According to the new MC/Visa regulations, all merchants processing credit cards on their websites must be compliant with the PCI DSS standards.
There is a simple rule. If customers enter credit card details on your website, your website must be PCI DSS compliant. Compliance is required even if credit card information is not stored in your database. If you use a credit card processor in a mode where the card details are entered on the processor's website, such as PayPal Standard, WorldPay, 2Checkout.com or Authorize.Net SIM, you do not need PCI compliance and have nothing to worry about.
If customers are asked for credit card details on your website, as is done with Authorize.Net AIM/CIM, PayPal Pro, PayFlow Pro and so on, you need to implement compliance with the PCI DSS standards.
There is no quick answer to all of this. In fact, compliance is not only a software question. Even if we do everything we can in aMember Pro, that alone will not be enough. Additional steps must be taken by your server system administrators to make sure your setup is secure and meets all the standards. These steps may include:
- you have to set up two dedicated servers with a firewall between them. You need physical control of the servers to ensure nobody can access them to obtain sensitive data. The first server handles website tasks; the second (database) server must be behind the firewall.
- your system administrator must keep the servers up to date with security updates;
- you have to order and install an SSL certificate and configure aMember to use it, so credit card information is encrypted in transit from the customer to your website;
- track and monitor all access to network resources and cardholder data;
- regularly test security systems and processes.
From our experience, this is almost impossible for a small membership website owner. Our recommendation is simple: avoid accepting credit card data on your website. Use third-party solutions such as PayPal Standard, 2Checkout.com, WorldPay.com and similar.
According to PCI rules, all software processing credit card information must be certified for compliance with the separate PA-DSS standard. aMember Pro v.3 implements almost all PA-DSS requirements, with a few exceptions (such as customer info access logging). However, aMember Pro v.3 has not yet been certified for PA-DSS. We are working on aMember Pro v.4, which is being developed from scratch according to all PA-DSS requirements and will be certified for PA-DSS.
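The "track and monitor all access to cardholder data" step above, and the customer info access logging that PA-DSS asks for, both come down to the same two rules: every access to card data is recorded with who, when and why, and the log itself never contains a full card number (PCI DSS permits at most the first six and last four digits to be shown). The following is an added illustration of such an access log, written for this page and not part of aMember Pro or any PA-DSS-certified product; the class and function names, the hash-chaining scheme and the sample card numbers are all constructed for the example.

```python
"""Minimal hash-chained audit log for access to cardholder data.

Added example, not aMember Pro code. Names (mask_pan, scrub_text,
CardAccessLog) and the sample PANs below are constructed for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Runs of 13 to 19 digits, optionally separated by spaces or dashes, that look
# like a full PAN. Used to scrub free-text fields before they reach the log.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS allows."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Replace any full PAN pasted into free text with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


class CardAccessLog:
    """Append-only log; each entry carries the hash of the previous one so that
    editing or deleting an earlier entry is detectable on verification."""

    GENESIS = "0" * 64

    def __init__(self, clock=None):
        self.entries = []
        # Injectable clock so tests can use a fixed timestamp.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user: str, action: str, pan: str, reason: str = "") -> dict:
        """Record one access. The PAN is masked and the reason text scrubbed
        before anything is stored, so the log never holds a full card number."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "ts": self._clock(),
            "user": user,
            "action": action,
            "pan": mask_pan(pan),
            "reason": scrub_text(reason),
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if every entry's hash is intact and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def leaks_full_pan(self) -> bool:
        """Sanity check: does any stored field still contain a full PAN?"""
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k not in ("hash", "prev")}
            if PAN_RE.search(json.dumps(fields)):
                return True
        return False


if __name__ == "__main__":
    log = CardAccessLog()
    # Constructed sample: a support agent views a card and pastes the full
    # number into the reason field; the log stores only the masked form.
    log.record("agent7", "view", "4111 1111 1111 1111", "refund for 4111111111111111")
    log.record("agent7", "view", "5500000000000004")
    print(json.dumps(log.entries, indent=2))
    print("chain ok:", log.verify_chain(), "leaks:", log.leaks_full_pan())
```

In a real deployment the log would be written to append-only storage on a separate host, and the chain verified by a process that the web server cannot modify; this in-memory version only shows the masking and tamper-detection logic.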