MW Supports Cart66


MW Integrated with Cart66 – FINALLY!

It has definitely been a long time coming, and an integration that has been requested by a great many Australian merchants. Cart66 is an eCommerce plugin for the popular blogging software WordPress that enables merchants to “sell electronics, digital downloads, videos, music, web hosting, legal services, collect membership fees, and more.” (Cart66)

Over the past few months we have had an overwhelming number of requests to have the Merchant Warrior Payment Gateway integrated with the Cart66 plugin. The lack of support for an Australian payment processing option made the extremely flexible and popular Cart66 plugin unusable for many Australian merchants.

We feel extremely lucky to have been contacted by Dante Chichizola (@dchichizola), a senior web developer from Macintype Design, who registered his interest in integrating the Merchant Warrior Payment Gateway into the Cart66 plugin.

Thanks to the efforts of Dante, an Australian payment option finally exists for the Cart66 plugin! The plugin can be found at the Merchant Warrior Developer Zone or by clicking here.

We will be contacting the great team at Cart66 to have the plugin available with the professional version of the plugin. We understand they are extremely busy but do hope we manage to get this merged into their development cycle in time for their next release.


CS-Cart Integrates MW


CS-Cart v2.2.1 Release

We are happy to announce that the release of CS-Cart v2.2.1 has support for the Merchant Warrior Payment Gateway.

“CS-Cart is the best shopping cart solution for building an ecommerce website of any size: from a small web store to a virtual shopping mall. A ready storefront, support for many payment and shipping options, full inventory control, unlimited products, promotional tools, and other ecommerce software features out-of-the-box.” (CS-Cart)

We have had a number of merchants request the integration of our Payment Gateway with CS-Cart and we are happy that CS-Cart has decided to include us in their latest release.

A full list of the feature changes in CS-Cart v2.2.1 is available here and here.

PCI DSS v2.0


Each year we have an onsite audit completed by our registered QSA (Securus Global) in order to ensure that all components of our payment platform, including our business processes, are PCI DSS compliant.

Tier 1 PCI DSS v2.0 – Certified!

In August 2010 the PCI SSC announced that the PCI DSS v2.0 would be published in October of 2010. A list of changes that have been made between PCI DSS v1.2 and PCI DSS v2.0 can be found here.

Thanks to the efforts of all staff we have been certified by Securus Global as a Tier 1 PCI DSS v2.0 payment gateway.

Merchants that take advantage of the Merchant Warrior payment platform can rest assured that all products have been thoroughly assessed and will continue to maintain the highest level of compliance.

The introduction of our Token Payments solution (including Tokenized Batch Payments), Transparent Redirect and Hosted Payments has aided a number of organizations in maintaining the highest level of compliance and reducing the costs that are associated with the PCI DSS.

We owe a great deal of thanks to the support that we have received from our acquiring partners (National Australia Bank, Westpac Banking Group, Australia & New Zealand Banking Group Limited, Commonwealth Bank of Australia), our merchants and of course our QSA – Securus Global.

PCI Compliant Yet Again

YOUR Security is OUR Duty

It may not be the most exciting news but it’s definitely worth a mention – last week we were approved as a Tier 1 PCI DSS Compliant Payment Provider again. It’s important for us to mention this to our clients and to the public as we take PCI DSS seriously. Each year we undergo an on-site audit by our professional QSA – Securus Global. Each of our products, services and environments is audited to ensure that our practices are PCI DSS Compliant and that we protect our merchant information in every way possible.

We undergo this on-site audit for three major reasons:

  1. Obviously, it’s a requirement.
  2. We like to ensure that each product and service that we develop meets the requirements of the PCI DSS.
  3. It’s important to us that we provide our merchants with the most secure platform to process transactions under.

It’s no secret that Merchant Warrior is working behind the scenes to produce new technologies to enhance the Payment Industry. However, we do have a few secrets in regards to the products and features which we will be releasing later this year. Our merchants are in for a pleasant surprise! Now that our new features and services have been given the tick of approval all that’s left is intense Quality Assurance and Software Testing before we release these exciting features to the public.

In the meantime I would like to thank Securus Global for completing yet another successful on-site audit with our team. The audit was handled in an extremely professional manner and no disruptions to important schedules took place – and for that we are extremely grateful. Also, to the team – I’d like to thank you for being well prepared and having all in order, making it a simple task for Securus Global to complete the audit. Well done!

For all merchants that would like to view our new certificate of compliance click here.

Now, I mentioned earlier that we take the PCI DSS seriously, and in all honesty we do. But the next comment is directed to the PCI Council – “Why?” – and it relates to the following video, which is available on their website.

Just a warning – you may not take the PCI DSS seriously after you view this video.

PCI Compliance In A Nutshell

What is PCI DSS Compliance?

At some point during the running of your online store you will most definitely be asked some of the following questions: “Are you PCI Compliant?”, “What level of compliance do you adhere to?”, “Have you filled out your Self-Assessment Questionnaire?”. The list can go on, but in order to answer these questions correctly it’s best to know exactly what is being asked, to understand what PCI DSS Compliance is all about, and to understand why it matters to you as a merchant.

Let’s get some of the common questions out of the way in bullet form and then we’ll move onto explanations:

Q: What does PCI DSS Compliance stand for?

A: PCI DSS stands for “Payment Card Industry Data Security Standard” which is governed by the Payment Card Industry Security Standards Council. The PCI DSS is supported by VISA, MasterCard, American Express, Discover & JCB.

Q: Why is PCI DSS Compliance so important?

A: The PCI DSS was created to prevent credit card fraud and to secure the sensitive credit card information that merchants deal with. The idea of the standard is to ensure that merchants are doing their best to protect their customers’ credit card information. The penalties for noncompliance can be deadly to a small business. Noncompliance results in the payment brands (VISA, MasterCard, American Express, Discover & JCB) issuing a fine of between $5,000 and $100,000 per month to the acquiring bank. In most cases the acquiring bank will then pass these fines on to the merchant, terminate the merchant, or increase the merchant’s transaction fees significantly.

Q: Do I need to be PCI DSS Compliant to run an online store?

A: If you process, transmit or store credit card information then you will be required to be PCI DSS Compliant.

Q: I’ve never heard of this and have been running an online business for years with no problems. Is this all just jargon?

A: The payment brands, as well as your acquiring bank, can choose to audit your online business at their discretion. The PCI DSS has been in motion since 2004, and even though banks are often slow movers they are beginning to understand the importance of PCI DSS Compliance. Banks are issued with heavy fines for boarding non-compliant merchants, and it’s in their best interest to protect themselves. It’s always better to protect your customer information as much as possible and also to protect yourself from the penalties that are imposed for noncompliance.

With the common questions out of the way let’s move onto some explanations.

Do I need to be PCI DSS Compliant?

The Payment Card Industry Security Standards Council states that:

“PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.” (PCI Security Standards Council, Article #5378)

The PAN specifically refers to your customer’s credit card number. If your shopping cart or billing software requires you to store the credit card information locally on your own servers then you will be required to follow the PCI DSS requirements. If you are processing or transmitting your customer’s credit card numbers across your network, over the phone or even to a third party provider then you will once again be required to follow the PCI DSS requirements.

A lot of merchants will feel that they do not need to follow the PCI DSS requirements because they do not store any credit card numbers locally on their systems. This is a common misconception and it’s important to understand exactly what “processing” and “transmitting” credit card numbers actually means. A primary example is that of a company that accepts credit card numbers from their customers over the phone. The company may not be storing the customer’s credit card number locally but they are still receiving the credit card number from the customer in an unencrypted form. After the representative receives the customer’s credit card number over the phone they will then (in most cases) enter the credit card number and customer details into a payment application which will send the credit card number directly to a Payment Gateway (such as Merchant Warrior). It is at this point that the merchant is “transmitting” the PAN (credit card number) and as such is still required to follow the PCI DSS requirements.

There are levels of compliance, and it’s important to know which level you fall into. The following table is an extract from the PCI Security Standards Council FAQ:

Level/Tier 1
Merchant criteria: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
Validation requirements:
  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”)
  • Quarterly network scan by an Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level/Tier 2
Merchant criteria: merchants processing 1 million to 6 million Visa transactions annually (all channels).
Validation requirements:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level/Tier 3
Merchant criteria: merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
Validation requirements:
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level/Tier 4
Merchant criteria: merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
Validation requirements:
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

Slow down! What’s a QSA? What’s this SAQ? What’s an ASV?

A QSA is simply a bunch of people who are not very nice. That’s what you’d expect anyway, considering they are auditors. Merchant Warrior were lucky enough to work with Securus Global, who seem to have a bit of life to them and were readily available to assist us in achieving our Tier 1 PCI DSS Compliance. QSAs carry out on-site audits or consultation to help merchants or providers achieve PCI DSS Compliance.

SAQ refers to a Self-Assessment Questionnaire. This is a document which lists the requirements that merchants should be following. The SAQ must be filled in and submitted to either your bank or your QSA for verification. It’s best to check with your bank for exactly what your PCI DSS requirements are, as they change from bank to bank.

ASV – it’s all in the name. An Approved Scanning Vendor simply provides merchants with network scans to make sure that their basic external security is intact. We choose to use McAfee Secure, but there are many other ASVs available and a list can be found here.

There are ways to reduce the risk of credit card fraud and even exclude your online business from being subject to the PCI DSS requirements. We’ll discuss this in the next section but before proceeding it’s important to note that although PCI DSS requirements may not apply to you, you should still secure your network and payment applications to the best of your ability. There is a major difference between being secure and being PCI DSS Compliant.

How can I achieve PCI DSS Compliance?

Merchant Warrior provides merchants with a number of products to help them achieve and maintain the highest level of PCI DSS Compliance. In case you’re wondering what allows us to develop and market PCI DSS Compliant products – it’s the fact that we are a certified level 1 PCI DSS Compliant payment provider. A certificate that verifies this can be found here.

The first step in achieving PCI DSS Compliance is working out exactly what personal customer information your business is required to keep on file. Do you really need to store the credit card details of your customers? If not – then don’t do it. Business owners often like to have as much information on customers as possible, and this is completely understandable, but storing the first and last 4 digits of a credit card number instead of the entire number is more than enough for verification purposes. Where possible, keep your storage of ANY credit card information to an absolute minimum, if any. Some business models or payment applications may require that the credit card number be accessible. Merchant Warrior provides storage facilities such as Token Payments to help merchants access credit card data without the requirement to store the data themselves. Please read the Token Payments page for further details.
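The truncation recommended above (keeping only the first and last four digits) together with a check that stored records no longer hold a full PAN, as an added example that is not Merchant Warrior’s code: it assumes a standard Luhn (mod-10) checksum to tell card numbers from order ids and other digit strings, and the sample records are constructed (the card numbers are the well-known test numbers, not real cards).

```python
import re

def luhn_ok(digits: str) -> bool:
    """Standard mod-10 checksum that every genuine card number satisfies.
    Used to tell PANs apart from order numbers and other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the first and last four digits, as the article suggests.
    The middle digits are replaced, so the stored value is no longer a PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Digit strings in text that look like full card numbers (length and Luhn)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample records: two well-known test card numbers (not real cards),
# one value already truncated, and order ids that are not PANs.
SAMPLE_RECORDS = [
    "order=1234567890123 card=4111 1111 1111 1111 amount=49.95",
    "order=1234567890124 card=4111********1111 amount=12.00",
    "order=1234567890125 card=5555-5555-5555-4444 amount=7.50",
]

def scan_records(records):
    """(record index, PAN) for every full card number found; an empty list
    means the store holds only truncated values."""
    return [(i, pan) for i, rec in enumerate(records) for pan in find_pans(rec)]

if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))   # 4111********1111
    for idx, pan in scan_records(SAMPLE_RECORDS):
        # report the hit with the PAN already truncated, never the full number
        print(f"record {idx} still holds a full PAN: {truncate_pan(pan)}")
```

The same scan can be pointed at application logs or database exports to confirm that nothing outside the token store retains a full PAN.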

So you’ve managed to get storage out of the way. Here’s a quick question to make sure you’re still paying attention – now that you’re no longer “storing” any credit card information, are you PCI DSS Compliant? NO!

It’s time to find out how to avoid “processing” and “transmitting” credit card details. Merchant Warrior has two products which help merchants completely avoid processing or transmitting credit card details. The first of the two products is Hosted Payments. Put simply, Merchant Warrior hosts a payment page on behalf of the merchant, and when customers click the “checkout” or “process” button on the merchant’s website they are redirected to the payment page that we host for the merchant. In this scenario the merchant never accepts or transmits any credit card information, as all of this is handled by Merchant Warrior because the payment page is hosted on our servers.

Right now there will be some merchants saying “Yes. I know about a hosted payment page. I hate it – I want the hosted payment page to be completely re-branded so that it looks like my website and doesn’t cause any confusion or generate any fear for my customers.” We heard you. That’s why with our Custom Development merchants are able to request a completely custom hosted payment page. We’ll design the page exactly as specified to us by the merchant.

Whoops. We’ve forgotten something. Some merchants right now are upset and are saying “I’m not paying for you to design my hosted payment page. I have my own development team and they’re damn good at what they do. Why on earth should I use you? Give me another option.” – Sure. We heard you too. For merchants that are happy to do some easy development themselves we have a Transparent Redirect product, which gives merchants all the benefits of a Hosted Payment Page except that they are able to host the page themselves and have it completely designed as they like. We won’t get into the technical aspects of this product here, or how it achieves PCI DSS Compliance and avoids merchants having to store, process or transmit any credit card data; the Transparent Redirect page explains how this is achieved.

It’s that easy! By choosing Merchant Warrior you can achieve PCI DSS Compliance in a number of ways and keep it simple. We have off the shelf products that can help as well as completely custom designed solutions that can be catered to your exact specifications. If you’re curious about PCI DSS Compliance and require some consultation we’re happy to put you in touch with our amazing QSA – Securus Global.

Please be honest. What do I get from this?

Honesty IS the best policy, so here’s your answer: achieving PCI DSS Compliance for your business should not be a question, it should be a necessity. Customers that deal with PCI Compliant online stores often feel a sense of safety, as they know the merchant is doing what is required to ensure that their credit card information is stored, processed and/or transmitted securely at all times. Your bank will move quicker in establishing your merchant account once they recognize your level of compliance and your willingness to protect your customers. You also avoid the heavy fines that could potentially put you out of business should a breach occur and noncompliance be the reason. All in all, PCI DSS Compliance is not the devil – it’s here to help us, as everyday online shoppers, continue to do what we do freely in a secure environment.

Choosing Merchant Warrior as your PCI DSS companion will ease the process of establishing your business as a PCI DSS Compliant provider.