https://www.securitymetrics.com

Was just wondering if any members on here own a business that accepts credit cards, and if so, did you have to pay to be "PCI Compliant"? I had signed up and renewed annually online for "PCI Compliant" for the past 4 years for my parents' business with no fee, but this year it is asking for a $69 fee (since we only use dial-up for credit card transactions): "Site Certification Renewal - Annual Service - No Internet with Self Assessment Questionnaire (Annual Price)". Was just wondering if this site and its compliance service are legit, or if I'm just throwing $ away if I pay.

PCI DSS compliance introduction: Payment Card Industry Data Security Standard (PCI DSS) compliance is designed to protect businesses and their customers against payment card theft and fraud. Whether you process payment cards online or in person, SecurityMetrics PCI Focus guides you through PCI requirements to help you avoid data theft. If your business accepts, stores, or transmits card data, PCI DSS compliance is required by card brands such as Visa, MasterCard and Discover.
Funny, I'm doing some work on this right now. As far as I can tell, every business must be PCI-compliant in its credit card transactions. Whether you can get a better deal elsewhere, I'm not sure. It sounds like you're doing in-person sales and not online? Or both? If both, I saw some gateways like Intuit Merchant Services that offer an online gateway with a POS machine.
From when I remember doing it, PCI Compliance is a grade for CC vendors to charge you based on how secure your site is for online transactions, so if you had the highest level, the transaction fees would be less than for their basic or non-levels. I don't know what the site offers outside of consulting, but it doesn't seem realistic that they'd provide software or code for you to be compliant. The ultimate rule to getting there is that your site server should not touch or handle any CC data during a transaction, and that it should all be directed to a separate internal server that fits the PCI criteria (no outside interactions other than your servers and the payment portal, no direct connection of private user info between the PCI server and your server). As a small vendor, you probably use a SaaS solution or an outside vendor like PayPal or Google Wallet. Those would not require PCI compliance since in theory (and assuming they did it right), they would handle all of that messy stuff, and it is baked into your contract and rates.

In other words:

- If your site doesn't connect to a big bank, then you don't need it.
- If you were already "compliant", then you'd most likely still be compliant provided your code hasn't changed... provided the site itself is legitimately following the rules.
- The audit checks they use are no guaranteed certification of real compliance, which the bank or whatever vendor you connect to would perform as a stipulation for lower rates on your contract. Perhaps some better site would offer a monetary guarantee in the case of non-compliance, or offer to handle the interactions between you and the payment vendor (for a bit more coin, likely...).
- If you don't know what I'm talking about, most likely you don't need such a hardcore solution.
But if you aren't using a Software as a Service solution to handle this, look into it, because PCI compliance done wrong is costly, and outsourcing a custom home-grown solution is like turning your car over to shady mechanics.