As SEO/SEM consultants we deal with a lot of e-commerce so this issue came onto my radar a little while ago. It’s not current news but it seems a lot of web folk are unaware of the issue to date.
The banks and credit card companies are pushing a new compliance level for all businesses that store or carry out credit card transactions on their site. This is particularly aimed at those web sites that store card details and personal information. However you would also seem liable if you take the card details on site and transmit them instantly to the payment gateway (without storing them). This is the method used for many API e-commerce connections, including the PayPal Pro service.
The only web sites exempt are those that have the entire transaction carried out on the site of the Payment Processor, so that card details never pass through the merchant's own server.
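The distinction above (card details touching your server versus the whole payment happening on the processor's site) is what decides whether your site is in scope. As an added example, not code from the original post or from any payment provider, here is a small Python check a merchant could run against the form data their checkout endpoint actually receives. The field names, the two sample POST bodies and the test card number are constructed for illustration; the Luhn checksum is the standard one used to validate card numbers.

```python
# Added example (not from the original post): flag whether cardholder data
# ever reaches the merchant's own server.  A hosted-checkout integration
# should pass this check; a direct API integration will not, which means
# the merchant's environment is inside the compliance boundary.
import re

# Hypothetical field names a checkout form might use for card data.
CARD_FIELD_NAMES = {
    "card_number", "cardnumber", "pan", "cc_number",
    "cvv", "cvc", "expiry", "exp_month", "exp_year",
}
# Primary account numbers are 13 to 19 digits long.
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: True if the digit string could be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fields_holding_cardholder_data(form: dict) -> list:
    """Return the names of form fields that carry card data.

    Matches on well-known field names, and also on any value that looks like
    a PAN (right length and valid Luhn checksum) so that card numbers typed
    into an unrelated free-text field are caught too.
    """
    hits = []
    for name, value in form.items():
        lowered = name.lower().replace("-", "_")
        if lowered in CARD_FIELD_NAMES:
            hits.append(name)
            continue
        digits = re.sub(r"[\s-]", "", str(value))
        if PAN_RE.fullmatch(digits) and luhn_valid(digits):
            hits.append(name)
    return hits


def integration_scope(form: dict) -> str:
    """'in_scope' if any cardholder data reaches this server, else 'out_of_scope'."""
    return "in_scope" if fields_holding_cardholder_data(form) else "out_of_scope"


def mask_pan(value: str) -> str:
    """Mask a PAN for logging so that only the last four digits remain."""
    digits = re.sub(r"[\s-]", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample POST bodies.  "4111 1111 1111 1111" is a widely used
# test number that passes the Luhn check; it is not a real account.
DIRECT_API_POST = {          # card data posted to the merchant, then relayed to the gateway
    "order_id": "1001",
    "amount": "49.99",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv": "123",
}
HOSTED_CHECKOUT_POST = {     # merchant only sends order details; card is entered on the processor's page
    "order_id": "1001",
    "amount": "49.99",
    "return_url": "https://shop.example/thanks",
}

if __name__ == "__main__":
    for label, body in (("direct API", DIRECT_API_POST), ("hosted checkout", HOSTED_CHECKOUT_POST)):
        print(label, "->", integration_scope(body), fields_holding_cardholder_data(body))
    print("log-safe PAN:", mask_pan(DIRECT_API_POST["card_number"]))
```

Running the script shows the direct API body as in scope (three fields carry card data) and the hosted checkout body as out of scope. The Luhn-based check is what makes this useful beyond field names: a card number pasted into an order note or address field still puts the request in scope, and `mask_pan` shows the form in which such a value should appear in any log the server keeps.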
Sites will need to be approved for PCI Compliance by an approved vendor and receive a certificate. Although the process is semi-voluntary at the moment there are some severe fines and sanctions for non-certified vendors should a breach occur.
PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.
* Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.
* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
* If you do not notify the companies of probable or actual violations or thefts of your customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.
* Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.
These are the levels each business needs to meet (depending on transaction numbers). Deadlines for meeting the PCI standard seem to vary depending on your payment processor and bank but April 2008 has been mentioned several times.
With Visa/MasterCard doing the fines this is likely to be transnational but I’m only noticing the issue getting discussed in UK areas to date. There are many PCI Compliance vendors springing up on the search engines, and the prices for small businesses (level 4) seem to start at around $200 per year.
For more information visit the PCI Compliance Guide