For many ecommerce developers, the thought of designing a system to store the credit card data of their clients’ customers is chilling.
For good reason. Determined attackers can compromise even a well-resourced network by combining simple, freely available tools with a little effort. The criminals behind the well-known TJX and Heartland Payment Systems breaches got into those companies' networks with basic techniques: wardriving against weak wireless encryption and SQL injection.
If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.
Managing Credit Card Data
The first (and perhaps most important) challenge you'll face on such an ecommerce project is credit card collection, storage, and handling. One of the easiest and least risky options is to offload the storage and handling of card numbers, via an API, to a payment gateway that tokenizes the card: the gateway keeps the number and hands you back an opaque token that stands in for it (Authorize.net, PayPal, BluePay and similar providers offer this). If the card data goes directly from the customer's browser to the gateway, never passing through your client's web server, that server stays out of the card-data flow, which shrinks the PCI scope, reduces your liability as the developer, and helps keep your client's ecommerce site protected.
However, this solution may not work in every situation or for every client, for at least a few reasons.
- Complicated recurring billing. If your client's recurring billing varies in timing, frequency, amount, or purpose, or if your client's customers pay against purchase orders, your client may want the raw card numbers on hand for flexibility. Tokens still cover most of these cases: the gateways mentioned above can run recurring charges against a stored token, so the card number itself never has to be kept. Whether that is enough depends on how the project needs to process and manage customer data.
- Lower processing fees. Every merchant-account provider passes through the card networks' interchange fees and adds its own markup, and the total does vary from provider to provider. For some clients, managing customer card data themselves can be worth the risk if it lets them move to a provider with a significantly better fee structure.
- Offloading storage alone is not enough. If card data passes through your client's web server, whether the business stores it or not, that server and the system you develop are in PCI scope and must comply. In short, whenever possible choose a solution that never exposes your web server, and so your client's business, to customer card data. When a project does call for transmitting or storing card data, you'll need to build a PCI DSS compliant system that attackers cannot easily overcome.
Understanding the Requirement for PCI Compliance
The Payment Card Industry (PCI) Security Standards Council publishes the PCI Data Security Standard (PCI DSS), twelve requirements that must be met by anyone who handles, processes, stores, or transmits credit card data. The effort needed to achieve compliance depends on the state of the development and hosting environment in which the ecommerce application will run. The details of becoming compliant merit a separate article, but the key point is that whenever a project "touches" credit card information, PCI compliance is a must: your ecommerce client cannot do business without it.
Cutting the Cost of PCI Compliance
PCI compliance can be expensive. Building a PCI compliant system from the ground up may require enlisting a Qualified Security Assessor (QSA) to scope the undertaking, a number of audits, and regular vulnerability scans (external scans are required at least quarterly). All of this may cost a Level 3 merchant, one that processes between 20,000 and 1,000,000 transactions a year, up to $155,000, according to the PCI DSS Compliance Blog.
The cost for smaller, Level 4 merchants (fewer than 20,000 transactions a year) varies greatly, but can run to $2,500 or more according to one payment gateway provider.
As a savvy developer, you may be able to help your client defray some of these costs.
- Find a compliant host. Choose a hosting environment that is already PCI compliant. If your client doesn't need to own servers, a qualified PCI compliant host takes the infrastructure controls off your plate. Keep in mind that the host's compliance covers only its part of the stack; the application you build and how it handles card data remain your responsibility.
- Capture card data in the browser. The points above notwithstanding, a solution that captures card data in the customer's browser and passes only a token to your client's web server is usually the best option, because it keeps that server out of scope.
- Small merchants can assess themselves. Level 2 and smaller merchants can complete a Self-Assessment Questionnaire (SAQ) rather than hiring a third party to perform the assessment, which can save money. Which SAQ applies depends on how card data is handled; a merchant that has fully outsourced card capture to a validated gateway qualifies for the shortest form (SAQ A).
PCI Compliance: You Need to Do It
Achieving PCI compliance is not only mandatory for all ecommerce merchants; it also shows that you and your client have put in place a recognised baseline of controls to give your client's shoppers a safe experience. Securing your client's environment before a breach, rather than after, will count for a lot with Visa, Mastercard, the PCI Council, and the forensic investigators who perform due diligence should disaster strike.
In fact, cleaning up after a breach is likely to be harder and more expensive for a non-compliant company. Forrester Research estimates that mitigation costs an average of $200 per compromised card account.
2 Comments
Bryan Johnson says:
As you mentioned, there are a number of solutions in the marketplace that can remove the credit card data from a merchant environment to simplify PCI Compliance and reduce the risk of sensitive data being stolen.
There are significant differences in how the different providers enable merchants to do this, and they are worth examining in depth.
The other thing to consider is that the majority of providers will lock up a merchant's stored credit card data, so if they wanted to move to another provider they wouldn't be able to access their data.
Bryan Johnson, Braintree
shinephilip123 says:
Since I process cards on my safety and security web site as well as for my sales incentives business, I'm very interested in this story. Thanks for this information.
