3. Becoming ‘PCI Compliant’ If You Accept Credit Cards

Nearly all businesses today accept credit and debit cards as a form of payment. Because sensitive data is collected in connection with these payments, the payment card industry has developed a comprehensive standard to help ensure the security of cardholder account data. This standard is known as the Payment Card Industry Data Security Standard, or "PCI DSS," and is maintained by the PCI Security Standards Council. The PCI DSS applies to every business that stores, processes or transmits cardholder data, regardless of size or transaction volume, and compliance is enforced by the card brands that founded the Council (Visa Inc., American Express, Discover Financial Services, JCB International and MasterCard Worldwide) through their agreements with merchant banks and payment processors.

Getting Started

Ask your merchant bank or third-party payment processor to assist you in determining how your business can best comply with the PCI DSS. Using a third party to process payments does not remove your obligation to comply; it only changes which requirements apply to you. The requirements that apply depend on the type of payment card processing device used, the sophistication of your payment systems, and the cardholder information you collect and store. For example, businesses that use only imprint machines or standalone dial-out terminals, and that do not electronically store cardholder data, need only comply with a subset of the PCI DSS requirements. Businesses using payment systems connected to the Internet or integrated payment applications (for example, PC-based point-of-sale software) must ensure these systems are protected against computer-based attacks, because any system that handles card data is within the scope of the standard.

In This Chapter

Only 10% of US small businesses have a formal Internet security policy.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.