I once heard someone say that not having PCI compliance is like riding a bike in just shorts and flip-flops: you can get going quickly, but when you fall off it's very, very painful and you may not walk again.
To make things worse, PCI compliance is about as murky and confusing as things get online. Almost as messy as the EU cookie law (don't get me started on that!). The real shame is that payment gateways sometimes use very confusing language and marketing jazz to obfuscate PCI. Here are some of the options we considered and why. I'm sure there are more, and I'd like to hear some thoughts on what the best option is.
What is all this about? Can you start from the beginning?
Anyone who takes credit card data needs to follow certain compliance regulations to ensure that security is in place and fraud is minimised. This applies across the board: it doesn't matter whether you are a bricks-and-mortar shop on the high street or an ecommerce store. If you handle credit cards, then you need PCI compliance. If you don't have it you can face fines, and if fraud occurs the liability rests with your company. It's not a recommendation, it's a requirement.
We initially set up our stores with Paypal Express. It's super easy to get going, and because the credit card data is entered on the Paypal domain we don't have to worry about PCI compliance; Paypal already have that in place on their servers. But Paypal Express is not the best checkout service if you want people to pay by card. Their Express landing page is essentially there to get people to create a Paypal account. Not what we want.
Paypal Express also has a £1,900 limit in the UK. When this limit is reached you will need to have your account manually approved. Maybe we get the bad days at customer HQ in Ireland, but Paypal customer service has always been poor, and getting this manually approved is always a pain. They hold your cash until you do get approved, due to money-laundering regulations. Again, not ideal, but hey, it is super simple to get going and there is no monthly charge.
So. What next?
Merchant Accounts and Payment Gateways
The merchant account holds the money paid into it. It's normally run by a bank, although there are some hybrid Merchant Account / Payment Gateway services. Paypal, for instance: they hold the dough and they take the dough. There are also a few other hybrid services such as Braintree (not the exciting Essex town, but a hip, dev-friendly company that has just launched in the UK. Or so they say.) and PaymentSense. I'm sure there are a few more.
The taking part is the payment gateway. They facilitate the transfer of money. The Merchant Account will want to be confident that the process the Payment Gateway uses is secure and PCI compliant. They usually work with a few.
Both the Payment Gateway and the Merchant Account will have charges attached.
We found that for Merchant Accounts these vary between 10p and 30p per debit card transaction and 1% – 3% on credit card transactions. There will normally be a minimum fee in place of around £20 – £40.
For Payment Gateways these vary a lot more, but a basic package is around £20 / month. There are also setup charges to consider.
The Hop, Sop, and What Not.
Ok, you've got the customer in the cart and you need to take their card details. What then? There are a bunch of methods by which you can communicate with the payment gateway to complete the sale.
- You take the card details on your checkout – PCI required on your server
- The customer is redirected to a separate domain hosted by the Payment Gateway (Hosted Order Page, HOP) – PCI managed by the Payment Gateway
- You take card details on the checkout but transfer them across to the Payment Gateway securely using clever magic (SOP, transparent redirect and iFrame) – PCI compliance scope reduced
Taking card details on your checkout
This is readily available, and we do worry that some people are going to get very burned using this method. If you are capturing the card details on your server then you need PCI compliance. Even if your server is not storing the details, the onus is still on you. Just look through the WooCommerce extensions store: you can find many Payment Gateways that do this, but how many are getting their PCI in place?
Hosted Order Page (HOP)
The customer goes to a separate page on the Payment Gateway's server. Sometimes this can look nothing like your site (and consequently can drop conversion rates), and sometimes they do it well (I'm looking at you, Mijreh Slurp). It's a cost-effective way of getting card details and being PCI compliant, because the Payment Gateway is covering it.
The grey area
We're seeing conflicting information about this. There are methods in which the hosted, PCI compliant card-capturing pages are embedded in your site, or the card details are super-securely sent across to the payment gateway. eWay are very confident in their Transparent Redirect solution. They have even got Statsec (a BAE security company) to vouch that using their transparent redirect method is PCI secure.
We've seen a lot of people unconvinced. I asked eWay on UK Business Forum and they responded that it 'reduced the scope of PCI compliance'. I was glad of their honest answer, but it's a bit different from their site, which describes their Transparent Redirect solution as "A PCI-DSS Compliant Solution".
So it all does a fab job of keeping the amount of work minimal, but you'll still need to get PCI compliance.
I will mention that PaymentSense are also offering Transparent Redirect and include free PCI compliance for the first year. So that means you can take card details in your checkout and not have to pay extra for separate PCI compliance. The best of both worlds, it seems.
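To make the three methods above concrete, here is an added example of my own (not code from this post or from any gateway) that classifies a checkout page by where its card-number field actually posts, which is what decides whose server captures the card data. The field names, hostnames and sample markup are constructed assumptions.

```python
# Added example: classify a checkout page by where card data goes.
#   "direct": card fields post back to the merchant's own host (full PCI scope)
#   "sop":    card fields post straight to a third-party host (transparent redirect)
#   "iframe": no card fields, but a third-party iframe is embedded (hosted page in an iframe)
#   "hop":    neither; card capture happens elsewhere (hosted order page redirect)
# Field-name hints and the sample HTML are constructed assumptions, not a real gateway's names.
from html.parser import HTMLParser
from urllib.parse import urlparse

CARD_FIELD_NAMES = {"cardnumber", "ccnumber", "cardno", "ccnum"}  # assumed input names

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.iframes, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", []]   # [action, input names]
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            # Normalise "card-number" / "CardNumber" to "cardnumber" before matching.
            self._form[1].append("".join(c for c in (a.get("name") or "").lower() if c.isalnum()))
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def _third_party(url, merchant_host):
    # A relative URL has no host and therefore posts back to the merchant's own server.
    host = urlparse(url).hostname
    return host is not None and host.lower() != merchant_host.lower()

def classify_checkout(html, merchant_host):
    s = _Scanner()
    s.feed(html)
    card_forms = [f for f in s.forms if CARD_FIELD_NAMES & set(f[1])]
    if card_forms:
        # One form sending card data to our own host is enough to put us in full scope.
        if any(not _third_party(action, merchant_host) for action, _ in card_forms):
            return "direct"
        return "sop"
    if any(_third_party(src, merchant_host) for src in s.iframes):
        return "iframe"
    return "hop"

# Constructed sample checkout pages (assumed markup).
DIRECT_HTML = '<form action="/checkout"><input name="card-number"><input name="cvc"></form>'
SOP_HTML = '<form action="https://gateway.example/pay"><input name="CardNumber"></form>'
IFRAME_HTML = '<iframe src="https://gateway.example/card"></iframe><form action="/order"><input name="email"></form>'
HOP_HTML = '<form action="/place-order"><input name="email"><button>Pay</button></form>'
```

The "direct" result is the one to worry about: the card number reaches your server whether or not you store it, which is exactly the point made about the first method above.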
Pay for PCI compliance? It’s just a self-assessment form!
Well, yes, you can do it yourself, and you can read more here. SAQ A is the basic form, but we are not confident that this will be sufficient for the methods in the grey area and we would not want to take any risks. Once online reputation is damaged it is hard to rebuild confidence.
Apart from the top category of PCI compliance, Level 1, PCI compliance is at least half self-assessment. The vast majority of vendors who say they are PCI compliant need to do one of the following:
- Complete a quarterly self-assessment questionnaire (SAQ).
- For online vendors, submit to a quarterly vulnerability scan of their systems by a 3rd-party IT security firm.
Not the end of the world, perhaps. Just another cost and another job. This has to be undertaken by the business owner, so unfortunately we cannot offer this on behalf of our clients.
So who to use?
Don't just add a payment gateway without thinking about PCI. As WooCommerce developers we see dozens of Payment Gateways on the WooCommerce extensions page but very little mention of PCI compliance. Be wary about the process used and check the PCI requirements.
We have no relationship with the following companies. We are just sharing what we have discovered and if we are incorrect about these details we’d love to hear your thoughts in the comments.
Mijreh
These guys spotted the problem with PCI compliance and made a company out of it. They provide a 3rd-party service that is PCI compliant. You can plug a range of payment gateways into Mijreh, and they will allow you to take card details on their PCI compliant servers. They also have some clever tech called Slurp which mimics the theme you use for your site. This means consistency in brand, which is often lost with Hosted Order Pages.
They charge for the service though. We think it is worth it, but bear in mind you now have your margin taken off by Mijreh, your Payment Gateway and the Merchant Account. (Just don't look!)
Please visit Mijreh, if for nothing else because their graphic explaining the mechanics of PCI is fab.
PaymentSense
They have a direct relationship with First Data, who provide their merchant accounts. It's a bit like the hybrid services I mentioned above. This means you can get up and running quickly and you don't have to concern yourself so much with fees coming off your margin from two places.
They are also only £10 / month for their basic package and throw in free PCI compliance for the first year. They have a HOP and they have Transparent Redirect. We think this is a great package to get started with.
eWay
The cool kids in town. They have fancy tools like Beagle Alerts and Social Carts, but we have yet to get a straight answer about PCI compliance. They work with half a dozen banks to provide a merchant account. This could be really useful if you are already running a chip and PIN machine in store and want to use the same bank for your online Merchant Account. But because they don't have a single relationship with one bank, we found the eWay guys just couldn't promise anything about helping us get PCI. You'll have to pay for a professional PCI compliance check and talk it through with the bank.
eWay costs start at about £20 / month. There will also be merchant fees on top of this.
Paypal Pro
Paypal Pro have an iFrame solution. We think this falls into the grey area we discussed above. You'll need to get a PCI compliance check. It is nice to have all your orders (Paypal and credit card) in one place, and it will help you reduce your rate because you will have a greater number of orders.
Paypal Pro charges £20 / month.
Braintree
We've got our eye on Braintree, who have just launched in the UK. It looks like their support is all managed out of California, and inevitably they are quite tricky to get hold of. Support is important to us, so we're going to wait for this one to mature a bit more before looking into them. They are one of the new breed of Payment Gateway / Merchant Account hybrids.