I hope my questions are not too simple. I am a sysadmin and not a web person. This all is out of my league.
I have a client who is looking to charge for data downloads and also sell physical merchandise. There will also be some “buy on the web and pick up in person” transactions such as event registrations. At some point they might want POS terminals, so the system should be built with that in mind. The material is not adult oriented, so there is no worry about being turned away by providers. There is rather a lot of content, though. Well over 100GB and growing all the time.
They currently have a custom storefront that they believe is not compliant with all the laws and regulations (PCI?). They process credit cards through Authorize.net and VeriSign. They are a well-established company with merchant accounts and all that.
We have been told that unless we use a company such as MonsterCommerce we must have third party audits. Is that right?
MonsterCommerce doesn’t seem like a good match since we would have to host many gigs of files on their servers (which I doubt they would appreciate) or do some kludged email thing. Neither seemed good to me.
How would you go about setting this up? I was thinking that a basic hosting account (LiquidWeb perhaps) with any shopping cart would do. Are there good modules available for controlling downloads? I figured there must be for the shareware sellers. Would we really need to do audits? The powers that be seem to think that we would have to have the corporate network audited. That seemed *really* wrong to me.
I've used OSCommerce for pay per download sales and it's worked fairly well for me. It also integrates with most payment processors, so you wouldn't have to change any of that.
As long as payments are going through a certified payment gateway, such as Verisign or Authorize.Net, and you're not storing any credit card numbers, I don't know of any reason why you would need any auditing of your server or network.
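The "modules for controlling downloads" the original poster asks about mostly work the same way under the hood: the cart issues a link that only works for the order that paid for it and only for a limited time, and the file itself sits outside the web root so it can never be fetched directly. The following is an added illustration of that pattern and is not code from osCommerce, the poster, or anyone in this thread; the secret key, order id and file names are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed placeholder. A real deployment loads the secret from server-side
# configuration that is not under the web root and rotates it periodically.
SECRET_KEY = b"example-secret-rotate-me"


def _signing_message(order_id: str, file_name: str, expires: int) -> bytes:
    # Every field that grants access is covered by the signature, so changing
    # the order, the file or the expiry on the client side breaks the link.
    return f"{order_id}|{file_name}|{expires}".encode()


def make_download_link(order_id: str, file_name: str, ttl_seconds: int,
                       now: Optional[int] = None) -> str:
    """Issue a time-limited, order-bound link after payment has cleared."""
    current = now if now is not None else int(time.time())
    expires = current + ttl_seconds
    sig = hmac.new(SECRET_KEY, _signing_message(order_id, file_name, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"order": order_id, "file": file_name,
                       "exp": expires, "sig": sig})
    return f"/download?{query}"


def verify_download_request(query_string: str,
                            now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a /download?... request. Returns (ok, file_name_or_reason)."""
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        order_id = params["order"][0]
        file_name = params["file"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"

    # Reject anything that could escape the private download directory
    # before doing any further work with the name.
    if "/" in file_name or "\\" in file_name or file_name.startswith("."):
        return False, "bad file name"

    expected = hmac.new(SECRET_KEY, _signing_message(order_id, file_name, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    current = now if now is not None else int(time.time())
    if current > expires:
        return False, "expired"

    return True, file_name


if __name__ == "__main__":
    link = make_download_link("ORD-1001", "dataset-2005.zip", ttl_seconds=3600)
    print(link)
    print(verify_download_request(link.split("?", 1)[1]))
```

When verification succeeds, the download handler looks the file up in a directory the web server itself does not serve and streams it; the link carries a file name, never a path, and the same `order` value can be checked against the order record to enforce a download count if the store wants one. Note that none of this touches card data: the cart only learns from the gateway that the order was paid, which is exactly the situation the replies above describe.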
Just who needs to be CISP compliant? Do you know where I can find, in writing, an official listing of who has to comply and who doesn't?
I have heard that if you do not keep credit card numbers you do not need to comply. According to the FAQ at http://usa.visa.com/download/busines...t/cisp_FAQ.pdf they would need to since they are transmitting data. OTOH we were told that the LAN would need to be audited and that seems outrageous. Two servers back east are talking to each other and we need to secure our LAN? I don’t think so since “If a merchant or service provider does not store cardholder data, CISP still applies to the environment that transmits or processes cardholder data."
Of course that FAQ says that "CISP is directed to all entities that store, process, or transmit Visa cardholder data," which by a literal reading would mean that I as a customer have CISP "directed to" me since I am transmitting "cardholder data" even if it is my own. This stuff is terribly confusing to a literal-minded geek.
You said that at some point they will be using a POS? Will the point of sale be in a retail store? How are those customers going to download the data if purchasing in a physical store?
Anyway, I believe you need some custom work done; you can get an ecommerce store like osCommerce and modify it so it will populate directly from the POS.
Regarding the Visa regulation, I believe you will be just fine by having a gateway like authorize.net and your SSL Cert.
If you need 100GB of space on the server, I believe you will need a dedicated server with good-sized hard drives and lots of transfer if the web site is going to be popular. Keep in mind that all products will be downloaded.
I cannot get to Visa's site right now, unfortunately. It is not only whether you are storing numbers, etc.; it also depends on the volume of transactions you are doing, etc.
I wish I could remember, but I always go back to that site, and I cannot find the PDF on my computer (I just recently moved a lot of documents around). Another possible reason Visa might require them to be CISP compliant is because of past issues. For example, if someone had a website and it was not secure at all (had SQL injection, etc.), and their site was hacked and credit card data was compromised, etc., Visa might require something at that point.