PCI Compliance and Accepting Credit Cards

I was recently in a thread at WHT discussing a small “home” based internet startup and mentioned PCI compliance. I did not get quite the response I get from my larger customers so I figured I would post something regarding how it affects the “little guys”. I am sure PCI compliance is nothing new here and most everyone here is aware of the impact it will have on their business.

As of October 1, 2008 the PCI Data Security Standard version 1.2 became active. There are a number of changes to PCI DSS since version 1.1. Version 1.2 removes much of the ambiguity from earlier versions and provides additional details on items such as the use wireless devices.

One of the largest and possibly most hard hitting change is how the the certification process is placing an increasing amount of scrutiny on level 3 and 4 merchants. If you process credit cards and have not received any notification from your merchant bank regarding PCI DSS compliance, you will soon.

I mention this here because I am quite certian most here are either level 3 or 4 merchants. Until recently they were not really paid attention to as there were bigger fish to fry.

In general, a level 3 merchant processes between 20k and 1M credit card e-commerce transactions per year. A level 4 merchant is one who processes fewer than 20K credit card e-commerce transactions per year.

Businesses currently processing credit card transactions have a little bit of time but any business that tries to aquire a new merchant account must be able to show either PCI certification or that they are using PABP compliant software. The only real way around this is to use a card processor like paypal where your software will not handle or store any cardholder data.

If you do process and store cardholder data, expect to make changes to adapt to the regulations. If you are using open source software to manage your billing, you have 2 options. 1 get an audit and become pci certified, $$$, 2 purchase a PABP certified software program, 3 do not process credit card transactions. Below is a link to the list of currently PABP certified software.


The list is pretty short and does not really have anything in it that fits the hosting industry. So far the only company I have received confirmation that PABP was coming was Parallels Billing.

A final caveat regarding being PCI compliant is it gets more expensive to be online. Some of the minimum requirements are quite a bit more robust than shared web hosting. There are items such as firewalls, network segmentation, Intrusion detection, Application firewalls, log monitoring and retention, etc, etc. All of these items are required for any online merchant.

While being more expensive to operate and adding another level of complexity to running our online businesses, being PCI compliant does provide a safe haven that you will not get should you be non compliant and have a data breach of some kind.