecuritystandards.org/ ?
 

MrsDev

New Member
I've sent an email with the following -

Hi,

I run a Joomla website where I use VirtueMart as my ecommerce store. Through the website I currently only accept PayPal or cheques.

I do have the odd client ring to give card details over the phone, which I process with Payatrader through their virtual terminal - http://www.payatrader.com/

I have found an extension for VirtueMart which allows you to take credit card details online through the store - http://extensions.virtuemart.net/payments/offline-credit-card-processing-detail

It claims to be PCI compliant -

"PCI compliance

The offline credit card plugin is compliant to your country's local rules, regulations and requirements.
First digits are stored in the database, with the last digits being sent via email.
The plugin includes the option to delete the credit card information in the VirtueMart administration once the payment has been processed."

I was planning on collecting the card info through the extension, where it is split into two parts (database & email), processing the details through the Payatrader virtual terminal and then deleting the details after I had processed it.

I wanted to check whether this would be ok.

They can only say no I suppose, I just hope I sent it to the right email address.
 

MrsDev

New Member
I've had a reply -

Thank you for your email. Any payment application that has been validated against the PA-DSS standard will be listed on our website here: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

As for a company's compliance, the PCI Security Standards Council is a standards development body. We focus on developing technical security standards for merchants, acquirers and service providers to use to secure payment card data. PCI SSC does not track, enforce or validate a merchant's compliance. The individual payment brands are responsible for their own PCI DSS compliance programs. You will need to reach out to your acquirer or contact the credit card brands directly to determine what would be compliant in your environment.

I take it if I plan to process them through Payatrader, they would be the acquirer?
 

MrsDev

New Member
Thank you, I'll take a look.

I had an email back from the company I would have processed the card details through via their virtual terminal (Payatrader). They questioned that there was no PCI registration number available, I think that's what they called it.

I guess I'll just leave it then, it seems more hassle than it's worth. I don't fancy the idea of Sagepay or something similar either as it costs so much.
 

MattW

New Member
I work in the payments industry. PCI is a royal pain in the ar5e!

I've previously used SagePay, and as my online store offloaded all the payment details to their secure form (nothing was actually entered on my site), it allows you to maintain PCI compliance, and you just need to fill in a self certification form.

I've since got rid of SagePay, as the outlay for a Barclays business account, plus a sagepay account and processing fees wasn't worth it. I now just use PayPal for online orders, and again, because it's using their page for entering the card details, it still allows my site to remain PCI compliant.

EDIT: Some further information. You will only need to be subjected to scans IF you are going to be storing the card details locally on your own webserver / database. Having SagePay / PayPal do this removes the need for vulnerability scanning.
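One practical check MattW's point implies, as an added example that is not from this thread or from any of the products mentioned: a small cardholder-data discovery scan over constructed sample records (a database row and a notification e-mail, like the ones a plugin that keeps card details on the merchant's own server would leave behind). Any Luhn-valid card number it finds is cardholder data still in scope, however the plugin splits it. All record names and values are constructed.

```python
import re

# Constructed sample records (not real data): one order-table row, one
# notification e-mail body, and one line from a shop that hands the card
# form to a hosted payment page and only keeps a gateway token.
SAMPLE_RECORDS = {
    "orders_table_row": "order_id=1042 name=J Smith cc_part1=4111 1111 1111 1111 expiry=12/27",
    "notification_email": "Order 1042: remaining digits 5105105105105100 - please process in terminal",
    "clean_log_line": "order_id=1043 gateway=hosted_page token=tok_ab12 status=paid",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double
    every second digit, subtract 9 if that exceeds 9, and sum everything."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, not
# glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid card-number-like sequence found in text,
    normalised to bare digits. Order numbers, dates and tokens fall out
    because they are too short or fail the checksum."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records: dict) -> dict:
    """Map each record name to the card numbers it exposes; an empty list
    means the record holds no full PAN and is not cardholder data."""
    return {name: find_pans(body) for name, body in records.items()}
```

Run `scan_records(SAMPLE_RECORDS)` over an export of your own tables and mail store in the same way; a non-empty result is exactly the "storing card details locally" situation that brings the server into scope for scanning.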
 

MrsDev

New Member
I use PayPal now but I get quite a lot of customers complaining they can't enter their credit card details directly or they don't want a PayPal account.

I know there is a small link somewhere at the bottom of the PayPal page which says something like 'pay with a credit card'. Yet my customers don't seem to see it and still complain! Maybe it's because they aren't so tech savvy, who knows.

Instead of trying to get something PCI compliant, I'm now searching for an extension which directs the customer directly to the PayPal credit card form (opened) when that option is selected.

I'm still searching, haha!
 