Sunday, November 29, 2009

When a Shopping Cart is Not PCI Compliant: Three Options for Merchants


Earlier this week, Practical eCommerce shared three important questions to ask about your shopping cart. Today, as part of our ongoing PCI compliance series, I’ll take a look at options for ecommerce merchants currently using a shopping cart that is not PA-DSS (payment application data security standard) validated. More specifically, I’ll share the insights of hosting director Matt Whitted of Cybrhost, a web hosting provider specializing in ecommerce.

Cybrhost has alerted its subscriber base to the July 1, 2010 deadline for shopping carts to become PA-DSS compliant and Whitted has fielded numerous inquiries from merchants regarding the mandate.

Whitted says he recognizes that many of the more than 350 shopping carts, by Practical eCommerce's count, available to merchants have not been PA-DSS certified. “I do think this [the mandate] is going to push some of those smaller carts out. It’s a major investment to get your application certified. And then it’s a recurring process,” he says.

Three Options for Users of Non-compliant Shopping Carts

If an ecommerce merchant’s shopping cart provider is not PA-DSS compliant or in the process of becoming certified, Whitted says there are three options.

1.Outsource to an alternative payment solution.

Alternative payment solutions such as Google Checkout and PayPal Express Checkout allow merchants to outsource the checkout process. Payment information is not handled by the merchant. As a result, the merchant’s shopping cart is not considered a payment application and doesn’t fall under the PA-DSS mandate.

Whitted notes, however, that there are several downsides to this option: Outsourcing is generally a more expensive proposition, there are occasional technical glitches involved with the handoff between the shopping cart and the alternative payment system, and you’re giving some control of your business’ information to “Paypal or Checkout by Amazon or whoever you choose.”

2.Switch to a different shopping cart provider.

There are a variety of shopping carts that have applied for and received certification.

“Some of the ecommerce applications that are ahead of the curve and are going through the certification process proactively are going to benefit from people who make this decision (to switch),” Whitted says.

3.Do nothing and see if PA-DSS compliance is enforced.

Acquiring banks or processors are responsible for enforcement of PCI compliance. “Who knows how Visa or MasterCard will handle it?” questions Whitted. “They may be understanding or more extreme.” He notes however, “ Most businesses are not going to want to live by the seat of their pants.” Summing It Up - Practical Ecommerce

1 comment:

  1. Yes ofcourse, every shopping cart must be enabled atleast one of these features ifever it is not a standard validated.
    Shopping Cart Software

    ReplyDelete