The following questions were asked of us recently. Please read and learn from other people's misunderstandings.



Q: I have moved to v10, which is PCI-compliant, and I use Authorize.net. I don't need to complete the Self-Assessment Questionnaire. Right?


A: Wrong. It will be a whole lot easier for you to complete the Self-Assessment Questionnaire (SAQ), but you absolutely have to do it. If anything awful happens, and credit card details that were given to you are compromised, the very first question is going to be "where is your signed SAQ?" and nobody is going to be understanding if you say "I thought I was safe, so I didn't bother to prove it."





Q: I don't store credit cards. I have the setting 'StoreCCinDB' turned to FALSE and it's always been set that way. The questionnaire only applies to companies that store credit cards. Right?


A: Wrong. People type their credit card details into your store and they trust you to take care of that data. Most likely, you transmit it to a payment gateway. You have to prove that the software you use to collect it, and the software you use to encrypt it during the transaction, and the protocol you use to transmit it ... are all trustworthy. The SAQ questionnaire allows you to prove that you have thought through the vulnerabilities and created a secure solution.





Q: I only take a few orders a month, and I don't store credit cards. I don't need to complete the Self-Assessment Questionnaire. Right?


A: Wrong. It's true that statistically the size of the vulnerability might be smaller for you, but even if you only ever take one transaction, ever, you still take on the same responsibility. When a bank, or PayPal, or another payment provider trusts you to have an account, they also trust you to take care of credit card details. You are REQUIRED to complete the SAQ questionnaire to show that you are taking good care of important information.





Q: I have a wholesale store. I don't take orders from the public. I don't need to complete the Self-Assessment Questionnaire. Right?


A: I guess it depends. PCI compliance is all about protecting CREDIT CARD data. How do your wholesale customers pay you? If they all use Purchase Orders, and then send you paper checks, then you don't need an online payment account, and you won't be using a payment gateway ... and you're in the clear. Otherwise, IF YOU ARE TAKING CREDIT CARDS ONLINE YOU MUST COMPLETE THE SAQ QUESTIONNAIRE.





Q: I use the PayPal Advanced embedded (direct post) gateway. I don't store credit cards at all. I don't need to complete the Self-Assessment Questionnaire. Right?


A: Wrong. It will be a whole lot easier for you to complete the Self-Assessment Questionnaire, and you can most likely complete SAQ-A-EP (which has fewer questions), but you absolutely have to complete a questionnaire. Think about things like telephone orders. Do your staff ever take credit card details over the phone? Do your customers ever email you a credit card number, even if you wish they didn't? Whether any of this happens in your business or not, the fact that you accept credit cards online means that you have to prove that you understand the risks and that you're taking care.
