PCI Compliance - Do I need it for my website?

I have had a few enquiries recently regarding ecommerce websites and a few questions crop up every time. One of them is PCI Compliance, what it involves and what it costs.

To make things simpler, I've decided to write a quick(ish) article, explaining as simply as possible some of the questions regarding PCI Compliance and websites. I will make this clear from the start though - this article is written in as layman-like terms as possible and is not meant to be a technical article on PCI Compliance. If you are looking for a technical and legal view on PCI Compliance, there are many websites out there that do just that - the UK Cards Association is probably the first place you should look for that.

I need a website that has my products for sale, can you build me one and how much is it going to cost me?

These two questions are usually the first things asked. They are innocent enough questions from people, and the response they are looking for is "yes" and "not a lot". The answer I give to the first question is "Yes I can". Because I can. But the cost "always" comes as a shock.

It isn't just the cost of the website build though; the web hosting is always another big shock to them. The explanation always involves PCI Compliance and the responsibilities that they have to take on board. I'm sure that some people think I make this stuff up: what it involves, how much it can cost you if you get it wrong, the fact that you actually need it at all. I don't make it up. I don't particularly like it, and I don't understand every facet of it (if you want someone that does, be prepared to pay more per hour for consultation than some people make in a week). But what I do understand is that if you are selling stuff from your website - and want people to pay with a card - then there is a very high likelihood that you need it.

Does my website need to be PCI Compliant?

In a nutshell, if your website has something to sell, and you want people to pay for it through your website using a debit/credit card - then yes, you need to be PCI Compliant.

But what if I use Paypal to take people's money?

There are two scenarios here that we will cover:

a) Customer goes onto your website, adds a product into a basket, clicks on pay for item(s) and is then taken to Paypal to pay for their purchase, entering their card details.

b) Customer goes onto your website, sees a product and contacts you (phone, email, contact form) telling you that they want to purchase the item. You then log into Paypal and send a payment link from there.

OK, two scenarios to consider. If you are doing (a) then you need to be PCI Compliant. With option (b) you don't, as the PCI Compliance is handled in full by the Paypal website.

From a business perspective, option (a) is what people generally want - it's quick and easy. It also takes up less of your time and is easier to automate.

Option (b) isn't great - it may frustrate the customer, who may go and look for another seller of the product - loss of customer. It will also take up more of your time. There are circumstances where this type of payment option is expected - probably a product that requires further information to be given, something that is maybe made to the customer's exact specification, i.e. not something off the shelf like a TV, dress or white goods.

OK I understand that I need to be compliant, what exactly do I have to do?

PCI Compliance is not a simple thing. It covers a wide spectrum of scenarios - it has to, it's what keeps credit card information safe. It covers a wide range of business types, from Sole Traders to Multinational Corporations. Without regurgitating everything, the UK Cards Association (link given earlier in the article) has all the details and questions for you to look through. Here they will tell you exactly what you have to do, which forms you need to fill in, etc.

Can you build websites that are PCI Compliant then?

Yes, our ecommerce websites are built using WordPress or Shopify. WordPress websites are hosted with one of our PCI Compliant suppliers and tend to be more customisable and easier for you to use. Shopify hosts the website on their own PCI compliant server, but the websites, we find, aren't as customisable and have a steeper learning curve. Both have their pros and cons, and which one we advise you use will depend on your business, its needs and your technical ability.

So how much is this PCI Compliant website going to cost me?

The million dollar question! It is impossible to give you an answer to this without an in depth meeting. The website cost, the web hosting cost, additional software, maintenance, marketing, content, images, so many things to consider.

One thing we can say is that you aren't going to get an ecommerce website set up for a few hundred pounds, not even for a few thousand pounds. Ecommerce websites are much more expensive than your normal websites. There are many reasons why this is so, but security and PCI Compliance is a major factor. If a ballpark figure of £3,000 for a very small ecommerce website and £800 per year for the hosting scares you, then fines of up to £60,000 for PCI non-compliance are going to give you nightmares.

OMG really? That much? Are there any alternatives?

Yes there are. But the solutions aren't as "clean" as having a website that people can buy from direct. We will be happy to discuss these options if budget is a constraint for you.

But so and so has a website that sells stuff and they don't pay anywhere near that

I've heard this a few times and quite honestly I'm not bothered. I'm not bothered if other businesses are breaking the law. I have never given, and never will give, advice that will put a business at risk. Fines for non-compliance vary, but will always be in the thousands and go as high as £60,000. It may also mean that you will not be able to accept card payments in the future. The damage to your business's reputation cannot be expressed in pounds or dollars, but it isn't going to be good.

So if you have heard that they run their website for a few pounds per month (and accept credit cards), then they are either lying or are stupid.

So there you have it. If you want a website that sells stuff, you are probably going to need one that is PCI Compliant. If I haven't scared you off with the above article, and you would like to discuss this further, just get in touch and I will be happy to go through things in detail with you.