Saturday, January 26, 2013

PCI Compliance for Small Businesses

I've researched and written before about PCI compliance for a level 3 vendor (back in 2009); this time I'm trying to see the general situation for small business PCI compliance.

As background, it seems like everyone takes credit cards these days. Between Paypal helping people take credit cards and the little attachments for our smart phones, it seems like a routine activity that does not incur any special obligations or concerns. But this is not true. There are some clear lines that companies cross as they take credit cards for payment. Once these lines are crossed, there are greater legal obligations to maintain security, and greater financial risk.

The rules are developed and described on the website of the PCI Security Standards Council. The council was founded and is run by the credit card companies, specifically American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., to have a joint system for security.

Small Merchants: "You must secure cardholder data to meet Payment Card Industry rules! Small merchants are prime targets for data thieves. It's your job to protect cardholder data at the point-of-sale. If cardholder data is stolen – and it's your fault – you could incur fines, penalties, even termination of the right to accept payment cards!"

I'm in the SAQ category of "card not present": A.

The PCI site then has a self-assessment questionnaire which should be filled out and submitted. Here's a critical part of the intro:
Once filled out, the self-assessment questionnaire should be submitted to the acquirer. My acquirer has never asked for one. It's not clear to me how often I'm supposed to submit it.  And when I've asked around, I've never found another online retailer who has ever heard of or filled out this questionnaire. Any thoughts anybody?
----
Plusbyems, thanks for your great response and the call out. Here's a live link to your post: http://plusbyems.wordpress.com/2013/01/28/in-response-to-our-friends-at-credit-cards-online-101-on-pci-compliance/

1 comment:

Anonymous said...

Enjoy your blog. Read your post from Saturday and put together an answer this morning. Hope it helps!

Here's the link: http://plusbyems.wordpress.com/2013/01/28/in-response-to-our-friends-at-credit-cards-online-101-on-pci-compliance/

Keep up the great work!