Answers OnStartups is a question and answer site for entrepreneurs looking to start or run a new business. It's 100% free, no registration required.

There are many open source shopping carts that don't have any PCI compliance certification.

Is it legal to sell/distribute ecommerce related software that isn't compliant?

It makes no sense, since if the source code is modified in any way, you probably have to re-certify the software again, correct?


3 Answers

My understanding of PCI compliance is that the person handling the credit card personal info or storing it needs to be compliant (so PayPal, Google Checkout, etc.).

Do these open source shopping carts take a credit card number, and expect you to run the transaction through the credit card company yourself?

This link sort of gets to the point: http://selfservice.talisma.com/display/2n/index.aspx?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&cat=&catURL=&r=0.644091963768005

It depends on if you "process, store or transmit payment cardholder data".


My understanding is that PCI is from the credit card companies and so is a policy of use and not a legal / illegal thing.


It's not just the Payment Gateways that it covers.

While not a legal thing, there are heavy fines attached to breaches and your ability to take card payments can be revoked which would kill most e-commerce sites.

Think about:

  • Do any staff members process payments over the phone? They can't write down numbers; you have to have processes in place to mitigate this risk.

  • How is data processed? Do you store details in your database or files? Do you hold them in log files (IIS logs/application logs)? How do you send it to the payment gateways? How is error handling done? Does it send emails to support staff with card details?

It is not something to take lightly and you should walk into it eyes wide open!

Steve.

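The answer above asks whether card numbers end up in application logs or error emails. One practical way to check is to scan log output for primary account numbers (PANs) and mask anything found before it is written or sent. The following is an added example, not code from the original post or from any of the shopping carts mentioned: it uses a broad digit-run regex as a first pass, filters candidates with the Luhn checksum to drop order ids, timestamps and phone numbers, and masks hits down to the last four digits. The log lines are constructed for illustration and use the well-known Visa and Mastercard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. The regex is deliberately broad; the
# Luhn check below rejects most timestamps, order ids and phone numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string satisfies the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def is_probable_pan(candidate: str) -> bool:
    """A candidate is treated as a PAN only if its length fits and Luhn passes."""
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(candidate: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    digits = _digits_only(candidate)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, list_of_masked_pans_found_in_this_line)."""
    found = []

    def repl(m):
        if is_probable_pan(m.group(0)):
            masked = mask_pan(m.group(0))
            found.append(masked)
            return masked
        return m.group(0)          # Luhn failed: leave the number alone

    return PAN_CANDIDATE.sub(repl, line), found


def scan_log(lines):
    """Scrub every line. Returns (scrubbed_lines, findings); findings are (line_no, masked)."""
    scrubbed, findings = [], []
    for n, line in enumerate(lines, start=1):
        clean, found = scrub_line(line)
        scrubbed.append(clean)
        findings.extend((n, m) for m in found)
    return scrubbed, findings


# Constructed sample log lines (not from any real system). Line 1 carries a
# 13-digit order id that fails Luhn; lines 2 and 4 carry test card numbers.
SAMPLE_LOG = [
    "2024-03-01 10:15:01 INFO  checkout started order=1234567890123",
    "2024-03-01 10:15:02 DEBUG gateway request: card=4111111111111111 exp=12/26",
    "2024-03-01 10:15:03 ERROR gateway timeout; notifying support",
    "2024-03-01 10:15:04 DEBUG retry with card 5555 5555 5555 4444 (customer phone 555-0100)",
    "2024-03-01 10:15:05 INFO  order complete ref=987654321",
]

if __name__ == "__main__":
    clean, hits = scan_log(SAMPLE_LOG)
    for n, masked in hits:
        print(f"line {n}: cardholder data found, masked to {masked}")
    print("\n".join(clean))
```

Hooking `scrub_line` into a logging formatter or the error-mail sender catches accidental leaks, but it is a safety net, not a substitute for never passing the raw card number through your own code in the first place (which is the point of hosted payment pages and gateway tokenization).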
