If one sells ecommerce software, do you HAVE to be PCI compliant at this point?


I read it costs upwards of 40K to get your ecomm software PCI compliant.

And some of the requirements have things like source code review, which means that your company is larger than 1.

Any thoughts on this?

I guess this industry is locked from 1-man operations?

Software Ecommerce

asked Jul 22 '10 at 03:40
Un Startup
162 points

2 Answers


Per the PCI DSS document, the first line is about software developed for off-the-shelf sales. The answer is yes.

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
http://en.wikipedia.org/wiki/PA-DSS

answered Jul 22 '10 at 04:31
John Bogrand
2,210 points
  • well if you are selling/distributing your ecomm software product, I think you HAVE to be PCI compliant. – Un Startup 14 years ago
  • Good point. I don't know what I was thinking. – John Bogrand 14 years ago
  • Please note that the comments are referring to the first answer I provided, which was incorrect. – John Bogrand 14 years ago


I think you have to be PCI compliant only if you store credit card numbers; in other cases (if you let a third-party app manage them) maybe you just want to run penetration tests or code reviews, just to be safe against cracker break-ins.

Remember to check out OWASP material about how to write safe code. You can also use the great ESAPI project from OWASP to embed security in your app, with a great library provided by security specialists from all around the world.

However, being PCI compliant is always a plus, but maybe you want to reach compliance by gentle migration.

Feel free to ask me for more details about both penetration tests and code reviews.

answered Jul 22 '10 at 16:32
118 points
