PCI/CISP — what is it and how does it affect you?

PCI, DSS and CISP are the new acronyms on the block — if you are accepting credit card payments you’d better know about them.

Devised by AMEX, MasterCard and VISA, these acronyms stand for a set of regulations that shop owners online and off-line have to follow when they store, process or transmit credit card data. Large fines loom otherwise.

Reading the regulations alone is enough to give you a minor heart attack. The good news is that ShopFactory eCommerce software makes complying easy.

PCI, CISP security standards

To accept credit cards you must be PCI / CISP compliant if you or the software you use store, process or transmit credit card numbers. This applies to you if you accept cards over the counter, by phone or over the Internet.

These standards were established by the credit card providers to reduce the theft of credit card numbers online and off-line.
(PCI: https://www.pcisecuritystandards.org/ CISP: http://usa.visa.com/merchants/risk_management/cisp_merchants.html)

These rules are positively scary and describe how you have to safeguard credit card details against potential theft. They apply to the software you use, your servers and your office environment.

So what should you do?

Shopping cart software

The easiest way to comply with PCI is to select shopping cart software which does not process, transmit or store credit card numbers, such as ShopFactory.

Unfortunately most shopping cart software on the market does at least one of the three, such as transmitting card numbers to a payment service provider for approval. Many open source shopping cart solutions are guilty of this.

If this is the case, you will need to host your shop on a PCI / CISP compliant server as well as comply with all the security guidelines required by the standards. This is a major undertaking for small businesses.

Manual credit card transactions

If you want to accept and approve credit cards yourself, use a service provider which accepts card details for you and stores them online in a PCI compliant environment, such as GlobeCharge.

This way you do not have to process or transmit credit card details yourself, which removes the need to comply with the PCI standards.

Real-time payment service transactions

The safest option, however, is to use a real-time payment service provider who accepts and approves credit card payments on your behalf on their server, or an order management gateway such as GlobeCharge.

Again you neither process, transmit nor store credit card details — meaning you don’t have to be concerned about PCI compliance.

If you get many orders, using a real-time payment service can also help you streamline your operation. Most of these services also use sophisticated credit card fraud detection methods, helping safeguard you against fraud, and it is their job to be PCI compliant.

But beware: if the customer enters payment details on your website and your server then connects to the real-time payment gateway in the background, the card data passes through your systems and you are again required to comply with PCI regulations.

Remember also to be careful about the shopping cart software package you use. Unlike ShopFactory many eCommerce solutions accept credit card details on your server and then transmit them to the payment service provider.

Again you are back to having to comply with all the PCI and CISP rules on your server and in your office environment.


There are many misconceptions about PCI compliance. The biggest misconception is that you only have to comply with PCI regulations if you store credit card numbers.

This is incorrect. Many shopping cart software packages accept credit card details from customers and then forward these to the payment gateway.

This falls under transmitting, even if nothing is ever written to disk. If your software does this, not only your server but also your hosting provider must be PCI compliant.
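The practical question behind the two passages above is whether card numbers actually pass through your own server. The following scanner is an added example (not ShopFactory's or GlobeCharge's code) that runs a Luhn check over constructed request-log lines to flag endpoints through which PANs are being transmitted; the log format and endpoints are assumed.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by the card schemes; weeds out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only first six and last four digits, the maximum PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; never return the full number."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_request_log(lines):
    """Return (line_no, endpoint, masked PANs) for every line carrying a card number."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            parts = line.split()
            endpoint = parts[1] if len(parts) > 1 else "?"
            hits.append((n, endpoint, pans))
    return hits


# Constructed sample: POST bodies as a cart might log them (public scheme test numbers).
SAMPLE_LOG = [
    "POST /checkout/submit card_number=4111111111111111&expiry=12/29",
    "POST /order/confirm order_id=1234567890123456&amount=49.95",
    "POST /checkout/submit card_number=5500-0000-0000-0004&name=Jane",
    "GET /cart/view session=abc123",
]
```

Any endpoint reported by `scan_request_log` is one your server is transmitting card data through, which puts the server and its hosting environment in PCI scope.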

Another misconception is that servers which pass security scans by an approved security service are automatically PCI approved.

This is also wrong. The security scan is only a part of PCI approval. If your hosting provider does not comply with PCI regulations, you cannot comply either, regardless of the results of a security scan.

Additionally you have to actually comply with all the requirements in the PCI/CISP self-assessment questionnaire. Many of these are not resolved by having an approved scan.


If you use shopping cart software such as ShopFactory, combined with a real-time payment service which accepts card details on their server or an order management gateway such as GlobeCharge, you neither process, transmit nor store credit card numbers. This makes complying easy for you.