Credit cards are an easy and convenient way for your customers to pay you; if you are a web merchant, they are virtually the only way. However, there are serious pitfalls you need to be aware of, and securing your customers' credit card data is one of them. There are well defined industry standards for securing this data: the PCI DSS (Payment Card Industry Data Security Standard) is the set of system security requirements designed to protect cardholder data. If you store, process or transmit even one credit card payment, you must make certain that your internal systems and procedures are PCI compliant.

The penalties for non-compliance can be severe, even for the smallest business: up to $10,000 for the first violation plus the potential loss of your ability to accept card payments. The fines are assessed by VISA, MasterCard and the other large card brands, typically against your acquiring bank or processor, which passes them on to you. In addition, card processors sometimes charge monthly non-compliance fees to encourage businesses to comply with PCI DSS. Further, the State of Minnesota passed legislation in 2007 requiring card merchants to reimburse financial institutions in certain instances for the cost of replacing compromised cards.

PCI Compliant – Important Steps

It is not difficult for most small businesses to become PCI compliant. In fact, it makes good business sense to implement most of these security practices even if you are not storing customers’ credit card data. Most of the requirements entail common security practices that all businesses should be employing to protect all sensitive data. Some of these include:

  • Install and maintain a firewall configuration that isolates the systems handling card data from the rest of your network and from the internet.
  • Do not use vendor-supplied default passwords or settings on the firewall or on any other hardware or software; change them before a system goes live.
  • Protect stored cardholder data using encryption, truncation, tokenization or a keyed hash, and never store sensitive authentication data (the CVV/CVC code, full magnetic stripe or chip data, or PIN) after a transaction is authorized, even in encrypted form.
  • Encrypt cardholder data while it is in transit across public networks (for example, TLS on every page and API that carries a card number).
  • Use anti-malware software and keep it current, and apply security patches to all systems and applications promptly.
  • Restrict access to cardholder data on a need-to-know basis.
  • Assign a unique user ID to each person with computer access; never share accounts.
  • Authenticate every user with a strong password, token or other credential, and require multi-factor authentication for remote and administrative access.
  • Restrict physical access to cardholder data, including paper records and backup media.
  • Log and monitor all access to network resources and cardholder data, keep the logs, and review them.
  • Test security systems and processes regularly (vulnerability scans, penetration tests) and fix what they find.
  • Maintain and enforce an effective information security policy.
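As an added illustration of the "protect stored cardholder data" and "log and monitor" items above (example code written for this article, not part of the PCI standard or of any vendor product), the Python below validates a card number, keeps only the masked PAN and a keyed token, refuses to persist the CVV or track data, and scrubs card numbers and CVVs from log lines before they are written. The key constant, the sample checkout record and the log line are constructed placeholders; the card numbers are the public test numbers that payment gateways publish, not real cards.

```python
"""Minimal handling of cardholder data in a merchant system (added example).

Three PCI DSS habits in one place: validate the PAN, persist only a masked
PAN plus a keyed token (never the CVV or track data), and scrub PANs out of
log lines.  Card numbers here are public test numbers; the key is a placeholder.
"""
import hashlib
import hmac
import re

# ASSUMPTION: a real deployment pulls this key from a key manager or HSM and
# rotates it; a hard-coded key makes the token no better than the PAN itself.
TOKEN_KEY = b"demo-key-replace-with-managed-secret"

# Candidate PAN in free text: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv=123", "pin=1234" style fields that must never reach a log.
AUTH_DATA_RE = re.compile(r"(?i)\b(cvv2?|cvc|pin)=\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn check: cheap filter so random digit runs are not treated as PANs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def mask_pan(digits: str) -> str:
    """First six and last four are the most PCI DSS lets you display or keep in clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash usable for lookups (duplicate detection, chargebacks).

    PCI DSS accepts hashing of the full PAN only when it is keyed or salted;
    a plain SHA-256 of a 16-digit number is brute-forceable in seconds.
    """
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_record(record: dict) -> dict:
    """Turn a raw checkout form into the only record you should persist.

    The full PAN, CVV/CVC, track data and PIN from the form are deliberately
    dropped: PCI DSS forbids storing them after authorization, even encrypted.
    """
    digits = normalize_pan(record["pan"])
    return {
        "name": record.get("name"),
        "expiry": record.get("expiry"),
        "pan_masked": mask_pan(digits),
        "pan_token": pan_token(digits),
    }


def redact(text: str) -> str:
    """Scrub PANs and sensitive auth data from a log line before it is written."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only Luhn-valid runs are masked, so order numbers usually survive.
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    text = PAN_RE.sub(_mask, text)
    return AUTH_DATA_RE.sub(r"\1=[redacted]", text)


if __name__ == "__main__":
    # Constructed sample: public test card number, no real cardholder.
    form = {"name": "A. Example", "pan": "4111 1111 1111 1111",
            "expiry": "12/27", "cvv": "123", "track2": "4111...=2712..."}
    print(sanitize_record(form))
    print(redact("2024-05-01 order=1234 card=4111 1111 1111 1111 cvv=123"))
```

The log scrubber is a last line of defence, not a substitute for never logging the checkout form in the first place; a 16-digit order number will occasionally pass the Luhn check and be masked, which is the safe direction to fail.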

Perhaps the best way to deal with the entire issue of credit card data security is to outsource the task. There are PCI compliant SaaS vendors that offer web-based systems to process credit card payments and store the card data on their secure systems. These systems are designed to integrate with a wide variety of accounting systems, including QuickBooks, Sage Software, Microsoft Dynamics and others. If you store no customer credit card data on your systems and the SaaS provider handles the entire card transaction (for example, through a hosted payment page or redirect so the card number never passes through your servers), your PCI DSS reporting requirements are much easier to meet: you typically qualify for the short self-assessment questionnaire (SAQ A) instead of the full one. Outsourcing reduces your scope, but it does not remove your responsibility. Choose a provider that is listed as a validated PCI DSS service provider, obtain its current attestation of compliance, and make sure that no card numbers are keyed into your own spreadsheets, e-mail or accounting files alongside the SaaS system.

If you have questions about PCI compliance or credit card data security, contact Jim Stern at jstern@dsb-cpa.com.


Disclaimer: All content provided in this article is for informational purposes only, and is subject to change. Contact a DS+B professional before using or acting on any information provided in this article.