Have you ever seen the inside of a courtroom?
Chances are that unless you've served on a jury, you've never seen the inside of a courtroom (other than what you've seen on television). That simply means that court cases and courtrooms aren't in your realm of experience and that your exposure is limited.
Now there's not a lot that's wrong with that, unless of course you're making critical business decisions that might result in you being in one of those courtrooms. What do we call those situations where we make decisions without enough experience or exposure? I don't know about you but I call them mistakes.
Can I tell you a little about my day job?
I work for a company called Emphasys Software. We develop enterprise software for targeted vertical markets. More specifically, we specialize in compliance-oriented software.
Unless you're in enterprise software or do business where the government is closely involved in making sure you do things right, the closest you may get to compliance-oriented software is TurboTax. Every year that product changes – not because Intuit wants it to, but because Intuit has to make the changes that are driven by keeping it compliant with changing legislation around taxes and tax liability.
I don't normally spend a lot of time talking about my day job because there's not a lot about it that's sexy. Monitoring legislation, mitigating liability issues, and driving software to keep pace isn't fun stuff. But it's very valuable to large organizations that count on it to keep them legal.
If you're doing e-commerce, can I scare you for a second?
If you are a developer that is doing e-commerce work for clients, let me ask you this:
Who is mitigating liability issues for you? Who is ensuring that what you're delivering is compliant with all the laws and standards that are out there? Are you aware of the fines that your customer can be made to pay for mistakes you make? Are you protected against them coming back after you?
Let me ask it this way – are you protected from a scenario where your customer has their merchant account terminated and they can no longer get another – significantly limiting their potential to earn revenue?
If your customer gets caught in that situation, do you believe for one second that they won't come after you, if they think it was your mistake? What will you owe them? All their lost profits? For how long? Are you prepared?
If I'm scaring you a bit, then I've done what I intended. PCI compliance isn't a small thing.
I write about WooCommerce and I love how easy it's all become. But don't mistake technical ease for compliance or limited liability. Nothing could be further from the truth.
What is PCI Compliance?
PCI compliance, in short, is all about the protection you take to make sure customer data is safe when you're taking credit cards. It's not just a web site thing. It's a paperwork thing. It's a transmission thing. It's a lot of things.
And if you've just rolled out a super-cool site with tons of features that lets someone quickly buy a CD, you may not have spent any time thinking about PCI compliance. But the consequences of a lack of compliance can be fines (several thousand to hundreds of thousands) as well as having your client put on a list that limits their ability to ever get a merchant account again. And that's huge!
Giving you a specific checklist of everything you need to review to stay PCI compliant is beyond the scope of this post. But if you're managing data via phpMyAdmin, if you're interacting with a site via FTP (not SFTP), or if your web and database servers are on the same box, I can tell you right now you're not compliant. Period.
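To make those three red flags concrete, here is an added example (my own, not part of the original post or of any product it mentions) that audits a WordPress/WooCommerce install for them: it reads the constants in `wp-config.php` (the real `DB_HOST` and `FS_METHOD` settings) and looks for a phpMyAdmin directory in the web root. The sample config and directory listing are constructed, and the list of phpMyAdmin directory names is an assumption.

```python
"""Flag the three PCI red flags named above in a WordPress/WooCommerce deployment."""
import re

# Matches define('NAME', 'value'); lines as written in wp-config.php
_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Directory names commonly used for a web-exposed phpMyAdmin (assumption, extend as needed)
PHPMYADMIN_DIRS = ("phpmyadmin", "pma", "myadmin")


def parse_wp_config(text):
    """Return the string constants defined in a wp-config.php body as a dict."""
    return dict(_DEFINE.findall(text))


def pci_red_flags(config, webroot_entries):
    """Return a finding per indicator present: shared DB host, FTP updates, exposed phpMyAdmin."""
    findings = []
    # WordPress defaults DB_HOST to localhost; strip an optional :port suffix
    host = config.get("DB_HOST", "localhost").split(":")[0]
    if host in ("localhost", "127.0.0.1", "::1"):
        findings.append("database runs on the web server host (DB_HOST=%s)" % host)
    # FS_METHOD ftpext/ftpsockets make WordPress push files over plain FTP; ssh2 is the SFTP-style option
    method = config.get("FS_METHOD", "")
    if method.lower() in ("ftpext", "ftpsockets"):
        findings.append("WordPress file updates use plain FTP (FS_METHOD=%s)" % method)
    for name in webroot_entries:
        if name.lower() in PHPMYADMIN_DIRS:
            findings.append("phpMyAdmin is exposed in the web root (%s/)" % name)
    return findings


# Constructed sample: a typical single-box shop that fails all three checks
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'shop');
define('DB_USER', 'shop');
define('DB_PASSWORD', 'placeholder-not-a-real-password');
define('DB_HOST', 'localhost');
define('FS_METHOD', 'ftpext');
define('FTP_HOST', 'ftp.example.com');
"""
SAMPLE_WEBROOT = ["wp-admin", "wp-content", "phpmyadmin", "wp-config.php"]


def audit(config_text=SAMPLE_WP_CONFIG, webroot_entries=SAMPLE_WEBROOT):
    """Run the three checks against a wp-config.php body and a web-root directory listing."""
    return pci_red_flags(parse_wp_config(config_text), webroot_entries)


if __name__ == "__main__":
    for finding in audit():
        print("FAIL:", finding)
```

An empty list means none of the three indicators was found; it says nothing about the rest of the PCI DSS.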
What does this mean for e-commerce developers?
But you can't just go connecting it to Stripe (which I love). You need someone in the middle to help you. Yes it will cost a tiny bit – but it's worth it. They're set up to ensure that your liability, from the web side of things, is mitigated and your client can't come back and blame you. (Note: your client still needs to solve their own paperwork issues, but that's not on you.)
Their name is Mijireh (pronounced my-jy-rah).
Please check them out! You'll thank me later.
What does this mean for regular folks that want e-commerce but aren't developers?
Just the other day I wrote about a solution called CloudSwipe. I use them on this site to sell my eBooks. You should check them out. You don't need to know anything technical and you won't need to worry so much about PCI compliance.
The Great News?
So at this point maybe you're wondering – should you look at CloudSwipe or Mijireh? Well, don't worry, because the great news is that the same e-commerce experts are behind both of them. They're just targeting two different kinds of customers.
So stay protected, stay compliant, and by all means, stay out of courtrooms.