When you develop Web sites that collect payment via credit card for goods and services sold online, part of your responsibility is to establish and maintain PCI compliance. If followed properly, the Payment Card Industry Data Security Standard (current version 1.2) does a very effective job of providing a safe shopping experience for customers. However, achieving compliance is easier said than done, especially for startups and developers for small online retailers.

After reviewing the 200-plus sub-policies, procedures, activities, and technical nuances that make up the PCI Data Security Standard, most small and startup E-commerce companies will choose to outsource portions of their website operation to third party service providers. In this scenario, each party is independently responsible for maintaining control over compliance for their respective organization. You shouldn’t fall into the trap of assuming that someone else is handling your compliance needs. Everyone involved in your online store is responsible for a piece of the security compliance pie.

Anyone that touches or has access to credit card data in any capacity is responsible for PCI compliance, regardless of their role.  This includes the online retailer, the Web application developer, and the hosting provider.

The most important steps every E-Commerce developer should complete as they establish a PCI compliant business:

• Step 1 – Become educated about the payment card industry mandates. Taking the time to become knowledgeable here can go a very long way.
• Step 2 – Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties (A QSA – Qualified Security Assessor – can help with this step)
• Step 3 – Select service partners that have expertise in protecting personally identifiable information (PII).
• Step 4 – Thoroughly review each service partner’s ROC (report on compliance) to make sure there are no unfulfilled requirements or pending remediations for critical items

(more…)