5 tips for easy PCI compliance

Meeting the Payment Card Industry's data security standards is challenging for most small businesses

PCI compliance may seem like an arcane art if you're a small merchant, but you ignore it at your peril. Non-compliance with the security standards developed by the Payment Card Industry (PCI) Security Standards Council carries penalties of $5,000 to $100,000 per month.

The PCI Data Security Standard (DSS) and many supporting documents can be downloaded freely from the council's website, but for small businesses without an IT security professional, the requirements can be baffling. There are, however, some things you can do to ease both the compliance process and the security measures it dictates. Though I still suggest hiring a Qualified Security Assessor (QSA), these tips can point you in the right direction.

Don't store any cardholder data

To greatly simplify your required security measures for PCI compliance, don't save or store any cardholder data in written or digital form. Use a card reader, POS, and/or payment processor that doesn't retain this information on your systems so you won't have to worry about protecting and encrypting that data. Check with payment vendors for details on their particular models.

If you need to keep cardholder data for recurring billing or other required business purposes, check with your payment processor to see whether they offer options that let you enter and store the data on their systems. If you must store the data yourself, remember you'll have to follow many more security measures, and you can never store the sensitive authentication data: the full magnetic stripe (track) data, the security code, or the PIN.
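A practical way to check that the rule above is actually being followed is to scan order logs or database exports for data that should not be there. The scanner below is an added example, not code from the article: it looks for Luhn-valid primary account numbers, full magnetic stripe track 1 and track 2 records, and labelled security code or PIN fields, and reports PANs masked to the last four digits. The sample lines are constructed; the field-label list is an assumption you would tune to your own schema.

```python
import re

# Patterns for the data this section says must never be stored (constructed for this example).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digit PAN, spaces/dashes allowed
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")   # full magnetic stripe, track 1
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")                 # full magnetic stripe, track 2
# Security codes and PINs have no checksum, so look for labelled fields (assumed label names).
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops digit runs (order ids, timestamps) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report itself stores no cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_cardholder_data(text: str) -> dict:
    """Return masked PANs, track data counts and any labelled security code / PIN fields."""
    findings = {"pan": [], "track1": 0, "track2": 0, "sad_fields": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["pan"].append(mask_pan(digits))
    findings["track1"] = len(TRACK1_RE.findall(text))
    findings["track2"] = len(TRACK2_RE.findall(text))
    findings["sad_fields"] = [m.group(1).lower() for m in SAD_FIELD_RE.finditer(text)]
    return findings


# Constructed sample: lines of the kind that turn up in an order log or database export.
SAMPLE = "\n".join([
    "2013-04-02 order=1234567890123 amount=49.95 card=4111 1111 1111 1111",
    "swipe raw=;4111111111111111=2512101?",
    "customer note: cvv=123 for the phone order",
])

if __name__ == "__main__":
    print(scan_for_cardholder_data(SAMPLE))
```

Any non-empty finding means cardholder data has leaked into a system you now have to protect; the fix is to stop writing it there, not to encrypt the log.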

Choose a PCI compliant Web host

If you sell products or take payments via your website, choose a PCI compliant Web hosting plan and ecommerce or shopping cart application. Some Web hosting companies publicly post their compliance details on their website, but in many cases you'll have to ask the sales or support department. For ecommerce applications and shopping carts, you can refer to the List of Validated Payment Applications from the PCI council.

You'll likely have a tougher time achieving PCI compliance if you use cheaper shared hosting plans, because each server is divided among multiple website owners. But you may be able to get away with one (even a non-compliant one) if you choose a hosted payment solution, where customers are forwarded to a compliant site to enter their credit card details, such as PayPal Standard, 2Checkout, or Authorize.Net. You may want to consider a hosted payment solution even if your Web hosting plan is compliant, to reduce the security measures you must take yourself. If you'd rather fully integrate the payment process within your site, however, you may have to go with a more expensive virtual private or dedicated server, which are typically PCI compliant.

Use dial-up terminals instead of IP terminals

Dial-up credit card terminals connect to your phone line and communicate with the payment processor much as old 56K modems connected to dial-up Internet. They're slower than IP-based terminals, but they can greatly shrink your Cardholder Data Environment (the computers and components where cardholder information is stored, processed, or transmitted), and with it the security measures you must follow.

No matter what type of credit card terminal or POS system you choose, ensure it's PCI compliant, either via the vendor or by checking the Approved PIN Transaction Security Devices and/or List of Validated Payment Applications from the PCI council. Also check with the vendors on how their terminals work and inquire about those that ease compliance.

Use a separate network for payment processing

If you do use IP-based credit card terminals, it may be easier to have a completely separate network, with its own Internet connection, for payment processing alone. Keeping the rest of the business network out of the Cardholder Data Environment eases the security measures you must take during the initial network setup and those you must follow afterwards to stay PCI compliant.

Secure mobile card readers

For small businesses providing on-site services, mobile card reader solutions like Square, GoPayment, or PayPal Here are very attractive. They offer a quick and easy way to start accepting credit card payments and can be used with smartphones or tablets over a cellular data or Wi-Fi connection. Although the current PCI DSS requirements (version 2.0) don't specifically address mobile card readers, businesses are still required to ensure that these solutions are PCI compliant.

The PCI council has published guidelines for securing mobile payment solutions used with smartphones or tablets. Basically, you should keep the mobile devices physically and digitally secure from theft, unauthorized use, malware, and hacking. Don't jailbreak or root your device, and don't enable other functions that weaken it, like USB Debugging on Android. Install an antivirus app and download apps only from trusted sources like the official app store. And remember that if the mobile devices use a Wi-Fi network under the business's control while running the card reader, that network must be PCI compliant.

Stories by Eric Geier