Thread: Networks require Advertisers to be PCI compliant?

#1
Yesterday, in the afternoon (E.S.T.), on Fox News Channel, I saw an interview with a man from McAfee. The security man said that only 20% of ecommerce web sites are PCI compliant.
Question: Do LS, CJ and SAS require their advertisers to be PCI compliant?

#2
Not that I am aware of. I did have a merchant who was looking at retargeting and it had to pass PCI compliance. To tell you the truth I am not familiar with PCI compliance, do you have further details?

#3
I don't know, but they shouldn't as it's really not for them to enforce. If a company is retaining cardholder data, it's simply obligated to be PCI compliant to its respective level and it's up to its merchant bank (if anyone) to enforce it. But even if the bank does nothing and the company gets caught, fines can still be levied.
So if you aren't PCI compliant now, you may want to check your agreement with your bank because I doubt the bank will eat the fines (which could be upwards of $100,000).

#4
I believe many of the smaller merchants outsource their credit card processing to third parties and that those merchants do not have credit card numbers, or other confidential data, on their servers.
Probably any company that does have credit card numbers, etc., on their servers, needs to be PCI compliant. Sounds like the networks (LS, CJ, SAS, etc.) do not require PCI compliance. Thanks for the feedback!
@Chuck - I am not sure what the PCI requirements are; however, I believe they are very tough.
Last edited by Lanny; November 27th, 2011 at 06:00 AM. Reason: @Chuck not sure of the PCI requirements

#5
Yes, using something like PayPal to handle your billing definitely takes a lot of pressure and the onus off of a merchant.

#6
There seems to be more and more regulation creeping into the Internet Marketing Industry. I hope that the PCI law works in the way it's supposed to, without being too interfering.
You can read more about the new PCI rules here

#7
Yes, in order to keep a merchant account with a major bank, you must be PCI compliant. Most merchant banks require that your server is scanned periodically to ensure compliance. It's actually a pain in the neck because as often as not the "issues" are either administrative (you have not done your annual "self assessment"), or - worse yet - they find you out of compliance because of a bug in their testing. I just passed for the 2nd quarter in a row without having to update anything; and I am breathing a sigh of relief.

Unfortunately, the banks are all so large that by the time something gets implemented in software, the chances that it addresses what it should, in the proper way, are greatly reduced. I continue to marvel at the antiquated and poorly thought out systems they have in place to handle chargebacks.

PayPal is not a great solution for merchants. Because it handles everything, and gives you less information (they tell you if there is an address mismatch, but not whether it's the "street" portion or the zip code), you have a greater chance of a lost package due to a typo, or a reversal by PayPal after the fact. I accept credit cards, but not PayPal, for that reason. Although your merchant bank can reverse the transaction (and does if it is challenged by the customer), you can usually get the money restored when you provide transaction documentation. I shudder to think what happens with PayPal; I haven't heard anything reassuring about that ...

There is no way for the networks to know whether you are PCI Compliant, plus it is common to be out of compliance for short periods (from when you are notified of a missing software upgrade to the time you can apply it). They can't even know if your servers are being tested.

If you, as an affiliate, are concerned about sending your site visitors to non-compliant (or non-tested) merchant systems, I'd stick to major companies, and even there compliance does not mean total security. It is the large companies whose systems are targeted, and which are most likely to "lose" credit card information. However, small companies, if they are with merchant account resellers who are not careful (and there are probably many of those), may be totally irresponsible about protecting credit card information. Too many little companies buy a store/cart system and install it on their own servers, with little or no understanding of security. They don't want to hire anyone to ensure that they aren't at risk, but doing it right is not something you can learn overnight.

I guess that was a rant. Sorry.

#8
In other words, Valerie, we are well and truly screwed.
Last edited by paulas; November 28th, 2011 at 08:07 AM. Reason: Used the wrong name

#9
@Shuvee (Valerie) Thank you for all of the data you provided. Interesting! I am aware that there are issues for Merchants who accept PayPal payments. My #1 Merchant does accept PayPal and that is a big plus for me. I keep hoping that my #2 Merchant will begin accepting PayPal. Hopefully, during 2012!
Lanny