Meeting Credit Card Security Standards
I was working with an online business owner recently who was questioning whether he had to meet PCI DSS (Payment Card Industry Data Security Standard) requirements for his online shopping cart. He has a credit card merchant account through a national bank, and the bank was telling him he had to have quarterly vulnerability scans of his web site PLUS fill out a 200-question form.
“But I don’t store credit card data,” he said. Well, if you read the fine print of the PCI DSS standard, it says something like the following:
PCI DSS does not apply if PANs [credit card numbers] are not stored, processed, or transmitted
It is the transmitted part that is relevant to his setup. He’s using a Zen Cart shopping cart and Authorize.net AIM as his payment gateway. With that setup, the customer enters his or her credit card information within Zen Cart and it is then forwarded to Authorize.net.
He’s not storing credit card data, but he is transmitting it over an SSL connection: the card number passes through his web server on its way to the gateway. That means his web server, database and SSL connection all have to be checked for vulnerabilities at least once per quarter.
Now, Authorize.net has a newer gateway interface called CIM (Customer Information Manager) that would work for this, but no one has written a Zen Cart plugin for it yet.
If you find yourself in this situation here are your options:
1. Hire a programmer to connect your Zen Cart with Authorize.net CIM
2. Change shopping carts to one that will integrate with CIM
3. Change credit card merchant accounts to something like PayPal Web Merchant Pro, where the customer enters the credit card info on PayPal's site rather than yours
4. Go through the hassle of answering the 200-question form and fixing any vulnerabilities found, with the help of your web host's tech support if they are willing. If tech support won’t help you, you’ll have to find a PCI compliant web host.
Credit card security is vital, but also can be a real pain for online businesses.