How safe is your credit card number with merchants?

Posted on November 9, 2011
Filed Under Improving Security, The Dangers

In the UK at least, there are rules outlining how merchants deal with credit cards and other secure information. This set of rules is maintained by the PCI Security Standards Council.

The main credit card issuers have all agreed to implement these standards when issuing their compliance requirements to merchants. This means that merchants have to heed these requirements when taking cards over the internet, face-to-face, or over the phone.

How the merchant takes your card details dictates the ‘level’ of compliance they need.

For example, at 3DPixel.net we send the customer to RBS Worldpay to process the payment. We (or more importantly, our servers) never ‘see’ the credit card number. In this respect, 3DPixel is not required to be PCI compliant. Of course, in this situation, RBS Worldpay is required to be PCI compliant.

Another customer of ours, piccadillyrecords.com, has a different requirement. With recent changes to the PCI standards and how they specifically deal with credit card numbers, they were required to change their setup. Piccadilly Records actually need to store the credit card information because they have pre-orders, backorders and such. With our assistance, they migrated to individual servers for web and database (hidden from the internet), full encryption, up-to-date server daemons that pass their required quarterly scan, and a myriad of other measures to ensure PCI compliance. It’s expensive. They needed to move from a single server to multiple servers, and pay to have a company set it up, secure it, etc.

Another client, who shall remain nameless, approached us with a similar situation but refused to comply with the requirements, citing the costs involved. They are a relatively small business and the cost of complying with PCI is high, especially after recent rulings. The threat from the credit card issuers of hefty fines was a risk they were willing to take. There is no real punishment for non-PCI compliance. Banks may charge a non-compliance fee (I’ve heard £80 a month) and they may get fined IF there is a breach.

I should point out here that this attitude is not uncommon amongst small online retailers. Naturally, they have the best intentions with your credit card number and other secure details, but you may be surprised how many companies are handling your details and are not PCI compliant.

PCI compliance, if you read their documents, is a fluffy mess with no real ‘set’ rules. It’s more a guideline that merchants need to follow and draw their own conclusions on how compliant they need to be. It’s no wonder that merchants a) don’t know about it and b) shy away from the technical fluff. They just want to get paid.

The basic rules (from my perspective) are:

1. If your server, company or staff ever physically TOUCH a credit card number (server means, if they’re inputting the details into YOUR site, even if it’s sent ‘securely’ to a gateway) then you need basic PCI compliance.

2. If your server, company or staff are storing or keeping hold of credit card numbers, then you need a higher level of PCI compliance.

SUMMARY

You may think there would be a mechanism to report non-compliance. There isn’t.

You may think that having an SSL certificate (turns your browser bar green etc) means your data is secure. It doesn’t.

You are totally within your rights to ask the merchant what measures they have in place to deal with your information and if they are PCI compliant.
