FN-FORUM: PCI DSS Merchant Compliance -(All sites have to comply by June 30, 2005)
date posted 30th July 2005 19:09
Hi
{{THE PROBLEM}}
I am creating an eCommerce site for a client and I have come across the
problem called 'PCI DSS Merchant Compliance'.
{{THE PICTURE}}
My client owns a high street shop and requires an online e-shop to
support the shop sales. He has made it clear that he doesn't want to use
PayPal or a WorldPay system, as he has a merchant account which he uses
in the shop.
{{MY OFFERING}}
Before I knew about 'PCI DSS Merchant Compliance' I had suggested to my
client that I use 'ZEN-CART' plugged into an 'SSL' and have the credit
card info emailed to their shop for them to process by hand.
{{MY HOSTING PROVIDER STATES}}
Accepting online payments via credit card must be done securely. It is
not adequate to take credit card details via SSL then to email the
results to yourself or the administrator. There are at least three
issues with this method:
1. Sending sensitive details via email is not secure.
2. Storage of credit card details must be kept secure.
3. Detection of fraud - how do you check if the credit card
details are stolen?
{{MY PROBLEMS REGARDING THIS}}
Is there a way I can get round this security compliance program without
costing too much?
Who tests the line for compliance?
I have quoted the client for the site without taking this into
consideration. I was unaware of this merchant compliance. What could I
do?
Craig