“PCI Compliance” has often been a deterrent for those seeking to accept online payments. This is mostly due to confusion around what it actually is and how exactly it is applicable. Below I answer a few common questions about PCI Compliance.
What is PCI Compliance?
PCI is an abbreviation for “Payment Card Industry”. The standard that matters here is the PCI Data Security Standard (PCI DSS), a set of security requirements maintained by the card brands through the PCI Security Standards Council. It is not a law: it is enforced through the agreements you and your acquiring bank have with the card brands, and it applies to anyone who stores, processes or transmits cardholder data. Every merchant that accepts card payments is subject to it in some form, but how much of it applies to you depends entirely on how your site handles card details.
Is PCI Compliance applicable to me?
In most cases, only a small part of it. Full compliance with all twelve PCI DSS requirements is needed only if card details are stored, processed or transmitted by your own server. If your site never touches card data because a validated payment provider handles it, you fall under the shortest self-assessment questionnaire (SAQ A), which is mostly about keeping your site secure and using compliant providers. Make no mistake, you are still expected to have a secure system in place or you could face other legal ramifications. But full compliance requires far more effort and is rarely needed. Furthermore, becoming fully PCI Compliant is costly and it adds extra risk to your business, because you become the custodian of the card data. It’s almost always better to select an option where the responsibility for PCI Compliance is off-loaded to an external payment provider like VCS or Peach Payments.
How do VCS and Peach Payments accept credit card payments without requiring me to be fully PCI Compliant?
VCS and Peach Payments deal with this in two separate ways and this is actually the fundamental difference between the two payment gateways.
VCS takes the user away from the page they are on and forwards them to a page hosted by VCS (i.e. the user is taken “off-site”). That off-site page is where credit card details are entered and the payment is made, so the card number never passes through your server. Once payment is completed, the user is redirected back to your website, and VCS separately notifies your website whether the payment succeeded or not. Your site should act on that notification only, after checking that it genuinely came from VCS and that the amount and order reference match what you recorded before the redirect; the return URL the browser lands on can be typed in by anyone and proves nothing on its own. This is a fairly common way to deal with payments. PayPal, 2Checkout, and many others also work this way.
Peach Payments, however, does not require the user to go off-site as VCS does. They offer that option too, but they also have a better one known as the “CopyandPay” solution. This is the solution that Namhost uses on most of its company websites. It allows you to place a payment widget anywhere on your website; the user is never redirected to another portal, and the payment happens directly on your page. This means you have complete freedom over how the payment page looks and, more importantly, users aren’t pushed off to another site that they are unfamiliar with. The entire payment process can be completed on your own website.
Although VCS does not currently have this in place, as of this writing they are expected to have the feature ready within the first 3 months of 2018.
But if the submission is happening on my site, does that not mean I must be PCI Compliant?
PCI Compliance is not just about storing credit card information. If a form on your site lets someone enter card details and submits them to your server, then your server is processing and transmitting cardholder data, even if nothing is stored after submission, and the full standard applies to you. So how is Peach Payments able to put a widget on your website where you can clearly enter a credit card number without breaking the PCI rules?
The widget appears on your page with fields for the card number, expiry date and CVV, but those fields are handled by Peach Payments’ JavaScript, not by your form. When submit is pressed, those three values are not posted to your server. Instead the JavaScript library encrypts them and sends the encrypted result straight from the browser to Peach Payments, which decrypts it and performs the actual transaction; your server only ever receives the outcome. Because no card details are submitted to your server or stored on it, you are not required to be fully PCI Compliant. Two caveats apply. First, a payment form delivered from your own page, even one that sends card data straight to the provider, is commonly assessed under the longer SAQ A-EP rather than SAQ A, so confirm with Peach Payments which questionnaire their widget places you in. Second, this design is only as safe as your checkout page: any script an attacker manages to inject into that page runs alongside the widget and can read the fields before they leave the browser, so protecting the page against cross-site scripting and controlling which scripts it loads remains your responsibility.
Would I ever want to be PCI Compliant?
It depends on the solution you are trying to implement and the degree of control you want. Most people are happy just being able to receive online payments in a simple manner without adding too much risk to their business. But there are cases where you might need more than that. If your product requires direct access to full card details on your own system, then you would need to be fully PCI Compliant. You would also need to be fully compliant if you want to avoid the VCS off-site page by building a card form that posts to your own server.
Recurring payments are often cited as a reason to become PCI Compliant, since storing the card lets you charge it again later. But most gateways offer tokenisation: the gateway keeps the card and hands you a token that you can charge again on a later date, so recurring billing does not require you to hold card details yourself. It really boils down to how much control you want. Ask yourself whether there is any genuine reason for your business to store card details. If you really think about it, in most cases there isn’t, or there is a way around it. Only consider full PCI Compliance if you absolutely have no other choice.
Is it expensive to become PCI Compliant?
Yes, but not necessarily in ways you might think.
If you have a decent web host (like Namhost), chances are your server will pass the external vulnerability scan that the standard requires and you will get a clean report on the server level. But PCI Compliance is not just about making sure the server is secure. Your company workflow might have to change as well. For example, only those who require direct access to card details may have access to them: if your current system gives every administrator full access, you will have to restrict it or you won’t be compliant. That is just one of many requirements. While not specifically relevant to Namibia, this article gives you a really good idea of what it takes to become truly PCI Compliant.
As I have already mentioned, there is also a large amount of risk involved in opting for a PCI Compliant solution. If you hold a database of card details, it is your responsibility to keep it safe. A breach can ruin your company, bring card-brand fines and forensic investigation costs, and do real harm to some of your clients. It’s not a decision that should be taken lightly. If you just want to receive payments online, keep it simple and avoid a solution that requires full PCI Compliance. (In my 15-odd years of being involved with e-commerce solutions, there has not been one single viable case for implementing a solution that requires PCI Compliance, and I’ve seen very big companies who could easily go for the PCI Compliant option remain with a solution that doesn’t require PCI Compliance.)
How do I become PCI Compliant?
Becoming PCI Compliant involves developing a strategy from top to bottom. Depending on your transaction volume, you will either complete a self-assessment questionnaire or undergo an audit by a Qualified Security Assessor, the server hosting the solution will need to be scanned and assessed, and you will have to make various policy changes within your company. This can be a huge task.
Namhost offers a service whereby we can get an external audit of your hosting solution that will verify whether your server is PCI Compliant. We can also advise you on how to ensure you are PCI Compliant on a software level. If you are serious about going this route, I highly recommend getting in touch with us directly, so we can discuss your specific scenario and possible options.