September 25, 2013, 1:30 PM — PCI compliance may seem like an arcane art if you're a small merchant, but you ignore it at your peril. Non-compliance with the security standards developed by the Payment Card Industry (PCI) Security Standards Council carries penalties of $5,000 to $100,000 per month.
The PCI Data Security Standards (DSS) and many other supporting documents can be easily downloaded from the council's website, but for small businesses without an IT security professional, the requirements can be baffling. However, there are some things you can do to ease the compliance process and the security measures it dictates. Though I still suggest hiring a Qualified Security Assessor (QSA), these tips can point you in the right direction.
Don't store any cardholder data
To greatly simplify your required security measures for PCI compliance, don't save or store any cardholder data in written or digital form. Use a card reader, POS, and/or payment processor that doesn't retain this information on your systems so you won't have to worry about protecting and encrypting that data. Check with payment vendors for details on their particular models.
If you need to keep cardholder data for recurring billing or other required business purposes, check with your payment processor to see if they offer options that allow you to input and store the data on their systems. If you must store the data yourself, remember you'll have to follow many more security measures, and you can never store the sensitive authentication data: full magnetic stripe data, the security code, or the PIN.
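One way to verify that your own POS or web-shop logs are not quietly retaining the data this section says you must never keep. This is an added example, not code from the article; the log lines are constructed, the test card number is the well-known 4111... Visa test PAN, and the track-data and field patterns are simplified assumptions about common log formats.

```python
import re

# Constructed sample records, not from the article: the sort of lines a
# small merchant's POS or shopping-cart software might write to a log.
SAMPLE_RECORDS = [
    "2013-09-25 13:30:01 order=20130925133000 pan=411111******1111 status=approved",
    "2013-09-25 13:30:07 order=20130925133001 pan=4111111111111111 cvv=123",
    "2013-09-25 13:30:09 swipe=;4111111111111111=25121011000012345678?",
    "2013-09-25 13:30:12 order=20130925133003 token=tok_9f3a status=approved",
]

# Candidate PAN: 13-19 digits not adjacent to other digits (masked PANs do not match).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Simplified track 1 (%B...^...^...?) and track 2 (;PAN=...?) magnetic-stripe layouts.
TRACK_RE = re.compile(r"(%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d+\?)")
# Security code or PIN written as a labelled field (assumed field names).
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc|cid|pin)\s*[=:]\s*\d{3,6}\b", re.I)


def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_record(line):
    """Return the kinds of cardholder data found in one log line."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track_data")   # full magnetic stripe data: never storable
    if SAD_FIELD_RE.search(line):
        findings.append("sad_field")    # security code / PIN: never storable
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append("pan")      # unmasked PAN: storable only under full PCI controls
            break
    return findings


def scan_records(records):
    """Map record index -> findings, for records that contain cardholder data."""
    report = {}
    for i, line in enumerate(records):
        hits = scan_record(line)
        if hits:
            report[i] = hits
    return report
```

Run this over exported logs before an assessment: any "track_data" or "sad_field" hit is a stop-storing problem, and "pan" hits show which systems are in your Cardholder Data Environment.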
Choose a PCI compliant Web host
If you sell products or take payments via your website, choose a PCI compliant Web hosting plan and ecommerce or shopping cart application. Some Web hosting companies publicly post their compliance details on their website, but in many cases you'll have to ask the sales or support department. For ecommerce applications and shopping carts, you can refer to the List of Validated Payment Applications from the PCI council.
You'll likely have a harder time achieving PCI compliance if you use cheaper shared hosting plans, because of the way the servers are divided among multiple website owners. But you may be able to get away with a shared plan, even a non-compliant one, if you choose a hosted payment solution where customers are forwarded to a compliant site to enter their credit card details, such as PayPal Standard, 2Checkout, or Authorize.Net. You may want to consider a hosted payment solution even if your Web hosting plan is compliant, in order to reduce the security measures you must take. However, if you'd like to fully integrate the payment process within your site, you may have to go with a more expensive virtual private or dedicated server, which are typically PCI compliant.
Use dial-up terminals instead of IP terminals
Dial-up credit card terminals connect to your phone line and communicate with the payment processor similar to the way the old 56K modems connected to dial-up Internet. They're slower than IP-based terminals, but they can greatly reduce your Cardholder Data Environment (the computers and components where cardholder information is stored, processed, or transmitted), thus reducing the security measures you must follow.
No matter what type of credit card terminal or POS system you choose, ensure it's PCI compliant, either via the vendor or by checking the Approved PIN Transaction Security Devices and/or List of Validated Payment Applications from the PCI council. Also check with the vendors on how their terminals work and inquire about those that ease compliance.
Use a separate network for payment processing
If you do use IP-based credit card terminals, it may be easier to have a completely separate network with its own Internet connection for just the payment processing. This can ease the security measures you must take during the initial network setup and those you must follow in the future for staying PCI compliant.
Secure mobile card readers
For small businesses providing on-site services, mobile card reader solutions like Square, GoPayment, or PayPal Here are very attractive. They offer a quick and easy way to start accepting credit card payments and can be used with smartphones or tablets via a cell data or Wi-Fi connection. Although the current PCI DSS requirements (version 2.0) don't specifically address mobile card readers, businesses are still required to ensure that these solutions are in PCI compliance.
The PCI council has published security guidelines for securing mobile payment solutions you use with your smartphones or tablets. Basically you should ensure the mobile devices are kept physically and digitally secure from theft, unauthorized use, malware, and hacking. Don't jailbreak or root your device or enable other functions that can make the device insecure, like USB Debugging on Android devices. Install an antivirus app and download apps only from trusted sources like the official app store. And remember that if the mobile devices are connected to a Wi-Fi network under the business's control while using the card reader, that network must be in PCI compliance.