Online PCI Compliance Simplified for Small Business Owners

If you’ve been researching this very much, by now you are probably thinking, “When is someone going to just give me a straight answer about what I need to do?” Ok, that’s exactly what I’ll try do.

For small business owners that accept payments online, there are special considerations, and some limitations that you must observe in order to be PCI Compliant. I’m assuming that if you read this, you know that you DO have to be compliant if you accept payments online. If you don’t know that yet, then take my word for it.

There are two basic things you need to do:

1. Make sure the WAY you take payments is compliant.

2. Make sure your policies regarding your site management, site access, and site software are compliant.

We’ll tackle the first item first.

The big thing about accepting payments online, is HOW you accept payments. And small business owners are prone to taking shortcuts here, thinking that there are shortcuts that will save them money. The issues are not simple – there’s a lot of technical stuff going on here. I’ll try to simplify it, but may not be able to simplify all of it.

There are three ways that site owners typically choose to accept payments online. I’ll list those, along with the costs, and risks.

1. Collect credit card numbers online, and then process them offline. To be PCI Compliant, you MUST NOT DO THIS! In fact, if your credit card company finds out you are doing this, they’ll slap you hard. The ONLY time you can do this is if you have a third party hosted shopping cart that is PCI Compliant (so you don’t have to bear the burden of it). Don’t assume it is!

This is NOT the least expensive way to do it, and it is terribly risky. You have to store the credit card numbers on your site, and therefore YOU are responsible for all risks associated (even if you use a third party hosted shopping cart). It is expressly forbidden by the PCI Compliance rules unless you meet VERY stringent security standards. You can’t. They are too expensive. Think a couple hundred thousand dollars.

If you are collecting credit card numbers online, and processing them (or handing them to someone else for processing, such as a direct sales parent company), STOP. Immediately. To continue to do so is an unacceptable risk, with potential civil, or even criminal penalties if someone else gets hold of those numbers.

If you have a website where numbers are passed to a gateway (Authorize.net, PayPal Pro, etc), then check to make sure that a “store credit card numbers on server” setting is NOT set to ON, ANYWHERE in the site configuration, because if it is, you may be accidentally doing this when you did not mean to.

2. Use a standard gateway, such as Authorize.net, PayPal Pro, LinkPoint, etc. This option is less risky, and less costly than option #1, but it does have ONE major requirement to it that makes it become costly. You MUST pass quarterly security scans. And those scans will cost you at least $350 per year. This option will not be affordable for most small businesses, in part because of the cost of the scans, in part because of the security enhancements that the scans will tell you that you need.

This option requires PCI Compliant Hosting, a PCI Compliant shopping cart (no, CRE 6.4 does not qualify), and PCI Compliant SSL. These enhancements will prove too expensive for most small businesses.

In this option, credit card numbers are COLLECTED by your cart, then PASSED to the gateway where they are processed. So you are responsible to ensure that the COLLECTION and PASSING processes are secure.

3. Use a hosted gateway service to process payments. This is similar to Option 2, in that it plugs into your shopping cart to accept payments, with one HUGE difference. That is, ALL collection, and processing, take place on the service provider’s site. Your cart is then required to meet reasonable security standards (to keep someone from diverting the traffic to a fraudulent site), but that is all. And MOST carts already have the goal of maintaining that kind of standard security measure.

In this kind of setup, the visitor adds items to the cart, hits checkout, and after reviewing shipping information, is taken to the processor website to finish the transaction. Only the CART CONTENTS are passed to the processor, NOT the financial data, presenting MUCH lower risks.

This kind of system includes the following processors:

  • PayPal Standard – when the order is placed, the shopper leaves your site, and goes to PayPal’s website to complete the transaction.
  • Authorize.net SIM – Be careful here! Authorize.net has TWO ways that it can be set up – one that falls under the process of option #2, and one that qualifies here. The shopper MUST leave your site before entering in ANY credit card data to fit in this category of risk and cost.
  • YourPay Connect – Again, be careful! This service can be set up more than one way. But it CAN be set up to accept payments on THEIR site instead of yours.
  • Google Checkout – Takes the visitor to Google’s site to make the payments.
  • 2CheckOut – Also takes the shopper off of your site to make the payments.
  • Any other system that takes the shopper OFF your website before any credit card information is entered in.
  • This is what CRE 6.4 does, and the category it falls into.

Basically, what you are doing here, is OUTSOURCING the PCI Compliance. You are taking the worst of the headache and letting someone else handle it. Not a bad option. Credit card companies will then typically remove the requirement for quarterly scans, and require only that you fill out a form each year. If you use only PayPal Standard, or 2Checkout (or a few other all in one systems), you won’t even be required to fill that out.

Drawbacks may be that the site feel changes when they go to the payment processor. This is a common thing though, and generally does not significantly impact sales for small businesses (the equation may be different for big ones). Most systems of this kind (including PayPal) have the ability for you to brand your processor pages with your logo, and to choose between two or more layout options.

If you use this option, we recommend turning it to your advantage – state in your Privacy Policy that payments are not processed on your website, and that it is to protect the sensitive financial information of the shopper. Turn the disadvantage to an advantage.

So, those are your three options, and the rough idea of what is involved in achieving PCI compliance with your shopping cart. There are several other factors which you must also be aware of, to be fully compliant, and they involve things besides just how your cart is set up.

1. Choose software that is updated regularly, and that is not inherently risky. Avoid Resale Rights software (TERRIBLY risky!), and avoid creating a shopping cart in FrontPage (it is outdated, and the code it produces is vulnerable). The more popular Open Source carts are usually acceptable.

2. You must ensure that security updates are done for your software. Generally this means having a policy to check for and install updates, or contracting this out.

3. You must have a policy for your business that minimizes risks. This policy should include two important elements:

  • Avoid sharing site or financial data access with anyone unless there is truly a need, and they are trusted. In other words, don’t be careless with passwords and information.
  • Don’t share passwords. Set up individual accounts for anyone who does need access to private information or to the site structure. This allows you to delete users if they leave your employ – very important if they leave with less than positive feelings.

It comes down to minimizing the risks where you can minimize the risks.

Much of it is common sense. Meeting the requirements need not be hard. The simplest strategy is this:

  • Choose website software that is reasonably safe.
  • Use PayPal Standard (or Authorize.net SIM or YourPay Connect if you are in a high end market that does not respond well to PayPal).
  • Keep your website software up to date.
  • Don’t share passwords, and limit site or hosting access to necessary personnel.

Those four items will pretty much address the need for very small businesses to be PCI Compliant.

If you have needs that dictate functioning beyond those payment options, then you will require a fairly high budget to meet them. That is the reality.

But by following these standards, and simplifying your processes, you can meet the need for compliance without additional expense. The expense and demands will only become prohibitive if you move outside the simpler payment options.

DISCLAIMER: This is my interpretation of the basic requirements. There are those who may disagree with my interpretation of it. Your merchant account provider is the final arbiter of precisely what is acceptable and what is not. If I have made any errors in my interpretations, I invite those with superior knowledge to correct me. I will correct and print any validated information which is other than what I have printed here.

Grow a Garden!

Gardening doesn't have to be that hard! No matter where you live, no matter how difficult your circumstances, you CAN grow a successful garden.

Life from the Garden: Grow Your Own Food Anywhere Practical and low cost options for container gardening, sprouting, small yards, edible landscaping, winter gardening, shady yards, and help for people who are getting started too late. Plenty of tips to simplify, save on work and expense.