Online PCI Compliance Simplified for Small Business Owners
If you’ve been researching this very much, by now you are probably thinking, “When is someone going to just give me a straight answer about what I need to do?” Ok, that’s exactly what I’ll try to do.
For small business owners that accept payments online, there are special considerations, and some limitations that you must observe in order to be PCI Compliant. I’m assuming that if you read this, you know that you DO have to be compliant if you accept payments online. If you don’t know that yet, then you just need to know that you can be fined by the CC company, or sued by your customers in the event of a breach of security involving sensitive credit card or debit card data, and in some cases, if you have been warned, you may be held criminally liable as an accessory. Some companies will tell you they can cancel you for non-compliance even if there is no evidence of theft of data.
There are two basic things you need to do:
1. Make sure the WAY you take payments is compliant.
2. Make sure your policies regarding your site management, site access, and site software are compliant.
We’ll tackle the first item first.
The big thing about accepting payments online is HOW you accept payments. And small business owners are prone to taking shortcuts here, thinking that there are shortcuts that will save them money. The issues are not simple – there’s a lot of technical stuff going on here. I’ll try to simplify it, but may not be able to simplify all of it.
There are three ways that site owners typically choose to accept payments online. I’ll list them, along with the costs and risks.
1. Collect credit card numbers online, and then process them offline. To be PCI Compliant, you MUST NOT DO THIS! In fact, if your credit card company finds out you are doing this, they’ll slap you hard. The ONLY time you can do this is if you have a third party hosted shopping cart that is PCI Compliant (so you don’t have to bear the burden of it). Don’t assume it is!
This is NOT the least expensive way to do it, and it is terribly risky. You have to store the credit card numbers on your site, and therefore YOU are responsible for all the associated risks (even if you use a third party hosted shopping cart). It is expressly forbidden by the PCI Compliance rules unless you meet VERY stringent security standards. You can’t. They are too expensive. Think a couple hundred thousand dollars.
If you are collecting credit card numbers online, and processing them (or handing them to someone else for processing, such as a direct sales parent company), STOP. Immediately. To continue to do so is an unacceptable risk, with potential civil, or even criminal penalties if someone else gets hold of those numbers.
If you have a website where numbers are passed to a gateway (Authorize.net, PayPal Pro, etc), then check to make sure that a “store credit card numbers on server” setting is NOT set to ON, ANYWHERE in the site configuration, because if it is, you may be accidentally doing this when you did not mean to.
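One way to make that configuration check repeatable is to scan the cart’s settings for any “store card numbers” style switch that is turned on. The script below is an added example, not code from the article or from any cart product: the INI-style format, the key names and the sample configuration are all constructed for illustration (real carts use their own names, so adjust the pattern to match yours).

```python
"""Audit a shopping-cart configuration for card-storage settings.

Added example, not from the original article: it scans a constructed
key=value style config (the format and key names are assumptions; real
carts use their own names) and reports any setting that looks like
"store credit card numbers on server" and is switched ON.
"""
import re

# Constructed sample configuration, modelled loosely on an INI-style cart config.
SAMPLE_CONFIG = """
[payments]
gateway = authorize_net
store_credit_card_numbers = off
[checkout]
save_card_on_server = 1        ; someone turned this on by accident
[modules.legacy_cod]
store_cc_numbers = yes
[misc]
store_logs = on
"""

# Values a cart is likely to treat as "on".
TRUTHY = {"1", "true", "on", "yes", "y", "enabled"}
# Keys that mention storing/saving card data; the pattern is an assumption
# covering common spellings (store_cc, save_card, retain_pan, ...).
CARD_STORAGE_KEY = re.compile(
    r"(store|save|keep|retain)[_\- ]*(credit[_\- ]*)?(card|cc|pan)", re.IGNORECASE
)


def parse_config(text):
    """Return a list of (section, key, value) from INI-like text; ';' and '#' start comments."""
    entries = []
    section = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append((section, key, value))
    return entries


def find_card_storage_enabled(text):
    """Return ["section.key = value", ...] for every card-storage switch that is on."""
    findings = []
    for section, key, value in parse_config(text):
        if CARD_STORAGE_KEY.search(key) and value.lower() in TRUTHY:
            findings.append(f"{section}.{key} = {value}")
    return findings


if __name__ == "__main__":
    for finding in find_card_storage_enabled(SAMPLE_CONFIG):
        print("card storage ENABLED:", finding)
```

Run it against an export of your cart’s settings; anything it reports is a setting to switch off before the next time a card number passes through the site. Note that an unrelated key such as `store_logs` is not flagged, because the pattern requires a card-related word after the verb.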
2. Use a standard gateway, such as Authorize.net, PayPal Pro, LinkPoint, etc. This option is less risky, and less costly than option #1, but it does have ONE major requirement to it that makes it become costly. You MUST pass quarterly security scans. And those scans will cost you at least $350 per year. This option will not be affordable for most small businesses, in part because of the cost of the scans, in part because of the security enhancements that the scans will tell you that you need.
This option requires PCI Compliant Hosting, a PCI Compliant shopping cart (no, CRE 6.4 does not qualify), and PCI Compliant SSL. These enhancements will prove too expensive for most small businesses.
In this option, credit card numbers are COLLECTED by your cart, then PASSED to the gateway where they are processed. So you are responsible for ensuring that the COLLECTION and PASSING processes are secure.
3. Use a hosted gateway service to process payments. This is similar to Option 2, in that it plugs into your shopping cart to accept payments, but with one HUGE difference: ALL collection and processing take place on the service provider’s site. Your cart is then required to meet reasonable security standards (to keep someone from diverting the traffic to a fraudulent site), but that is all. And MOST carts already have the goal of maintaining that kind of standard security measure.
In this kind of setup, the visitor adds items to the cart, hits checkout, and after reviewing shipping information, is taken to the processor website to finish the transaction. Only the CART CONTENTS are passed to the processor, NOT the financial data, presenting MUCH lower risks.
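The handoff described above can be modelled in a few lines: the cart sends the processor only the order id, amount and cart contents, signed so the processor can tell they were not altered on the way, and card fields never appear in the request. This is an added example, not code from the article or from any real processor; the parameter names, the HMAC signing scheme, the shared secret and the processor URL are all assumptions, since each provider defines its own scheme.

```python
"""Hosted-checkout handoff: only cart contents cross to the processor.

Added example, not from the article or any real processor's API. It models
the redirect described above with a generic HMAC-signed parameter set (an
assumption; each provider defines its own scheme) so the processor can tell
that the amount and order id came from the merchant unaltered.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Shared secret agreed out of band between merchant and processor (constructed value).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
PROCESSOR_URL = "https://processor.example/checkout"  # placeholder host

# Fields that must never be in the handoff: card data stays on the processor's pages.
CARD_FIELDS = {"card_number", "pan", "cvv", "cvc", "expiry", "exp_month", "exp_year"}


def _signature(fields):
    """HMAC-SHA256 over the fields in a fixed (sorted) order; the order is part of the scheme."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_handoff(order_id, amount_cents, currency, items):
    """Merchant side: produce the redirect URL carrying cart contents plus a signature."""
    fields = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "items": ";".join(f"{sku}x{qty}" for sku, qty in items),
        "nonce": secrets.token_hex(8),  # makes each handoff unique
    }
    if set(fields) & CARD_FIELDS:
        raise ValueError("card data must not be sent in the handoff")
    fields["sig"] = _signature(fields)
    return f"{PROCESSOR_URL}?{urlencode(fields)}"


def verify_handoff(url):
    """Processor side: reject any request whose signed fields were altered in transit."""
    fields = dict(parse_qsl(url.split("?", 1)[1]))
    if set(fields) & CARD_FIELDS:
        return False, "card fields present in handoff"
    sig = fields.pop("sig", "")
    if not hmac.compare_digest(sig, _signature(fields)):
        return False, "signature mismatch"
    return True, fields


def with_modified_amount(url, new_amount_cents):
    """Rebuild the URL with a different amount, to show the processor-side check rejects it."""
    fields = dict(parse_qsl(url.split("?", 1)[1]))
    fields["amount"] = str(new_amount_cents)
    return f"{PROCESSOR_URL}?{urlencode(fields)}"


if __name__ == "__main__":
    url = build_handoff("ORD-1001", 4599, "USD", [("SKU-A", 2), ("SKU-B", 1)])
    print("redirect:", url)
    print("genuine handoff:", verify_handoff(url)[0])
    print("altered amount:", verify_handoff(with_modified_amount(url, 1)))
```

The point for the cart owner is the shape of the data, not the signing details: the redirect carries nothing a thief could charge a card with, and the one thing the cart still has to get right (not letting the order be diverted or altered before it reaches the processor) is what the signature and the provider’s own integrity checks cover.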
This kind of system includes the following processors:
- PayPal Standard – when the order is placed, the shopper leaves your site, and goes to PayPal’s website to complete the transaction.
- Authorize.net SIM – Be careful here! Authorize.net has TWO ways that it can be set up – one that falls under the process of option #2, and one that qualifies here. The shopper MUST leave your site before entering in ANY credit card data to fit in this category of risk and cost.
- YourPay Connect – Again, be careful! This service can be set up more than one way. But it CAN be set up to accept payments on THEIR site instead of yours.
- Google Checkout – Takes the visitor to Google’s site to make the payments. NOT RECOMMENDED. Google collects AND USES information regarding your sales, and it DOES affect your site traffic (that is what they are all about). I won’t use this, they really don’t need to be THAT INVOLVED with my business.
- 2CheckOut – Also takes the shopper off of your site to make the payments. Its reputation is questionable; this service is used by a lot of scammers.
- Any other system that takes the shopper OFF your website before any credit card information is entered in.
- This is what CRE 6.4 does, and the category it falls into; it just does not allow you any choice other than its proprietary gateway for transaction processing.
Basically, what you are doing here, is OUTSOURCING the PCI Compliance. You are taking the worst of the headache and letting someone else handle it. Not a bad option. Credit card companies will then typically remove the requirement for quarterly scans, and require only that you fill out a form each year, IF that. If you use only PayPal Standard, or 2Checkout (or a few other all in one systems), you won’t even be required to fill that out.
When you hand the headache back to the credit card company, they can NEVER penalize you on that portion of PCI compliance, because it is THEIR headache, not yours.
A drawback may be that the look and feel of the site changes when shoppers go to the payment processor. This is a common thing though, and generally does not significantly impact sales for small businesses (the equation may be different for big ones). Most systems of this kind (including PayPal) have the ability for you to brand your processor pages with your logo, and to choose between two or more layout options.
If you use this option, we recommend turning it to your advantage – state in your Privacy Policy that payments are not processed on your website, and that it is to protect the sensitive financial information of the shopper. Turn the disadvantage to an advantage.
So, those are your three options, and the rough idea of what is involved in achieving PCI compliance with your shopping cart. There are several other factors which you must also be aware of, to be fully compliant, and they involve things besides just how your cart is set up.
1. Choose software that is updated regularly, and that is not inherently risky. Avoid Resale Rights software for ANY kind of cart functions (TERRIBLY risky!), and avoid creating a shopping cart in FrontPage (it is outdated, and the code it produces is vulnerable), or Dreamweaver (for the same reason). The more popular Open Source carts are usually acceptable, though we cannot recommend OSCommerce or other dinosaurs.
2. You must ensure that security updates are done for your software. Generally this means having a policy to check for and install updates, or contracting this out.
3. You must have a policy for your business that minimizes risks. This policy should include two important elements:
- Avoid sharing site or financial data access with anyone unless there is truly a need, and they are trusted. In other words, don’t be careless with passwords and information.
- Don’t share passwords. Set up individual accounts for anyone who does need access to private information or to the site structure. This allows you to delete users if they leave your employ – very important if they leave with less than positive feelings.
It comes down to minimizing the risks wherever you can.
Much of it is common sense. Meeting the requirements need not be hard. The simplest strategy is this:
- Choose website software that is reasonably safe.
- Use PayPal Standard (or Authorize.net SIM or YourPay Connect if you are in a high end market that does not respond well to PayPal).
- Keep your website software up to date.
- Don’t share passwords, and limit site or hosting access to necessary personnel.
Those four items will pretty much address the need for very small businesses to be PCI Compliant.
Now, there are people who will tell you to get around all this by just having people phone in orders, and take the CC data over the phone. Not only will this pretty much make having a website useless, but this is MORE of a risk, not less, and the Credit Card companies require you to have a PCI Compliant policy for THAT as well.
This consists of security for handling of the CC data. It cannot be written down and left lying around. It cannot be written down by hand, or on a computer, and stored insecurely. Companies that DO this regularly have a secure software program with a payment gateway in it, OR they manually enter numbers into a terminal, so the numbers are NEVER stored in their facilities. They may store a name and last 4, but any storage of data must be secured, no matter WHERE it is.
So even if you don’t want to deal with an online cart, a merchant account demands certain standards of compliance.
If you have needs that dictate functioning beyond the payment options listed, then you will require a fairly high budget to meet them. That is the reality.
But by following these standards, and simplifying your processes, you can meet the need for compliance without additional expense. The expense and demands will only become prohibitive if you move outside the simpler payment options.
DISCLAIMER: This is my interpretation of the basic requirements. There are those who may disagree with my interpretation of it. Your merchant account provider is the final arbiter of precisely what is acceptable and what is not. If I have made any errors in my interpretations, I invite those with superior knowledge to correct me. I will correct and print any validated information which is other than what I have printed here.