E-Commerce PCI DSS Compliance Myths Explained: Guest Blog by Daniel Humphries

PCI DSS (Payment Card Industry Data Security Standard) standards apply to any business that accepts credit cards, including e-commerce merchants- however many retailers are confused about how these regulations affect them. Miva Merchant president, Rick Wilson, recently spoke with Daniel Humphries, researcher for a firm that reviews IT Security software, to help define six popular e-commerce PCI DSS compliance myths.

Daniel told us, “PCI DSS can be a bit of a nightmare for retailers, especially SMBs who don’t have dedicated staff to deal with security and compliance matters. Some people leap right in there, building their own platforms with little understanding of what they’re getting themselves into. Other people choose to outsource a lot of the heavy lifting, but even then they still have responsibilities they have to be aware of when the PCI auditor comes a-calling. To cut a long story short: just because your storefront is made of pixels and not brick-and-mortar this doesn’t mean the PCI council is any less interested in how you secure your customers’ sensitive data.”

Rick offered this advice to those small and midsized e-commerce merchants who may be thinking of building  their own platforms, outlining a few of the basics they often overlook. For example:

Cheap hosting is not worth the cost-savings. “Most hosting providers are not configured to do PCI-compliant hosting. Your average commodity hosting provider [that’s] charging $7 a month for Web hosting … well, it’s OK to put your blog there, but you should not host an e-commerce site on hosting like that. Realistically, you should be paying at least $59 a month or much, much more for anything … PCI-compliant.”

Shared servers bring a lot of potential problems. “Shared servers are not expressly forbidden by PCI, but do not ever have your database on the same server as your website—that’s rule number one[, as it is much easier to hack and gain access to sensitive data]. There’s no chance you’re PCI-compliant … don’t do it.”

Craigslist is not a good place to find a Web designer. “If you go to Craigslist or hire a local agency to build you a [website] … that developer is going to build the site on his computer and then come show it to you, and when it’s done, you’ll launch it. It’s usually easier to do that, from a developer’s perspective, with some open-source software that he can install on a local computer. However, with open-source software, while it is possible to build something PCI-compliant, it is a lot more challenging than most people realize.”

PCI compliance incurs serious ongoing costs. “At Miva Merchant, we spend six figures every couple of years to make sure we stay validated.”


For more on the ‘6 Popular E-Commerce PCI DSS Compliance Myths Explained’, see the full article here.