Regulatory Considerations for eCommerce Website Owners.

There are some general guidelines and regulations we need to be aware of while starting and running an eCommerce website. For example, in the United States the Federal Trade Commission (FTC) is the primary agency that regulates eCommerce activities; some important guidelines can be found in the link here. The most important parts of regulatory compliance for eCommerce portals are PCI compliance and secure information transfer between the browser and the web server, i.e. SSL certification.

For secure information transfer: you would need to buy an SSL certificate from VeriSign (now part of Symantec) to enable HTTPS transfer of data and information from the browser. Please check out these two links here and here.
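Buying the certificate is only the first step; the certificate actually served has to stay valid, cover the shop's hostname, and be renewed before it expires, or the quarterly scans mentioned below will flag it. The following is an added example (not code from the original post) that performs those checks with Python's standard ssl module. SAMPLE_PEER_CERT is constructed sample data in the dict shape returned by ssl.SSLSocket.getpeercert(); the hostname shop.example.com, the dates and the 30-day renewal threshold are assumptions for the example. check_live_site() applies the same checks to a real server and is not run here.

```python
"""Check an HTTPS certificate for expiry and hostname coverage (added example).

Works on the dict shape returned by ssl.SSLSocket.getpeercert(); the live
helper at the bottom fetches that dict from a real server.
"""
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a
# real certificate; the hostname and dates are assumptions for this example).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}


def hostname_matches(hostname, cert):
    """True if a DNS SAN covers hostname; a '*' stands for exactly one leftmost label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = name.lower().split(".")
        if len(pat_labels) != len(host_labels) or pat_labels[1:] != host_labels[1:]:
            continue
        # Exact leftmost label, or a wildcard that does not cover a whole registrable domain.
        if pat_labels[0] == host_labels[0] or (pat_labels[0] == "*" and len(pat_labels) >= 3):
            return True
    return False


def not_after_epoch(cert):
    """Expiry time as seconds since the epoch (notAfter is given in GMT in this format)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Days left before the certificate expires; negative once it has expired."""
    now = time.time() if now is None else now
    return (not_after_epoch(cert) - now) / 86400.0


def check_peer_cert(hostname, cert, min_days=30, now=None):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if not hostname_matches(hostname, cert):
        findings.append(f"hostname {hostname} is not covered by the certificate's DNS SANs")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < min_days:
        findings.append(f"certificate expires in {days:.0f} days (renew before the next scan)")
    return findings


def check_live_site(hostname, port=443, min_days=30):
    """Connect with chain and hostname verification, then apply the checks above."""
    ctx = ssl.create_default_context()  # system trust store, hostname verification on
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            findings = check_peer_cert(hostname, tls.getpeercert(), min_days)
            if tls.version() in ("SSLv3", "TLSv1", "TLSv1.1"):
                findings.append(f"negotiated {tls.version()}, an early protocol PCI DSS treats as insecure")
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real site use check_live_site().
    print(check_peer_cert("shop.example.com", SAMPLE_PEER_CERT))
```

Run check_live_site() against the shop's own hostname from a scheduled job and treat a non-empty findings list as an alert; that way an expiring or mismatched certificate is caught before the quarterly ASV scan reports it.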

For PCI compliance: if you do not store any customer credit card information on your eCommerce website/servers and have SSL certification, by default your portal becomes PCI compliant. PCI does, however, mandate regular scans (please check this link and the table below).


Level / Tier, merchant criteria and validation requirements:

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
- Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"), or by an internal auditor if signed by an officer of the company
- Quarterly network scan by an Approved Scanning Vendor ("ASV")
- Attestation of Compliance form

Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- Annual Self-Assessment Questionnaire ("SAQ")
- Quarterly network scan by an ASV
- Attestation of Compliance form

Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- Annual SAQ
- Quarterly network scan by an ASV
- Attestation of Compliance form

Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
- Annual SAQ recommended
- Quarterly network scan by an ASV if applicable
- Compliance validation requirements set by the acquirer

We suggest you get a service like the McAfee PCI Certification Service (link here), which helps you regularly complete your Self-Assessment Questionnaire (SAQ), review quarterly vulnerability scans, launch on-demand scans to retest as needed, and even generate the necessary PCI compliance reports and documentation.

(Connecting Dots is an eCommerce Website development Expert and a Magento Implementation Partner based out of Bangalore, India).