Myth: If I use authorize.net I am PCI compliant

Fact:

Whether you use authorize.net or any other payment gateway, you still have a PCI requirement if your server passes credit card information through RAM. Some integration methods have the user fill in the credit card information on your site; that data is then posted to your server, which in turn sends it to your credit card gateway.

False Statement: "If I don't store credit card information I am automatically PCI compliant"

Even if you simply hand off the credit card information, you have a compliance requirement.

So what is the answer? Choose an integration method where the credit card information is passed directly to the gateway and never passes through your server. With authorize.net, for example, this would be the Direct Post Method or the Customer Information Manager. There are also other services, such as stripe.com, that use JavaScript to pass the information directly to the gateway so that you won't have a compliance requirement.
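As an added example (not Savvior's code and not any gateway's SDK), here is a server-side guard in JavaScript for the integration pattern described above: the browser is expected to hand the server only a gateway token, and the guard rejects any checkout request that carries a Luhn-valid card number, so a mis-wired form cannot silently put the server back into scope. The field names, the token format and the sample values in the comments are constructed assumptions.

```javascript
// Luhn check: separates real-looking card numbers from other digit strings
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Does one value look like a PAN: 13-19 digits (spaces/dashes allowed) and Luhn-valid?
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[ -]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body and return the paths of any PAN-like values.
function findPanFields(obj, path = '') {
  const hits = [];
  for (const [key, val] of Object.entries(obj || {})) {
    const p = path ? `${path}.${key}` : key;
    if (val !== null && typeof val === 'object') hits.push(...findPanFields(val, p));
    else if (looksLikePan(val)) hits.push(p);
  }
  return hits;
}

// Checkout guard: accept only a gateway token (the token format is a constructed
// assumption) and refuse any request carrying card data. The rejection names the
// offending field so the form can be fixed, but never echoes the value itself.
function validateCheckout(body) {
  body = body || {};
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return { ok: false, reason: `card data received in field(s): ${panFields.join(', ')}` };
  }
  if (typeof body.token !== 'string' || !/^[A-Za-z0-9_]+$/.test(body.token)) {
    return { ok: false, reason: 'missing or malformed gateway token' };
  }
  return { ok: true, token: body.token };
}
```

Wire `validateCheckout` in front of the order handler and alert on any rejection that names a field: a single hit means card data reached your server and the integration needs to be corrected.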

The team at Savvior can help you choose the most appropriate payment service and integration method to meet or bypass PCI compliance requirements.

Myth: If my software is certified PCI compliant then we are compliant

Fact:

There are 12 separate criteria for meeting PCI compliance, and your software is only part of that equation. You need to be 100% compliant with all 12 criteria to have PCI compliance. This includes physical security, network layout, and other factors. For small businesses that only do card-not-present transactions, PCI compliant hosting will often allow for compliance. A better strategy is to choose a credit card integration method that does not pass credit card information through RAM, as explained above.

The Bottom Line

Adhering to PCI compliance requirements is a costly endeavour. It involves meeting 12 separate requirements with many sub-requirements. Depending on your transaction volume, you may have to hire a QSA (Qualified Security Assessor) to run annual scans and purchase more expensive hosting. If something does go wrong, you will be liable for the penalties under the law for non-compliance.

So What Are My Options?

For 99% of solutions it makes more sense to choose a credit card integration method that does not involve the server passing credit card information through RAM. Savvior can work with you to find the correct solution for your project requirements.

If the sensitive cardholder information is not stored and does not pass through RAM on your server, then you will not be required to be PCI compliant.

Savvior provides PCI compliant web hosting, has worked with QSA teams in the past to certify web solutions as PCI compliant, and can walk you through the various options you will need to gain compliance. If you are doing eCommerce, it's a good idea to go through the process as a matter of best practice even if you don't have a compliance requirement.