
hajime

macrumors 604
Original poster
Jul 23, 2007
7,906
1,306
Hi, I want to buy something for about $70 from a local store. Never heard of the name. They don't list their full address. No room number, just the building location. When I asked them for the room number by email, they told me that they don't do pay by cash and pick up in person, as they only take orders through their online store paid by credit card. I told them that I don't use a credit card to purchase from unfamiliar companies, and after I told the manufacturer about their dealer's way of doing business, the store manager said that they are PCI (Payment Card Industry Data Security Standard) compliant and they use Shopify. Thus, they told me that my card information is safe. They also said I could use PayPal as the payment option if I still feel a credit card is not my best option. What do you think? Aren't stores that do not list the full address a bit dodgy?
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,785
3,928
  1. Shopify is no guarantee of anything. Shopify is like a WordPress for e-commerce. It is open to anybody who wants to run an online store. An equivalent statement to what the store told you is "We have a NCR cash register." Or if a taxi driver says, "I use Shell gas."
  2. Using a credit card, assuming you are in the USA, offers more consumer protections than using PayPal. This is because credit card purchases are governed by federal regulations while PayPal transactions are only regulated by PayPal's user agreement or, in some cases, state-level money transmitter rules.
  3. PCI compliance is a basic requirement for accepting credit cards. It doesn't offer any information about a seller's ethics, business practices, or honesty.
 

hajime

macrumors 604
Original poster
Jul 23, 2007
7,906
1,306
  1. Shopify is no guarantee of anything. Shopify is like a WordPress for e-commerce. It is open to anybody who wants to run an online store. An equivalent statement to what the store told you is, "We have a NCR cash register." Or if a taxi driver said, "I use Shell gas."
  2. Using a credit card, assuming you are in the USA, offers more consumer protections than using PayPal. This is because credit card purchases are governed by federal regulations while PayPal transactions are only regulated by PayPal's user agreement or, in some cases, state-level money transmitter rules.
  3. PCI compliance is a basic requirement for accepting credit cards. It doesn't offer any information about a seller's ethics, business practices, or honesty.

Thanks. So basically better not to buy from them.
 

secretk

macrumors 65816
Oct 19, 2018
1,494
1,228
Did they tell you that they are PCI compliant or PCI DSS? I am asking because you mention PCI but you put the full name, which is PCI DSS. PCI DSS is more than basic rules. We are compliant in my company with PCI DSS, and if you apply their rules appropriately, only 1-2 people would have access to the production DB (where your card is stored, and it is stored in an encrypted form). For someone to obtain information that can impact you, they need to know the encryption key, have access to the production DB and have means to decrypt the data.

That being said, nothing is 100% secure. You would still rely on the ethics of the 1-2 people that have access to the production DB. And on the developers to not introduce some bug or omit something in their implementation.
 

hajime

macrumors 604
Original poster
Jul 23, 2007
7,906
1,306
They wrote: "please rest assured that our online store is PCI compliant (Payment Card Industry Data Security Standard). Our online store is hosted on Shopify"
 