We develop ecommerce sites for our customers, and have always tried to work within the PCI DSS.
However, we're trying to develop a lower priced offering aimed to be attractive to smaller businesses just starting out. One thing we constantly hit is customers telling us that they don't want a merchant account or to pay gateway fees when they have a credit card machine in the shop. Why can't we just store the credit card details and either email them to the shop or show them online?
Now, those of you familiar with PCI DSS will know that this is something you really have to avoid if a) you're doing things right and b) you're doing things cheap.
What makes this harder is the amount of competition out there that blatantly flouts the regulations. Our biggest local competitor even stores the CVC2 code, for example, which is STRICTLY prohibited by PCI DSS and unnecessary.
I realise that the big players like Actinic do things correctly, but we don't have the deep pockets they do.
My question here is: does anybody know of a PCI-compliant third-party service similar in functionality to Actinic that we could use to allow us to offer card number storage? I've searched Google but not found anything yet.
Many thanks
Hedwig
It sounds like you are already compliant (Level 4, I am guessing)? Are you wanting someone to store the CVV2 / CVC2 / CID as well? Because you won't find one of those that is legally storing those. Or are you wanting a hosted cart that is PCI compliant?
-Corey
Currently, we are compliant with PCI level 4.
In the UK, Actinic offer a service for smaller retailers who already have credit card machines which is compliant with PCI.
The way it works (I think, based on conversations I've had with their clients) is that when a sale occurs on a site using their platform, the site's server posts data to Actinic's server (which is geographically remote and separate and I'm guessing held at Actinic's offices so that they can control access to it), where the data is held with the appropriate levels of encryption, physical security etc.
An email is sent to the retailer informing him/her of the new sale. The retailer has a PC based application which communicates with the Actinic server to download the card data securely. As you say, this data will not include the CVC2 number. The retailer can then process the order as if the customer were present. I am surmising that this has been audited by PCI and that they're happy with it - Actinic are too big a company not to have done this right.
What I am looking for is someone who can offer me a similar service to that provided by the Actinic server. This isn't an integration difficulty (I'm an old software engineer and I employ another software engineer), it's just a matter of being able to find a solution to the problem.
One thing I am DEFINITELY clear on is that what my local competitor is doing is commercially and financially bonkers. I am currently walking away from business because I take a firm stand on this issue. My competitor seems unperturbed by his lack of compliance and is happy to go along blindly.
All the Best
Tony
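The separation Tony describes (card data posted to a separate, remote server and held encrypted there; the shop emailed only a notification; the retailer's application fetching the record later; CVC2 never kept) is the core of any vault of this kind. The following is an added illustration, not code from this thread or from Actinic's product: a minimal vault in Python using only the standard library. Because the standard library has no AES, the record cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag standing in for AES-GCM; the class, field names and the token format are this example's own assumptions, not any real provider's API.

```python
# Added example (not the thread's or Actinic's code): a minimal card-data vault
# showing the separation described in the thread.  Standard library only; the
# HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for
# AES-GCM.  All names and the record layout are this example's assumptions.
import hashlib
import hmac
import json
import secrets

# PCI DSS requirement 3.2: sensitive authentication data must not be stored
# after authorisation, even encrypted.  Any of these fields is dropped.
SENSITIVE_AUTH_DATA = {"cvc2", "cvv2", "cid", "track", "pin"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check before a PAN is accepted."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Last four digits only; PCI DSS 3.3 allows at most first six / last four on display."""
    return "*" * (len(pan) - 4) + pan[-4:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _derive(master_key: bytes):
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with separate keys for encryption and MAC."""
    enc_key, mac_key = _derive(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a modified record is rejected, not decrypted."""
    enc_key, mac_key = _derive(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardVault:
    """Stands in for the remote server.  In a real deployment the master key
    lives in an HSM or key-management service, never beside the records."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._records = {}                  # token -> sealed record

    def store(self, card: dict) -> dict:
        pan = card["pan"].replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        record = {k: v for k, v in card.items() if k not in SENSITIVE_AUTH_DATA}
        record["pan"] = pan
        token = secrets.token_hex(16)       # opaque reference the shop can be emailed
        self._records[token] = seal(self._master_key, json.dumps(record).encode())
        return {"token": token, "masked_pan": mask_pan(pan)}

    def retrieve(self, token: str) -> dict:
        """What the retailer's desktop application fetches over its authenticated channel."""
        return json.loads(unseal(self._master_key, self._records[token]))


def sale_notification(order_id: str, stored: dict) -> str:
    """The email to the shop carries a reference and masked PAN, never card data."""
    return (f"New order {order_id}: card ending {stored['masked_pan'][-4:]}, "
            f"vault reference {stored['token']}")


if __name__ == "__main__":
    vault = CardVault(secrets.token_bytes(32))
    # Constructed sample order; the card number is a well-known test PAN.
    stored = vault.store({"pan": "4111 1111 1111 1111", "expiry": "12/29",
                          "name": "A Buyer", "cvc2": "123"})
    print(sale_notification("1001", stored))
    print(vault.retrieve(stored["token"]))  # no cvc2 key in the result
```

The two points worth taking from this are structural rather than cryptographic: the shop's website and the notification email never hold anything a thief could charge with (only a token and the last four digits), and the vault refuses to persist CVC2 at all rather than relying on anyone remembering not to. The competitor storing CVC2 on the web server fails both.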
I guess what I am not understanding is that you are PCI compliant, but you don't want to store the numbers anyway?
Have you checked to see what Protx might offer, as well as Barclays / HSBC? I am not as familiar with the processors in the UK as I am with those in the US. I know that most usually think Barclays is too expensive and look for something else.
-Corey