If you are an online merchant, and you haven’t heard about PCI Compliance yet, you probably will soon.  Credit card companies are slowly pushing online retailers to tighten up their security to reduce fraud.

Maintaining PCI DSS compliance is a potentially a huge obstacle for online retailers.  This document provides some links to understand the basics of what you will need to do.  Essentially this requires two main steps: a questionnaire, and an external scan of your server.  Some scanning vendors are providing an “all in one” spot for you to handle both of these requirements.  We’re partnered with ControlScan, which provides this service for $249/ year.

Here are some links that will help you learn more about PCI compliance:

PCI FAQ: Click here – seems like most merchants will be level 4, which means you need to run quarterly scans from an “approved scanning vendor”.

Here’s a short blog post with video that explains PCI DSS.  It explains that this movement is largely to contain fraud, and stem losses being incurred by banks, businesses, and consumers.

Approved Scanning vendors: Click here

At this point it seems like few gateway providers are “pressuring” their merchants to be PCI compliant, which makes sense – the cost of becoming and maintaining compliance will cause many “hobby” merchants to pack it in, or move to a third party payment system (paypal, google, etc.), and cancel their merchant accounts altogether.  In the long term, I expect more hosting companies to offer and tout “PCI Compliant” server platforms.  Shopping cart vendors are also moving this way.  However, the burden will always be ultimately on the merchant to prove they are using a compliant setup, so I believe now is the time to get your site moving in that direction.

My recommendation at this point (if you are an online merchant) is to go through the process at least one time, to see how close you are to compliance.  Make changes based on the results to get as close as you reasonably can, then keep the documentation until your provider asks.  Then you’ll have a quicker path to pci compliance if you are required to be so.