
Out of Scope for PCI-DSS

SalesCart has had many firsts in the field of ecommerce and, as far as we are aware, SalesCart Cloud is also the first commercial shopping cart that is out of scope for PCI-DSS. In fact, its entire architecture is based on the premise of removing nearly 100% of the complexity of PCI from our customers and merchants. We've accomplished this not only to remove the complications, but to save merchants money and to remove the burden of Internet security risks from our customers. Furthermore, by removing PCI-DSS requirements from our online store software, the result is more security than ever before for both the merchant and the customer.

Out-of-Scope for PCI-DSS does not mean Out of Compliance!
In fact, it means quite the opposite. Out of Scope for PCI means automatic compliance.


Because SalesCart Cloud is out of scope for PCI-DSS, your website is out of scope for PCI, your web hosting is out of scope for PCI, and your web hosting facility's network is out of scope for PCI. The only thing left in scope for PCI is your general business operations. The advantages of this fundamental ecommerce architectural security change to you are:

Some shopping cart software providers have tried to simplify PCI by moving the security requirements from the store merchant to an all-encompassing web store/web site/hosting vendor. In such a case, the shopping cart software supposedly allows you to ignore everything in your PCI assessment in the hope that they have adequately taken care of everything via their own PCI-DSS accredited software solution. However, this is a false sense of security. A vendor fully embracing PCI-DSS on your behalf is not the same as completely removing PCI from the solution altogether, and therein lies a huge difference. In order to understand the difference, you need to know what PCI-DSS is in the first place.

What is PCI-DSS?

All merchants are required to be Payment Card Industry (PCI) Security Standards compliant at this point. This means merchants must be aware of whether any software or hardware they use to process credit cards does any of the following: collects, transmits, or stores PAN (Primary Account Number) cardholder data. If it does, it must be PCI-DSS (Payment Card Industry Data Security Standards) compliant. Customers must complete a PCI questionnaire that signifies they understand these requirements and do not store this data themselves directly; if they do, they must undergo constant audits of their company's practices. Cardholder PAN data is pretty basic; it is defined as the data you see on a credit card, namely: the account number, the expiration date, the magnetic stripe on the back, and the security code printed on the back. This is basically the same data that a criminal could use to process a fraudulent credit card charge without the card.

What does out-of-scope for PCI mean to me?

SalesCart is out of scope for PCI-DSS because it never: collects, transmits, or stores any PAN (Primary Account Number) cardholder data. Period, full stop!

It does that by using a novel approach where this data is submitted directly from the customer's browser to the payment gateway without going to SalesCart, any SalesCart servers, or even the SalesCart network, and basically without even going to your website. What that means to you is that you truly don't have to worry about PCI-DSS for the online store software, your website, or your web hosting. There is no way your customers can ever accuse you, after the fact, of unintentionally divulging their credit card data, because you never store it and your estore software and your website server never even see it or hold it in memory for a microsecond during the process. This sensitive cardholder data is transmitted directly from the customer's browser to the payment gateway over the Internet connection between the customer's browser and the gateway, using the security implemented by the gateway itself. The significance of this to your business is huge. In all other traditional ecommerce shopping cart software, the online store software collects, transmits, and usually stores cardholder data, so it is subject to PCI-DSS. In addition, since the shopping cart software is typically a co-mingled, indistinguishable part of your website, your website also, by direct inference, stores and collects cardholder data. Furthermore, since your website falls under PCI-DSS, so does your web hosting, because your web store runs on top of a web server where the data is being processed and stored. The web server thus also collects, transmits and stores cardholder data. Finally, since your web server occupies some rack in a web hosting facility where someone could get to the computer to look at the data, and/or sits in a facility with a network where some other intruder on the network could get to this data at any time, both the web hosting facility and the network are also under PCI-DSS.
So you can see how this problem compounds itself for a merchant who controls a web site, yet literally has no control over the web server, the web hosting facility, the network, or the people passing, touching, or even logging into the server that holds their online store on a daily basis. Even if they do have control over those other processes, can they really afford to maintain elaborate procedures and pay for expensive audits for their web hosting and network facilities?
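The browser-to-gateway split described above, as an added illustration that is not SalesCart's code: card fields are separated from the rest of the checkout form and only a gateway token reaches the merchant, while the merchant endpoint rejects any card field or PAN-shaped value so an accidental leak is detected rather than silently pulling the server into scope. Field names, the token format and the sample form are assumptions constructed for this example.

```javascript
// Added illustration (not SalesCart code): card fields leave the browser for the
// gateway only; the merchant site gets a token and rejects any PAN-shaped value.
const CARD_FIELDS = new Set(["cardNumber", "expMonth", "expYear", "cvv"]); // assumed names

// Luhn checksum, used here only to recognise a PAN-shaped value.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d; double = !double;
  }
  return sum % 10 === 0;
}
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Browser side: card fields go to the gateway origin, the rest to the merchant.
function splitCheckout(form) {
  const gateway = {}, merchant = {};
  for (const [k, v] of Object.entries(form)) {
    (CARD_FIELDS.has(k) ? gateway : merchant)[k] = v;
  }
  return { gateway, merchant };
}

// Stand-in for the gateway's tokenization response (constructed; a real gateway
// returns its own opaque token from its own origin).
function fakeGatewayTokenize(cardData) {
  return "tok_" + String(cardData.cardNumber).replace(/\D/g, "").slice(-4);
}

// Merchant side: refuse any payload carrying a card field or PAN-shaped value,
// so the server never holds cardholder data even for one request.
function merchantAccept(payload) {
  for (const [k, v] of Object.entries(payload)) {
    if (CARD_FIELDS.has(k) || looksLikePan(v)) {
      return { ok: false, reason: "cardholder data rejected in field " + k };
    }
  }
  return { ok: true, order: payload };
}

// Full flow as the browser would run it.
function checkout(form) {
  const { gateway, merchant } = splitCheckout(form);
  merchant.paymentToken = fakeGatewayTokenize(gateway);
  return merchantAccept(merchant);
}
```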

Because of this compounding of the problem with traditional ecommerce solutions, you can no longer just buy shopping cart software that is PCI-DSS compliant and hope you won't be a victim of credit card theft. A huge company like Target or eBay might be able to handle the costs of such an event, but most small to medium sized merchants cannot. By its very nature, if your traditional shopping cart software must be PCI-DSS compliant, it will force your website to be PCI-DSS compliant, your web server to be PCI-DSS compliant, your web hosting facility to be PCI-DSS compliant, and the hosting network to be PCI-DSS compliant. In fact, many merchants are operating a web store, right now, that could be violating PCI, just waiting to be fined or to become a victim of credit card theft. Why? Most merchants are simply unaware. In addition, they are typically hosting using a free or inexpensive website at a low cost web hosting facility, and their web store is co-mingled right alongside another website where security is not a factor, or in a server rack where employees can get to it whenever they want to. According to PCI, you as the merchant are responsible for the security of all those vendors involved. If your store solution is involved in the transfer and storage of cardholder data and subject to PCI-DSS compliance, you are required to know about it. Also, you may be lulled into a false sense of security by an all-encompassing ecommerce model where the web store, website, and web hosting are all at the same company, which is supposedly PCI-DSS compliant. If they had an intrusion into your credit card data, would they really notify you? With SalesCart, you can rest 100% at ease, not only about PCI but about the true security of your customers' credit card cardholder data as well. It never touches your web store, your web site, your web server, or your web hosting network.

PCI Scans/PCI Fees?

In traditional ecommerce solutions, you must also periodically scan your website and web hosting facility because they are involved in the collection, transfer, or storage of credit card cardholder data. Companies that perform these scans charge an additional monthly or yearly fee to run them against your web site. You must either pay these fees directly, or your merchant account provider will collect those fees from you on your behalf to have the scans done. Also, if you don't do the scans or ignore PCI, you will be charged even higher fees to cover those risks.

However, SalesCart does not require such a scan. In fact, with SalesCart your store, web site and web hosting are never even co-mingled. In addition, SalesCart is packaged with the credit card merchant account and gateway, and we do not charge those fees either. You just have to complete the yearly PCI questionnaire. The PCI Self-Assessment Questionnaire is basically where you indicate that you, your web store, your website, and your web hosting never collect, transfer, or store credit cards. The only part of your ecommerce solution that collects, transfers and stores credit card data is the merchant account gateway. All merchant account gateways are PCI compliant by their very nature. So PCI compliance becomes a breeze.

Is your Shopping Cart PCI-DSS Certified?

This is important. SalesCart is the first shopping cart that is out of scope for PCI-DSS certification. Any other shopping cart MUST be PCI-DSS certified before you can use it. According to Practical Ecommerce, shopping carts, which are either "Payment Applications" or "Validated Service Providers" as defined by the PCI standards, must affirmatively pass compliance standards by July 1, 2010. Most shopping cart software simply tells customers it is PCI-compliant, confusing the issue of PCI compliance with PCI-DSS certification. PCI maintains a list of PCI certified applications that you can search. Because SalesCart uses novel new software approaches that remove the software and you from the "transfer" and "storage" of credit card data, it is exempt from PCI-DSS.