If one sells ecommerce software, do you HAVE to be PCI compliant at this point?
I read it costs upwards of 40K to get your ecomm software PCI compliant.
And some of the requirements have things like source code review, which means that your company is larger than 1.
Any thoughts on this?
I guess this industry is locked from 1-man operations?
Per the document on PCI DSS first line is about software developed for off the shelf sales. The answer is yes.
I think you've to be PCI compliant only if you store credit card numbers, in other cases (if you let third party app to manage them) maybe you just want to run penetration test or code reviews just to be safe against crackers break-in.
Remember to check out Owasp material about how to write safe code. You can use also great ESAPI project from Owasp to embed security in you app with great library provided by security specialists. from all around the world.
However being PCI compliant is always a plus but maybe you want to reach the compliance by gentle migration.
Feel free to ask me more details about both penetration test than code reviews.