Musings on ecommerce and PCI compliance for nonprofits
Nov 18th, 2008 by Jon Stahl
I’ve been doing some thinking and planning about how to build some better online donation tools for small to midsize nonprofits. In the process of doing some of that background research, I’ve come across what I think is a pretty big latent risk to lots of nonprofits (and small businesses) that are doing online transactions.
It has an acronym: PCI, or PCI-DSS (the Payment Card Industry Data Security Standard). It’s the set of security standards put in place by the credit card industry over the past few years, in an attempt to limit the risk of catastrophic data security breaches that put the credit card information of innocent folks into the hands of criminals.
What PCI says in a nutshell is this: if your computer systems store, process or transmit credit card information, then there are various security processes and safeguards that you MUST have in place, you must verify that you have these measures in place, and you must submit to periodic testing to make sure you have them in place.
The companies that issue merchant accounts are responsible for verifying the compliance of their small customers. The self-assessment form for the most common scenarios runs to 40 pages, and you have to be able to answer “YES” to every question in order to pass.
Why is this a problem? Well, obviously the intention here is good. Credit card data security is an incredibly important issue.
But there are a ton of nonprofits and others that operate small ecommerce sites using off-the-shelf ecommerce software such as ZenCart or Magento, or extensions to popular open-source CMSes such as Joomla, Drupal or Plone. These systems, properly configured, are quite secure (especially Plone!), and in truth they are generally not storing or processing credit card data, merely passing it straight through to an ecommerce payment gateway such as Authorize.net.
Still, since these systems are “transmitting” credit card data, they clearly fall within the scope of PCI, and they therefore must be PCI compliant. Failure to do this can expose an organization to fines, higher rates from their merchant account provider, or simply being cut off from the credit card system. Not good.
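To make the scoping point concrete, here is an added example (not code from the original post, and not from any cart or gateway it mentions) that contrasts the two ways a small donation site can hand card data to a gateway, and includes the check a practitioner would actually run: a scanner for card numbers in request bodies, saved sessions or web server logs. In the “pass-through” pattern the card number is posted to the merchant’s own server and forwarded from there, so that server transmits cardholder data and is in scope even though it keeps nothing. In the hosted-page pattern the donor is redirected to the gateway and the merchant server only ever receives a transaction reference and the last four digits. The gateway URL, the form field names and the gateway response shape are all hypothetical; the card number used is the widely published Visa test number, not a real card.

```python
"""
Two ways a small donation site can hand card data to a payment gateway, plus
a check for whether a given request ever carried a card number (PAN).

Added example; not code from the original post or from any cart or gateway it
names. GATEWAY_HOSTED_URL, the form field names and the gateway response
fields are hypothetical stand-ins for whatever a real gateway defines.
"""
import re
from urllib.parse import urlencode

GATEWAY_HOSTED_URL = "https://gateway.example/hosted/pay"  # hypothetical


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates found in text (a POST body,
    a log line, a serialized session). Used to answer: did cardholder data
    ever reach this system?"""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def request_carries_pan(fields: dict) -> bool:
    """True if any field value of a parsed request contains a PAN."""
    return any(find_pans(str(v)) for v in fields.values())


# --- Pattern 1: pass-through checkout -------------------------------------
# The donor posts the card number to the merchant's server, which forwards it.
# The merchant server transmits cardholder data, so it is in PCI scope.

def gateway_charge(pan: str, amount_cents: int) -> dict:
    """Stand-in for a server-to-server gateway call (simulated, no network)."""
    if not luhn_ok(pan):
        return {"approved": False, "reason": "invalid card number"}
    return {"approved": True, "txn_id": "T-0001", "last4": pan[-4:]}


def passthrough_checkout(form: dict) -> dict:
    pan = form["card_number"].replace(" ", "")   # PAN is now on our server
    result = gateway_charge(pan, int(form["amount_cents"]))
    return {"approved": result["approved"], "txn_id": result.get("txn_id")}


# --- Pattern 2: hosted payment page --------------------------------------
# The merchant server redirects the donor to the gateway with order details
# and gets back only a transaction reference and the last four digits.

def hosted_checkout_redirect(order_id: str, amount_cents: int) -> str:
    return GATEWAY_HOSTED_URL + "?" + urlencode(
        {"order": order_id, "amount": amount_cents})


def hosted_checkout_return(params: dict) -> dict:
    return {"approved": params.get("status") == "approved",
            "txn_id": params.get("txn_id"),
            "last4": params.get("last4")}


if __name__ == "__main__":
    # Constructed sample: a donation form posted to the merchant's own server.
    form = {"amount_cents": "2500", "card_number": "4111 1111 1111 1111",
            "exp": "12/10", "donor": "A. Donor"}
    print("pass-through request carries PAN:", request_carries_pan(form))  # True
    print(passthrough_checkout(form))

    # Constructed sample: what the merchant server sees after a hosted page.
    ret = {"order": "D-1001", "status": "approved",
           "txn_id": "T-0001", "last4": "1111"}
    print("hosted return carries PAN:", request_carries_pan(ret))  # False
    print(hosted_checkout_return(ret))

    # Constructed access-log line from a pass-through site that logged the
    # POST body: the PAN is now at rest on the web server as well.
    print(find_pans("POST /donate card_number=4111111111111111&amount_cents=2500"))
```

Running `find_pans` over access logs, error logs and saved sessions is the quickest way to learn whether a “merely retransmitting” site is actually keeping card numbers somewhere it did not intend to; a Luhn-valid 13 to 19 digit run is a good enough filter that order numbers and phone numbers rarely trip it.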
So, with that setup, here are some questions/observations:
I wonder how many small to midsized organizations there are out there that have the technical chops to make it through the 40-page self-assessment. Probably not too many.
What percentage of small merchants are actually achieving PCI compliance?
How many small merchants are actually being required by their credit card providers to demonstrate PCI compliance? Is anybody being sanctioned?
Are nonprofits who take credit cards offline or via virtual terminals being forced to achieve compliance, too? (In theory they should be.)
Shouldn’t open-source ecommerce developers be paying a bit more attention to this? I think a lot of them are setting up their users for trouble, by making it easy to set up systems that expose not-very-sophisticated users to these complex requirements. I suspect there’s a lot of misunderstanding out there.
Yes, I have a virtual terminal for processing monthly donors, of which we have a small number right now, and my credit card processor wants me to pay $135 per year for compliance monitoring. I am looking around to see if I can get this done more cheaply, or if I can change to a terminal and avoid the fee, but my processor (Elavon) is telling me that terminals will also be subject to compliance fees.
I’ve been working with many of our clients to help prepare for the upgrades to our compliant applications. I’d be interested to hear if you’ve had any recent reaction from your peers to PCI.