Accepting payment on your website – Is your business PCI-DSS Compliant?
Whether your website has a shop, membership system or takes payment for other goods and services, it’s important that you know and understand your requirements as a merchant and the consequences that may be imposed.
Most businesses will offer direct deposit (bank transfer) & credit card payments via companies such as Paypal or Stripe. Others will go to the effort of setting up an online merchant account via E-Way or directly with their bank.
However, what are your options when it comes to collecting credit card details on your website? Do you know what your obligations are? How are you allowed to store or transfer them (say, via email)?
Well, as many businesses have discovered, if you need to receive regular payments via credit card for goods or a service such as a membership or layby, then Paypal is not the best option. Unfortunately, if there are any complications, such as insufficient funds, a missed payment or a change to the plan, it involves manually re-creating the payment schedule.
So for those businesses that already have a merchant account but not an online merchant account, or a credit card collection point (such as an app for their phone), it would seem obvious to have the customer complete a form online, which would either be stored on the website or sent to the business via email.
Easy, but NO! This is what you need to know!
The PCI-DSS (Payment Card Industry Data Security Standard) applies to all Australian banks, and therefore when you become a merchant by taking payments via credit card, you must abide by it as well.
So, what does this mean for your business and website if handling credit card payments manually?
You must not:
- Store credit card details on your website
- Send credit card details via email
- Collect or store the CCV number together with the credit card number/expiry date
You must:
- Ensure your firewall is functional and test it on a regular basis
- Keep all software up to date for security/malware purposes on the website and on any PC that accesses it
- Give each user a unique user ID and a strong, secure password
- Perform regular tests on your website and the software used
- Have a policy (that meets the PCI-DSS standards) visible on your website that explains how you handle (and store) confidential details, and make sure all staff abide by it.
What happens if my business is found to breach PCI-DSS standards?
Each bank has its merchant terms and conditions posted on its website (sample links posted below), with penalties ranging into the hundreds of thousands of dollars, as well as liability for any funds that have been stolen. These penalties apply not only to the merchant but to any other business involved, including your web host. Therefore, it's important that you read the terms and conditions of not only your bank but also your hosting provider closely, and return to read them on a regular basis for any updates.
Here’s an example of Westpac Australia’s penalties
Are there options other than storing credit card details manually and being PCI-DSS compliant?
Yes, there are a range of options. Payment gateways such as Stripe and eWay allow credit card details to be stored within their gateway (which is PCI-DSS compliant) for recurring charges. Depending on the gateway, you can either log in to the gateway website and place recurring charges manually against a stored credit card, or you can place charges against a stored credit card via a "payment token", which is a unique identifier generated by the gateway for the combination of your website and the stored credit card. Your e-commerce system (such as WooCommerce) can present this payment token to the gateway to make recurring charges against a stored credit card without the credit card details ever being stored on your website, which is ideal for subscription-based products.
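To make the token flow concrete, here is an added example that is not code from the original page, from Stripe, eWay or WooCommerce: a hypothetical in-memory gateway that vaults the card and hands back a token, and a merchant site that stores only the token, the last four digits and the expiry, then bills a subscription with the token. The class and method names are invented for the illustration; the point it shows is that the token is bound to the merchant that created it and that the merchant's own records never contain the card number.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ChargeResult:
    ok: bool
    charge_id: str = ""
    amount_cents: int = 0
    error: str = ""


class MockGateway:
    """Hypothetical stand-in for a PCI-DSS compliant gateway (Stripe, eWay, ...).

    Everything in this class lives inside the gateway's own scope; the merchant
    website only ever sees what tokenize() and charge() return.
    """

    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}   # token -> card record, gateway side only
        self._charges: list[dict] = []

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> dict:
        """Called by the gateway-hosted card form in the customer's browser.

        The merchant's server is not in this code path, so it never receives the PAN.
        """
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("malformed card number")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = {"merchant": merchant_id, "pan": pan, "expiry": expiry}
        # Only non-sensitive display data goes back to the merchant with the token.
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> ChargeResult:
        """Recurring charge by token; the token is only valid for the merchant that created it."""
        card = self._vault.get(token)
        if card is None or card["merchant"] != merchant_id:
            return ChargeResult(ok=False, error="unknown token for this merchant")
        if amount_cents <= 0:
            return ChargeResult(ok=False, error="amount must be positive")
        charge_id = "ch_" + secrets.token_hex(8)
        self._charges.append({"id": charge_id, "token": token, "amount": amount_cents})
        return ChargeResult(ok=True, charge_id=charge_id, amount_cents=amount_cents)


class MerchantSite:
    """What the website (e.g. a WooCommerce install) is allowed to keep: token, last4, expiry."""

    ALLOWED_FIELDS = {"token", "last4", "expiry"}

    def __init__(self, gateway: MockGateway, merchant_id: str) -> None:
        self.gateway = gateway
        self.merchant_id = merchant_id
        self.records: dict[str, dict] = {}  # member_id -> stored payment method

    def enrol_member(self, member_id: str, tokenize_response: dict) -> dict:
        """Store the gateway's response, keeping only the fields the site is allowed to hold."""
        record = {k: v for k, v in tokenize_response.items() if k in self.ALLOWED_FIELDS}
        self.records[member_id] = record
        return record

    def bill_subscription(self, member_id: str, amount_cents: int) -> ChargeResult:
        record = self.records.get(member_id)
        if record is None:
            return ChargeResult(ok=False, error="no payment method on file")
        return self.gateway.charge(self.merchant_id, record["token"], amount_cents)


def run_demo() -> tuple[MerchantSite, ChargeResult]:
    """Enrol one member and bill one month; returns the site so its records can be inspected."""
    gateway = MockGateway()
    site = MerchantSite(gateway, "merchant_demo")
    # Constructed input: a published test card number, entered via the gateway-hosted form.
    response = gateway.tokenize("merchant_demo", "4111111111111111", "12/27")
    site.enrol_member("member_001", response)
    return site, site.bill_subscription("member_001", 2500)


if __name__ == "__main__":
    site, result = run_demo()
    print("stored on website:", site.records["member_001"])
    print("charge ok:", result.ok, result.charge_id)
```

The check worth carrying into a real integration is the one `enrol_member` performs: whitelist the fields you persist from the gateway's response rather than saving the whole object, so that a future change in what the gateway returns cannot quietly put card data into your database.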
We can assist you with the setup of these options.