PCI Compliance – How You Can Do It (Part 2 of 3)

by Mike Masin on January 18, 2010


Even if you’re a small business with a small number of credit card transactions each year, you may have already heard from your merchant bank or credit card processor about Payment Card Industry (PCI) compliance. PCI compliance is the process of putting in place security processes and systems that protect you, your bank, and your customers from credit card fraud and identity theft, by making sure the way you store and access credit card information limits risk as much as possible.

In Part 1 I discussed the “what” of PCI Compliance. In this second part of my three-part series on PCI Compliance, I’ll tell you how you can simplify PCI compliance if all of your credit card transactions are processed online, e.g. by a shopping cart.

The first step is to determine your PCI compliance level. Compliance requirements depend on the number of transactions your business processes in a year. There are four merchant levels:

  1. Level 1 Merchants process over 6 million credit card transactions each year.
  2. Level 2 Merchants process between 1 million and 6 million credit card transactions each year.
  3. Level 3 Merchants process between 20,000 and 1 million e-commerce transactions each year.
  4. Level 4 Merchants process fewer than 20,000 e-commerce transactions per year, and fewer than 1 million total transactions per year.

Most small businesses fall into the Level 4 category, and that is who this article is intended to help. If your business is Level 3 or higher, your compliance requirements are more involved than I can cover in this post, but more information can be obtained from the PCI Security Standards Council at www.pcisecuritystandards.org.

PCI Compliance Can Be Easy For Level 4 Online Merchants

PCI compliance is much easier if cardholder data is never stored on your own systems. If your shopping cart software is PCI compliant, and your hosting platform is PCI compliant, then your e-commerce store should be able to pass the quarterly external vulnerability scan that PCI compliance requires.

If…

  • you only process credit cards via your shopping cart, and,
  • your store passes a quarterly PCI compliance scan, and,
  • you fill out Self-Assessment Questionnaire A (SAQ A), the questionnaire for card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced (refer to the PCI DSS Self-Assessment Questionnaire (SAQ) Summary, v1.2),

…it’s much easier to be PCI compliant, because the questionnaire you must complete is the shortest one.

Two companies that I work with, and recommend, whose products and services will satisfy the software and hosting requirements for PCI Compliance are:

If you have to keep credit card information on file (for repeat customers or recurring billing), outsource that storage to your payment gateway and let them do the heavy technology lifting to protect the data; your own systems then hold only the gateway’s reference to the stored card, never the card number itself. I suggest that you consider the Authorize.net Customer Information Manager (CIM) and/or Automatic Recurring Billing™ (ARB) products for safe, outsourced credit card storage. (I am an Authorize.net reseller.)
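The whole approach above rests on one claim: that no card numbers sit on your own servers. Card numbers have a way of leaking into order tables, debug logs and support e-mails even when the gateway holds the real record, so it is worth checking rather than assuming. The following is an added example, not code from this article or from Authorize.net: a small scanner that looks for digit runs of card-number length, keeps only those that pass the Luhn check (every real card number does; order numbers and phone numbers almost never do), and reports them masked to the first six and last four digits. The sample records are constructed for the example, and the card numbers in them are well-known Luhn-valid test numbers, not real accounts.

```python
"""PAN discovery scan: confirm that no card numbers have leaked into your own systems."""
from __future__ import annotations

import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes, with no digit
# immediately before or after (so a longer digit run is not split into a false match).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every payment card number passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the de-spaced candidate numbers in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Skip runs of one repeated digit (e.g. all zeros): they pass Luhn but are not cards.
        if luhn_valid(digits) and len(set(digits)) > 1:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Return (record index, masked PAN) for every record containing a likely PAN."""
    hits = []
    for idx, record in enumerate(records):
        for pan in find_pans(record):
            hits.append((idx, mask_pan(pan)))
    return hits


# Constructed sample records (not taken from any real system). The field names are
# made up for the example; the card numbers are well-known Luhn-valid test numbers.
SAMPLE_RECORDS = [
    "2010-01-18 10:01:02 order=1234567890123456 status=captured authnet_profile_id=12345678",
    "2010-01-18 10:03:45 DEBUG checkout form cardNumber=4111111111111111 cvv=123",
    "2010-01-18 10:05:10 customer phone=555-123-4567 zip=90210",
    "2010-01-18 10:07:33 refund for 4012 8888 8888 1881 amount=19.99",
]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: possible PAN {masked}")
```

Run it against exported log files and database dumps; the 16-digit order number and the phone number in the sample are ignored, while the two card numbers are reported. Note that the second record also carries a CVV, which PCI DSS never allows to be stored after authorization, so a hit like that means the logging must be fixed, not just the log purged.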

In Parts 1 and 2 of this 3-part series, I discussed the what and how of PCI Compliance. In Part 3, I’ll tell you why you should be PCI Compliant today even if your bank and/or merchant processor don’t require it yet.

The information in this article is intended as a guide only. Only your PCI Compliance vendor can certify your compliance. Please perform due diligence to ensure that you are meeting compliance standards by reviewing the requirements with the PCI Security Standards Council and your own PCI Compliance vendor.


Mike Masin is an e-commerce developer and owner of atStuff LLC.

Photo by john.d.mcdonald
