PCI compliance is necessary given the number of hacks that have occurred worldwide. I encourage my customers to use Simple Integration Method versus Advanced Integration Method. It keeps the Self Assessment Questionnaire to a minimum since the credit card transaction occurs at the gateway.

[merchantservices.cc...]

Just for discussion's sake, why would you think SIM has this advantage over AIM? (For those unaware, these are the two integration methods of the Authorize.net API - Simple/Advanced Integration Method.)

The transactions *still* occur at the gateway with AIM. You make the connection via silent post. No local CC info needs to be stored using AIM.

Just for discussion's sake, why would you think SIM has this advantage over AIM? (For those unaware, these are the two integration methods of the Authorize.net API - Simple/Advanced Integration Method.)

The transactions *still* occur at the gateway with AIM. You make the connection via silent post. No local CC info needs to be stored using AIM.

SIM, otherwise known as a boomerang payment gateway, removes PCI obligations from you and puts it on the payment provider.

When I was researching using a cloud environment, I was told by many the only way to do so was to use SIM or other boomerang providers. Using a boomerang would take away the PCI compliance as I would not be collecting or transmitting any personal info.

> I host at rackspace and was quoted $7,000 to
> $10,000 per MONTH for PCI Compliance.

What's worse, is that Rackspaces default server offerings fail several independent PCI Compliance tests like those from mega TrustWave.

> only store

That doesn't matter when your merchant provider requires that you pass pci compliance tests.

> Why do someone like me even need to be PCI Compliant?

Because there maybe holes in your server that allow third parties to sniff/intercept your CC data as it is submitted. Even though you are not storing the data - you are handling it.

Ah, it had been so long since I used SIM I'd forgotten, it actually sends you to the gateway's server for payment. I'll stick w. AIM and PCI compliance.

rocknbil, totally agree ... SIM seems very amateur. Not saying it is, but me as a customer if im shopping and checking out and you send me off to another site I am out of there.

As if the data is protected any differently regardless of prices charged...

GaryBradshaw: and everyone I spoke has said "not meaning to scare you but you could be shut down or fined up to $100,000 if you are not compliant.

BS. If they start shutting down merchants, who's going to pay their transaction fees and bonuses that are in billions per year now?

BS #2. It is MERCHANT who get fitted with the bill when someone uses stolen credit card. How on earth do they make MERCHANT pay for this, AND make merchant pay for being PCI compliant? That's just perfect, a class action suit waiting to happen IMHO.

I think they just use a scare tactic, and can't possibly start auditing or shutting down anyone. Maybe a few bad apples just to scare the rest of you into paying more fees.


I am of course refering to the OP, where he handles less than $10K/month and is his own sole employee. I would just ingore all the hoopla in this case. Of course, it is a different story if you gross that much a day and have a building full of staff...

It looks like there's a lot of confusion here...

- if you don't ever touch, see, transmit or store the CC data, the PCI DSS requirement are very low: you just fill out a self-assessment questionnaire and attestation of compliance (SAQ A), and you're done.

E.g. if at the end of your checkout process you send the customer to a (secure) page hosted by your payment gateway provider, and the CC data is entered on that page and sent only to the payment gateway provider, then you don't have to do a thing. That's the case with solutions like Paypal (the "standard" solution at least), many gateways provided by banks in Europe, and probably quite a few solutions in the US as well (sorry, not familiar with who provides what there).

- if any part of the CC data ever touches your server(s) (even if you only send the data right away to the gateway and never store it), then you need slightly more extensive PCI DSS compliance checks. There are various levels (1-4) depending on what exactly you do, how many transactions you handle, etc. The lowest level (4), which applies to people handling under 20 000 e-commerce transactions a year, basically requires you to complete a self-assessment questionnaire (SAQ C or D depending on whether you store the data or not) and have a quarterly scan performed checking for vulnerabilities. There are many vendors providing this service:

[mcafeesecure.com...]
[comodo.com...]
etc.

We are talking a few hundred $ a year, not more.

- full assessments by a third party (in PCI DSS lingo, Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)) are only required for very large merchants (over 6 million transactions a year), payment service providers, etc. Those are the assessments that cost $$$$, though the expensive part (the On-Site PCI Data Security Assessment) is annual, so I'm not quire sure how you got a quote for several K$ per month. What was it supposed to include exactly?

Some helpful links:
- what PCI DSS level do you need:
[usa.visa.com...]
[rbsworldpay.com...]

- if level 4, what SAQ should you use:
[rbsworldpay.com...]

Hope this helps,

Jacques.

Jacques, you summed it up perfectly. Your details are dead-on accurate.

If you really do care about customer protection then your processes and process control logs will satisfy an audit with zero additional cost. The most would be an annual pen test at around $2500, which you could in-source if a staff member gained certified ethical hacker.

It sounds like you may be being quoted for fully managed security.

PCI is actually relatively easy for small merchants compared to say ISO 27000-2 compliance

They are probably legal issues for Rackspace (think liability) but $7000+ a month for a small merchant?

Maybe they are used to getting away with expensive hosting prices

We just finished the PCI compliance process for the company that I work for. As mentioned earlier, if you aren't accepting any CC details on your website, then you don't have to do server scans. SAQ is optional.

However if you do fall under Tier-2 or Tier-3 merchant category (based on the number of transactions, credit card data passing through your server to payment gateway for a charge), then its a totally different ball game.

When we initially dived into the project, we thought server scans and SAQ filing were all that are required. The truth is - that's really what is required (for Tier-2/3 merchants), however there are lots and lots of policy changes that need to be implemented with in the company and outside to comply with PCI. These changes definitely take time and there is a cost involved. For eg, it took us almost 4 months to be truly PCI compliant (software, hardware, network architecture, logging, audit, password policy, backups, change management policy, key management policy etc). And we had a very good in-house technical team to achieve it all. Had we relied totally on consultants or outside technical teams, the costs would have scaled up further.

What you should check with Rackspace is the details of their PCI compliance product. For all you know they may be selling you a PCI package that's required for Tier-2 or Tier-3 merchants. Usually costs involved for those merchants can easily touch 5 figure mark depending on the complexity and scale of operations.