My client's cart is now non-compliant?

[rizzoid]

As a web developer, this has me very concerned. A couple of years back we made a cart for a board game company using Joomla and Virtuemart. My client's bank is now stating that the cart system is non-compliant because the credit cards are entered on the site. Even though we're using SSL, a private IP address and the money exchange is done on Authorize.net; they claim this is not good enough. Has anyone has a similar complaint about a cart they put together for a client? Her bank has threatened to shut it down if it doesn't pass the next Trustwave PCI assessment. This cart setup is used on MANY sites.

Thanks in advance!

-r

[Shift4SMS]

Many banks and processors are taking the easy route and doing exactly what you are describing. The shopping cart must qualify for PCI SAQ-A, meaning that the card information must be sent directly to a PCI certified third party processor/gateway and the shopping cart server cannot ever come in contact with real cc data, or the shopping cart must be on the PCI certified compliant list. The latter still being difficult as you must still jump through some hoops proving your hosting provider is PCI compliant.

If you're using a commercial or open source shopping carts, many have payment modules that qualify for PCI SAQ-A. If you're home grown, see if your gateway offers an API for this capability; if not, find a new gateway that does. The key is PCI SAQ-A (https://www.pcisecuritystandards.org...cument=2.0#2.0) I hope this helps.

[rizzoid]

Thanks a bundle Steve. For those interested, I'm told installing a SIM method module as opposed to the regular AIM method might insure compliance. Still researching to make sure.

[Shift4SMS]

I don't think SIM by itself insures compliance, but it appears there might be options that allow for the SAQ-A level of support I am talking about. I think their Direct Post Method (DPM) can be used with SIM -- but they are a competitor of ours and I try not to know too much about competitor API's so I'm not 100% certain. Maybe some authorize.net guru can chime in?...

[SteveGerencser]

Wait till they tell you that you have to enable SSL ftp to be compliant. The PCI rules are out of control.

[rizzoid]

I have SSL enabled, and I'm willing to go the SIM or DPM route. I have a dedicated server with very stout firewall. However I've seen conflicting information on several forums now saying even this is not enough. I'm going to advise all my customers to drop SSL and go with Paypal or Google Wallet. Authorize.net, Trustwave and GoDaddy are going to lose out big time. I'm sure I'm like tens of thousands caught in this PCI scam business.

[Shift4SMS]

...I'm going to advise all my customers to drop SSL and go with Paypal or Google Wallet...

That is a route but a little extreme. Besides, most will still need SSL for non-payment related handling of personal information. I know I don't fill out forms requesting my personal information that are not via SSL; I'm sure in this day and time that there is a significant percentage of security aware shoppers with the same thought.

There are several gateways other than PayPal and Google Wallet that offer solutions that qualify for PCI SAQ-A, and many of these solutions are not as nearly restrictive.