New E-commerce developer needing advice

Hello

I am a web developer looking to develop e-commerce solutions for small clients. The first part of achieving this is to research the business side of having an e-commerce site. Areas I have discovered that have led me to some confusion are PCI compliance and the requirements to become PCI compliant.

I understand that every e-commerce site on the internet is required to be PCI compliant to avoid fines and lawsuits against them. I have read the PCI website briefly; what are the basic requirements needed to fulfil PCI compliance? I was reading about payment gateways, and as they handle card details, does this mean that all the responsibilities of making an e-commerce site PCI compliant are passed onto the payment gateway rather than the e-commerce site? If an e-commerce site uses a payment gateway which is PCI compliant, is that it, or are there other things needed from the hosting or the e-commerce site that need to be done?

What are the basic legal and security fundamentals behind a successful e-commerce site that need to be fulfilled? If I want Mastercard, Visa and PayPal options in place, what are the general things I need in order to set this up?

I have really struggled to find the basic information on what technologies e-commerce sites have in common for payment handling.

Any books or links or references to guides are very much appreciated.

Sparx

No Ali. SSL certificates encrypt data that is transferred between the client and your own website's server(s).

The point that edmondscommerce is trying to make is that the best way to handle card details currently is to use hosted/redirect methods. This means no sensitive data (i.e. card details) is passed between the client and your website's servers. All card details will be transmitted between the client and the payment gateway directly, leaving less responsibility at your end in terms of PCI compliance.
 
Upvote 0
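To make the hosted/redirect idea concrete, here is an added example (not code from any poster or from a real gateway) of a merchant-side skeleton against a hypothetical gateway: the shop signs only the order fields and sends the shopper to the gateway's hosted page, verifies the gateway's signed result when it comes back, and refuses any inbound form post that carries a card-number-shaped value so a PAN can never land in the shop's own logs or database. The gateway URL, the shared secret and the field names are all assumptions.

```python
"""Hosted/redirect checkout skeleton (added example, hypothetical gateway).
The merchant server handles only order id, amount and currency; the card is
entered on the gateway's hosted page and never reaches this server."""
import hmac, hashlib
from urllib.parse import urlencode

# Shared secret issued by the (hypothetical) gateway; constructed sample value.
GATEWAY_SECRET = b"example-shared-secret"
GATEWAY_URL = "https://gateway.example/hosted-checkout"

def _sign(fields: dict) -> str:
    """HMAC-SHA256 over the fields in key order, so tampering is detectable."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()

def build_redirect(order_id: str, amount_pence: int, currency: str = "GBP") -> str:
    """Redirect URL sending the shopper to the gateway's hosted page.
    No card fields exist here: the gateway collects them directly."""
    fields = {"order": order_id, "amount": str(amount_pence), "currency": currency}
    fields["sig"] = _sign(fields)
    return f"{GATEWAY_URL}?{urlencode(fields)}"

def verify_callback(params: dict) -> bool:
    """Accept the gateway's result only if its signature matches."""
    supplied = params.get("sig", "")
    fields = {k: v for k, v in params.items() if k != "sig"}
    return hmac.compare_digest(_sign(fields), supplied)

def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(form: dict) -> bool:
    """True if any field looks like a card number (13-19 digits passing Luhn).
    Use it to reject such posts before they are logged or stored."""
    for value in form.values():
        digits = "".join(ch for ch in str(value) if ch.isdigit())
        if 13 <= len(digits) <= 19 and _luhn_ok(digits):
            return True
    return False
```

The `contains_pan` guard is a safety net for the "card data never touches my server" claim; a post that trips it should be rejected and never written to a log.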
Have to agree with ed

Get yourself a decent payment service provider for the PCI headache AND IF you want to add some levity to your security, an SSL would look good on an account creation page/personal details stuff etc.

MartCactus

Joseph's advice to ensure your site never sees the card details is good advice.

However, strictly speaking (as Joseph suggested) it won't ensure PCI compliance (though it helps)... see eg

http://www.pcicomplianceguide.org/pcifaqs.php

1) "Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI."

2) ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010


So using a third party to process transactions does make compliance much easier (using self assessment questionnaire)

But the second issue is the payment application. Technically all payment applications (Magento, osCommerce, our own Kartris, etc.) need to be validated as PA-DSS compliant. As far as I'm aware most free open source applications (and many paid ones, including our own) haven't been PA-DSS validated. Unsurprising, since it's an absurdly expensive box-ticking exercise.

Bizarrely the powers that be have decided that if you build your own payment application it doesn't require PA-DSS, but if you use an off-the-shelf one built by experts with years of experience of coding secure payment applications, it does. So the message seems to be to have a go at building something yourself rather than using something written by experts.

Fortunately the rules are so bizarre, and so complex that most of the card gateways don't seem to enforce them to the letter.
Bizarrely the powers that be have decided that if you build your own payment application it doesn't require PA-DSS, but if you use an off the shelf one built by experts with years of experience of coding secure payment applications, it does. So the message seems to be to have a go and building something yourself rather than using something written by experts.

Are there any internet resources on this? Seems bizarre that they enforce PCI on expert e-commerce packages yet fail to impose the same thing on homebrew e-commerce packages.

So if I want to build e-commerce sites for clients, how far generally should I go with PCI in order to avoid any incidents? I am definitely going down the path of payment gateways with SSL, but not sure if I should take further measures to protect my reputation as a developer and my client's reputation as a merchant.
I know you mainly asked about being compliant, but I don't really have too much extra to add onto what others have mentioned above me. What I would say if you're building websites: avoid at all costs looking after hosting.

No seriously - Do not touch it!

HTMLHugo

SSL plays a major role in e-commerce websites; it will give your customers a trust gain and a comfort to stay with you.

In my experience this is wrong; most people don't notice at all.

Our SSL certificate ran out when we changed hosts and I haven't re-sorted it out yet. Not one person has mentioned it, and no loss of business etc.

I can't account for how many went running when realising, but I suspect it's none.
I offer websites, SEO, e-commerce, video commerce, m-commerce.
The transfer of that data is kept encrypted by SSL (which is the responsibility of the site owner).
My point was that the payment gateway is responsible for PCI, as are Visa, Mastercard, etc.

At what point does the website owner get involved with PCI? So yep, I am a bit confused.

cogo

Basically, don't store card details and let the banks process the transactions through SSL. If you're starting off, then it's the safest way until you learn a little more.
http://www.sagepay.com/pci-dss-compliance is a really useful resource, and there SagePay state:

Do developers need to be PCI DSS compliant?

If you're a developer that's simply integrating a client's website with our payment gateway and handing over the completed project to your client, then you don't need to become PCI DSS compliant.


However, if at any stage you build and host a back office solution for your client, you'll need to look into your PCI DSS requirements and possibly also PA DSS.
Yes, I looked on the SagePay site and noticed that message:

If you're a developer that's simply integrating a client's website with our payment gateway and handing over the completed project to your client, then you don't need to become PCI DSS compliant.
However, if at any stage you build and host a back office solution for your client, you'll need to look into your PCI DSS requirements and possibly also PA DSS.


The statement

"However, if at any stage you build and host a back office solution for your client, you'll need to look into your PCI DSS requirements and possibly also PA DSS."

How does this make sense? Because when a developer develops an e-commerce site for a client, surely you are going to build the back office solution? I haven't personally done this stage so I'm guessing, but I suppose the easiest way to be PCI compliant is to use a payment gateway like SagePay, set up a merchant account and fulfil their conditions on being PCI compliant in order to use the merchant account and not incur any fees. Is the real challenge in this case finding a payment gateway and merchant account that is cheap and PCI compliant?
Agree with what you are saying.

We take the view that if we have connected a client's ecommerce site to say SagePay and that NO credit card information passes via our server(s) then there is no duty upon us to bother about PCI compliance testing unless our client makes that a condition of purchase of our design & hosting services.