PCI Compliance is a tricky subject, and its scope can cover a very broad range of systems and processes. Fortunately, your SiteWrench website keeps you off the hook for a tremendous chunk of that. Here are some important things to know:
1. DO NOT EVER EVER EVER EVER EVER EVER EVER (yes, that's 7) create a form field asking a user to input a credit card number (or any other sensitive data, for that matter). Accepting credit card numbers in a form where a person can read them pulls your website into PCI scope, creates big problems for you, and can get you in big trouble.
2. When you use SiteWrench forms to collect payment with Stripe or Authorize.net, the credit card form is generated for you. The credit card data is then submitted directly from your user's browser to Stripe/Authorize.net and never touches our server (we use their prescribed methods to do this). Because our website servers never touch the credit card data and you don't capture it, the burden of PCI compliance remains with Stripe/Authorize.net, where it should be.
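As an added example (not SiteWrench's code) of enforcing rule 1, here is a guard a site's own form handler could run on a general-purpose form submission to catch card-number-like values before they are stored or emailed; the field names and the sample submission are constructed for illustration.

```javascript
// Added example (not SiteWrench's code): a defender-side guard a form handler
// can run before storing any submission, to catch card numbers that should
// never have reached the server in the first place.

// Luhn checksum: every real card number passes it, so it separates PANs from
// other long digit strings (order numbers, phone numbers) with few false alarms.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when a field value contains something that looks like a primary account
// number: a run of 13-19 digits (spaces or dashes between digits allowed)
// that also passes the Luhn check. Free-text fields are scanned too, since a
// visitor may paste a card number into a "message" box.
function looksLikePan(value) {
  const runs = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, '')));
}

// Scan a submitted form (field name -> value) and return the names of fields
// holding PAN-like data. An empty array means the submission is safe to keep.
function findPanFields(submission) {
  return Object.entries(submission)
    .filter(([, v]) => looksLikePan(v))
    .map(([k]) => k);
}

// Constructed sample submission (hypothetical field names). 4242 4242 4242 4242
// is a widely published test card number, not a real card.
const sampleSubmission = {
  name: 'Sample Visitor',
  phone: '615-555-0100',
  orderRef: '100200300',
  message: 'please charge 4242 4242 4242 4242',
  cardNumber: '4242 4242 4242 4242',
};

// A real handler would reject the submission and alert an administrator
// rather than store it; here we just report the offending fields.
console.log(findPanFields(sampleSubmission)); // prints [ 'message', 'cardNumber' ]
```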
I received a concerning message about PCI compliance and my website. What's up?
It is not uncommon for a less-than-savory entity to contact someone whose website accepts payments, claiming they must pay money to become PCI Compliant, pay for a scan, or something similar. Most of these third-party messages are scams and should be ignored. If you are following the rules above, the burden of PCI compliance stays with the payment processor, where the card is charged and the data is potentially stored.
The best course of action if you receive a questionable notice is to follow up with your vendor via means not listed in the message to confirm whether or not the message is legitimate. Call your account rep or submit a support request via their website requesting an explanation.