
PCI DSS and Shop-Script

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a standard developed by the payment systems VISA and MasterCard to protect sensitive cardholder information. It contains a set of requirements that must be met by any public resource (e.g., a website or an online store) where customers pay with bank cards. More details about the standard and its requirements are available at the links below:

http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
http://en.wikipedia.org/wiki/PCI_DSS

PCI DSS compliance validation

The PCI DSS requirements apply to all entities that accept payments from VISA or MasterCard bank cards; therefore, if your Shop-Script based online store accepts such payments, please read this article carefully, because you may be required to undergo PCI DSS compliance validation.

In which cases are you required to pass the PCI DSS compliance validation?

  • Required if on your website (or on any other public resource owned or controlled by your company) customers are asked to submit cardholder data, or if such data are in some other way stored, processed, or transmitted by your website.
  • Not required if your website is not used to transmit your customers' cardholder data. For instance, if orders in your online store are paid for on a third-party payment system's protected website, customers actually leave your online store to perform the payment (i.e., to enter their cardholder data). In this case it is the third-party payment system, not your website (online store), that must ensure and prove PCI DSS compliance.
  • Not required if you do not accept bank card payments.

If your business is in scope of the PCI DSS and you fail to validate compliance, your company may be penalized with fees payable to VISA and/or MasterCard.

PCI DSS compliance validation is performed by specially designated companies, QSAs (Qualified Security Assessors). The full list of QSAs is available on the official PCI DSS website at http://www.pcisecuritystandards.org/qsa_asv/find_one.shtml.

Being compliant with the PCI DSS requirements does not automatically make an entity validated: compliance is a necessary but not a sufficient condition. The validation process must still be completed if your online store stores, processes, or transmits cardholder data.

Shop-Script payment modules

Integration modules for online payment services (such as PayPal Website Payments Standard, E-Gold, etc.) are not in the scope of the PCI DSS. The requirements of the standard apply only if you accept bank card payments on your website.

By their operating principle, all Shop-Script payment modules that accept bank card payments fall into two categories, depending on the type of API provided by the corresponding payment system:

  1. Those that redirect customers to a dedicated third-party payment page, so that cardholder data are never entered on your website. Using such payment modules does not require PCI DSS compliance validation, because sensitive information (e.g., primary account number, cardholder name, etc.) is submitted on the third-party payment page rather than on your website. The burden of compliance is in this case transferred to the corresponding payment system. For simplicity, such payment modules will be referred to as "safe".
  2. Those that require customers to enter cardholder data on your website during checkout. In this case sensitive information is processed or transmitted by your website and may also be saved in your database (the latter is true for the manual bank card processing module, for example). Such payment modules will be referred to as "unsafe".

The validation requirement applies to your online store only if you use "unsafe" bank card payment modules.
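A practical way to confirm which category your store falls into is to check whether cardholder data actually reaches your server: if primary account numbers turn up in request logs, order records or database dumps, the store is in scope regardless of which module you believe is active. The scanner below is an added example, not part of this article or of Shop-Script; it looks for 13 to 19 digit sequences that pass the Luhn checksum (the card-number check digit algorithm), reports them masked to the first six and last four digits, and runs over a few constructed sample lines that imitate a "safe" checkout, an "unsafe" checkout and a database dump.

```python
import re
from typing import Dict, List

# Constructed sample lines imitating a checkout request log and a DB dump.
# Line 1: "safe" module, only order data leaves the browser for your site.
# Line 2: "unsafe" module, the card number is posted to your site.
# Line 3: a 13-digit transaction id that is NOT a valid PAN (fails Luhn).
# Line 4: a card number stored in the orders table, written with spaces.
SAMPLE_LINES = [
    '2010-10-01 10:00:01 POST /checkout/ order_id=1042 amount=59.90 method=paypal_standard',
    '2010-10-01 10:02:17 POST /checkout/ order_id=1043 card_number=4111111111111111 exp=12/12',
    '2010-10-01 10:05:03 GET /order/1043/ status=paid txn=1234567890123',
    'orders dump: id=1044 cc="5500 0000 0000 0004" holder="J. DOE"',
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the usual masked display form."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def find_pans(lines: List[str]) -> List[Dict[str, object]]:
    """Scan text lines and report Luhn-valid card-number-like values, masked."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r'[ -]', '', match.group(0))
            if luhn_valid(digits):
                findings.append({'line': lineno, 'pan': mask_pan(digits)})
    return findings


def validation_required(lines: List[str]) -> bool:
    """True when any scanned line carries a PAN, i.e. the site handles cardholder data."""
    return bool(find_pans(lines))
```

A hit means your site already stores, processes or transmits cardholder data, so an "unsafe" module (or a logging misconfiguration) is in use and the validation requirement applies.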

We strongly recommend using only "safe" payment modules to avoid the validation. If this is not possible, your company will be required to complete the PCI DSS compliance validation procedure so that no penalties are incurred.

Starting on October 15, 2010, Shop-Script (both the open-source software and the online service) will contain only "safe" payment modules; all "unsafe" modules are individually available for download on the Shop-Script website at http://www.shop-script.com/features/integrations.html.