> When would an ecommerce site be required to get PCI certified? At what volume of transactions?
My understanding is that you must comply with PCI-DSS if you handle a single transaction. I don't know if certification is ever required, but you may well be liable if you're not certified and you expose cardholder data. By letting someone else handle this, you can process as many transactions as you like without being on the pointy end of the stick. Obviously, at some point it would make financial sense to handle this in-house; I'm not sure where that breaking point would be, though.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330915