July 1, 2010 is quickly approaching. I know this, because I am currently working on a couple of ecommerce projects. One thing that struck me is the number of custom built shopping cart solutions out there. Personally I like these custom solutions, because they can be tailored to the specific needs of a client’s customers. You can support odd configurations and logic that an off-the-shelf solution may not support. The challenge is making sure the solution is compliant with credit card regulations otherwise known as PCI-DSS.
A lot of off-the-shelf and Open Source shopping carts leave it up to the store owner to certify compliance. They try to follow software best practices, such as specified in section 6.5 according to the Open Web Application Security Project Guide. But these guidelines are very detailed and verbose. You could probably blow a clients budget just trying to understand all these guidelines. It really is making custom cart solutions a challenge especially on a tight budget.
Considering this I would focus on making the web site experience a positive one for the client’s customer. Focus on creating great interfaces for browsing and searching products, configuration options, etc. and then use a PCI compliant solution for checkout. This could be a PCI compliant cart like Pinnacle Cart or a hosted solution like Paypal or CRE Loaded. These solutions cost a bit more on a per-order basis, but simplify the implementation, especially for existing carts.
Once you have squared away the cart aspect you’ll need to square things up back at the office and with your hosting provider. Both of those require compliance as specified in section 7&8 and 1 respectively.
For a complete set of requirements see the PCI DSS Prioritized Approach documentation.