Accepting payment on your website - PCI-DSS Compliance

Accepting payment on your website - Is your business PCI-DSS Compliant?

Whether your website has a shop, a membership system or takes payment for other goods and services, it's important that you know and understand your obligations as a merchant and the consequences of getting them wrong. Most businesses offer direct deposit (bank transfer) and credit card payments via companies such as PayPal or Stripe. Others go to the effort of setting up an online merchant account via eWAY or directly with their bank. But what are your options when it comes to collecting credit card details on your website? Do you know what your obligations are? How are you allowed to store or transfer them (say, via email)?

As many businesses have discovered, if you need to receive regular payments by credit card for goods or a service such as a membership or layby, PayPal is not the best option: if there are any complications, such as insufficient funds, a missed payment or a change of plan, the payment schedule has to be manually re-created. So for those businesses who already have a merchant account but not an online one, or who have a card collection point such as an app on their phone, it would seem obvious to have the customer complete a form online, which is either stored on the website or sent to the business by email. Easy, but NO! This is what you need to know.

The PCI-DSS (Payment Card Industry Data Security Standard) is the card brands' security standard, and it applies to every business that stores, processes or transmits cardholder data. Australian banks enforce it through their merchant agreements, so when you become a merchant by taking payments via credit card you must abide by it as well, whether the card details arrive through a payment gateway or on a form you handle yourself. So, what does this mean for your business and website if handling credit card payments manually? You must not:
  • Store credit card numbers on your website. The standard only permits storage under its full set of controls (encryption with managed keys, restricted and logged access, regular scanning), which is rarely realistic for a small business site, so the practical rule is simply not to store them.
  • Send credit card details via email (or SMS or instant messaging). The standard forbids sending card numbers unprotected over any end-user messaging technology, and a number sitting in a mailbox is as exposed as one on a sticky note.
  • Store the CVV (the 3- or 4-digit security code, also called CVC or CSC) once a payment has been authorised, not alongside the card number and expiry date, and not even encrypted. It may only be used to authorise the transaction in hand and must then be discarded.
You MUST:
  • Ensure your firewall is functional and test it on a regular basis
  • Keep all software up to date for security and malware reasons: the website itself (WordPress core, plugins and themes), the hosting stack, and the operating system and browser of any PC that accesses the admin area
  • Give each user a unique user ID and a strong password; never share a login between staff, so that every action can be traced to one person
  • Perform regular tests on your website and the software used. The standard expects ongoing vulnerability scanning and re-testing after significant changes, not a single check when the site goes live
  • Maintain a written information-security policy that meets the PCI-DSS requirements and explains how you handle and store confidential details, and make sure all staff abide by it. A customer-facing privacy statement on your website is good practice, but it does not replace the internal policy.

What happens if my business is found to breach PCI-DSS standards?

Each bank publishes its merchant terms and conditions on its website (sample links below), with penalties ranging into the hundreds of thousands of dollars, on top of liability for any funds that are stolen. The contract is with the merchant, and the merchant remains responsible for the third parties it uses, such as its web host or web developer, so a breach at one of them is still your breach. It's therefore important to read the terms and conditions of not only your bank but also your hosting provider closely, and to return to them on a regular basis for any updates. See Westpac Australia's published PCI-DSS breach penalties, and read more from the Commonwealth Bank, the National Australia Bank and the global PCI Security Standards Council website.

Are there options other than handling credit card details manually and carrying the full PCI-DSS burden yourself?

Yes, there are a range of options. Payment gateways such as Stripe and eWAY can store card details within their own PCI-DSS compliant vault for recurring charges. Depending on the gateway, you either log in to the gateway website and place recurring charges manually against the stored card, or your site charges the stored card via a "payment token": an opaque identifier the gateway generates for the combination of your merchant account and that card. The token is only meaningful to the gateway that issued it, and the card number cannot be worked back out of it, so a copy of your website's database gives an attacker nothing to spend. Your e-commerce system (such as WooCommerce with the gateway's plugin) presents the token to the gateway to make recurring charges without the card details ever being stored on your website, which is ideal for subscription-based products. How the card details reach the gateway also decides how much of PCI-DSS you have to attest to: if the customer types the card number into a page the gateway itself serves (a redirect or an embedded iframe), your site never touches the number and you are eligible for the shortest self-assessment questionnaire (SAQ A); if your own page collects the number and then posts it to the gateway, you fall under SAQ A-EP, which carries many more requirements. We can assist you with the setup of these options.
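The following is an added example, not Guy Designs' code and not the API of any real gateway. It shows the two halves of the advice above in working form: the tokenisation pattern, where the website keeps only an opaque gateway token plus display data, and a Luhn-checked scanner you can run over a database export, a mailbox export or a log file to confirm that no card numbers are being stored or emailed. FakeGateway stands in for a vault such as Stripe's or eWAY's and its method names (tokenize, charge) are invented for this example; the sample email form and log lines are constructed, and 4111 1111 1111 1111 and 5555 5555 5555 4444 are the card brands' public test numbers.

```python
"""Tokenised card storage plus a PAN scanner (added example, hypothetical gateway API)."""
import re
import secrets
import string

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test: true for every real card number (and for roughly
    10% of random digit strings, so treat a hit as a candidate to confirm)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Show only the last four digits, which PCI-DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return the masked form of every Luhn-valid card number found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


class FakeGateway:
    """Stand-in for a PCI-DSS compliant gateway vault (hypothetical API)."""

    def __init__(self):
        self._vault = {}  # token -> card data; this only ever exists at the gateway

    def tokenize(self, pan, expiry, cvv):
        """Store the card and hand back a token. The CVV is used for this one
        authorisation and is deliberately not kept, even inside the gateway."""
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._vault[token] = {"pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token, amount_cents):
        """Charge a stored card. A token from another merchant account or another
        gateway is simply not in this vault, so it cannot be replayed here."""
        card = self._vault[token]  # KeyError for an unknown token
        return {"ok": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}


class MerchantSite:
    """What the website (e.g. WooCommerce plus a gateway plugin) keeps per customer."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.customers = {}

    def save_card(self, customer_id, pan, expiry, cvv):
        # Card details go straight to the gateway; only the token and
        # non-sensitive display data are written to the website's database.
        t = self.gateway.tokenize(pan, expiry, cvv)
        self.customers[customer_id] = {"token": t["token"], "last4": t["last4"], "expiry": t["expiry"]}

    def bill(self, customer_id, amount_cents):
        return self.gateway.charge(self.customers[customer_id]["token"], amount_cents)

    def database_export(self):
        # Stands in for a database dump (or a stolen copy of one).
        return repr(self.customers)


# Constructed samples of the two practices the page warns against.
EMAILED_FORM = (
    "Membership form from Jane\n"
    "Card: 4111 1111 1111 1111 Exp: 03/27 CVV: 123\n"
    "Phone: 0412 345 678\n"
)
LOG_LINES = (
    "2024-05-01 10:02:11 POST /checkout ok order=10023\n"
    "2024-05-01 10:02:12 DEBUG card=5555555555554444\n"  # debug logging leaked a PAN
    "2024-05-01 10:02:12 DEBUG ref=4111111111111112\n"   # fails Luhn, so not reported
)


def demo():
    """Tokenise one card, bill it, then scan the three places a PAN could leak."""
    site = MerchantSite(FakeGateway())
    site.save_card("cust_1", "4111111111111111", "03/27", "123")
    receipt = site.bill("cust_1", 2500)
    return {
        "email_leaks": find_pans(EMAILED_FORM),                 # ['************1111']
        "log_leaks": find_pans(LOG_LINES),                      # ['************4444']
        "database_leaks": find_pans(site.database_export()),    # []
        "receipt": receipt,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner is the check to run before you tell a bank you store nothing: point find_pans at a WordPress database export, a mailbox export and the web server and plugin logs. The emailed form and the debug log line are flagged; the merchant database is clean because the only card-related values in it are the token, the last four digits and the expiry date.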

Open Source Software

Guy Designs use a number of open source software platforms to create our websites. We're constantly looking out for and testing the best platforms to represent your company: user-friendly, attractive, feature-rich and secure. Currently for a CMS (Content Management System) we recommend WordPress. For e-commerce or shopping sites we recommend WooCommerce.

The reasons we use open source platforms:
  • They are reliable, used by millions and, as the name suggests, "open", allowing you to approach any developer who understands the technology to update your website.
  • These platforms are constantly being updated and improved for the latest trends such as SEO (Search Engine Optimisation) and security. Because fixes are published openly, it matters that updates are applied promptly: a published fix tells attackers exactly what an unpatched site is exposed to.
  • They do not cost a fortune to update, which saves you money.
  • You're not tied to the web designer who created your site for continued development if you so choose, and you don't run the risk of the site becoming impossible to update because the software originally used no longer exists.
  • There are a lot of developers creating add-ons, modules, widgets and plugins daily, giving you the best features for your website at reasonable prices. Each plugin is code running on your site, so install only what you need, from actively maintained sources, and remove what you stop using.
  • You can update your website from any PC with an internet connection and a web browser.
  • The administration section of your website is as easy to use as MS Word, with WYSIWYG editors.

We believe that your website needs to be not only impressive and attractive to your customers, but able to be updated as you need it. After all, you don't want to have to re-design your site every year or so.

Woocommerce & Magento E-Commerce

Guy Designs recommends WooCommerce for most e-commerce sites. WooCommerce runs on top of the WordPress Content Management System, and more information can be found at www.woothemes.com. Guy Designs has also been using Magento for our customers for many years. We have designed (and can design) e-commerce sites in other platforms such as osCommerce, Zen Cart, VirtueMart and X-Cart.

A little about Magento

Magento was developed in 2008 by a number of the developers of osCommerce (another e-commerce platform). It has had 7 major releases of the Community Edition (they also produce Professional and Enterprise editions, both costing $10K+ per year, which have had a similar number of releases). It has had more than 4 million downloads and is one of the most widely used e-commerce platforms in the world. Magento was bought out by eBay (who already had a major stake in it) in 2011, at which point it was made even more user-friendly than the original editions.

Magento E-Commerce (www.magento.com) software allows you to:

  • Add and update products yourself as needed, including photos and multiple categories
  • Add variants such as size, colour and quantities
  • Monitor and track orders
  • Create discount codes
  • Flexible postage/delivery rules (e.g. based on weight, set price per order, different cost per category, free shipping)
  • Variety of payment methods (direct deposit, PayPal, credit card)
  • Create special pricing for limited time periods
  • Create gift vouchers
  • Track inventory
  • Integrate with an eBay store
  • CMS pages (as many as you need) using WYSIWYG editors (like MS Word) that allow you to easily update them

Other features include:

  • Each page and product can be optimised for search engines individually
  • Well formatted products with a detailed view that lets you attach multiple images to a product, plus variants such as colours/sizes
  • All types of image galleries, light boxes and image sliders can be added as another option to display images
  • Images load quickly and look professional (depending on the quality of the photos)
  • Magento (e-commerce software) is now owned by eBay and PayPal, so just like eBay it's very user-friendly and easy to navigate, for the customer and in the back/admin end
  • Links/icons/shares with Facebook, Twitter, Google+ and Pinterest (and many others)
  • User-friendly links to each page (based on what you name the product or page)
  • Very easy to update, or to un-publish without deleting if stock becomes unavailable

Test drive Magento's shops or the admin section

Find out more about Magento by reading their blog

Online Store Preparation

Preparation for your new online store

What do you need to start collating for your online store?
  • Your preferred domain name/s and email addresses
  • Your company/business logo
  • Preferred colours for your site
  • Images for the main page
  • Introduction blurb for the main page
  • Categories and sub-categories for your products
  • How many products you plan to have in your store, as well as the information and images needed to describe your products
  • Payment methods you will accept (PayPal/direct deposit/cheque/COD/eWAY)
  • Are you charging a surcharge for credit cards or other payment methods?
  • Are you registered for GST?
  • Postage options and costs (Australia Post, courier, international postage, express post), including packaging and timeframes
  • Contact details
  • Social media links and icons
  • Terms and conditions
  • FAQ
  • Any other content such as markets or events you attend
  • Are you planning to have a newsletter?
  • Preferred fonts - www.google.com/webfonts
Guy Designs will assist you in collating the above information, with easy-to-complete forms, in preparation for your website. Please ask us if you need help or further explanation.