
Taking credit where credit is due

April 3, 2011 9:00 PM

Dear PropellerHeads: My small business has a web site but we don't take orders over the Web. What do I need to know before taking credit card information online?

A: You need to know three simple letters: TLA. That's Three-Letter Acronym, and you're about to see a lot more of them. See if you can spot them all while I'm gone - BRB!

First, the easy part: Talk to your web design firm or eCommerce consultants about accepting payments from your site. Already have a merchant account for taking credit cards off-line? Then you have a head start. Next you'll select a payment gateway, the online equivalent of a POS (point-of-sale) terminal like you probably already use in your store.

A merchant account and a payment gateway are technically all that's required to get started. From a security perspective, though, there's more involved, and that's no reason to LOL.

That's why the Payment Card Industry (PCI), made up of Visa, MasterCard, and others, developed the PCI Data Security Standard (PCI DSS). The DSS seeks to provide "a robust payment card data security process - including prevention, detection, and appropriate reaction to security incidents." (http://bit.ly/dStzX0)

The DSS lists many rules for securing credit card data, grouped into six main "goals" which apply to you and your site design company.

The first is to keep your network secure, by (for example) installing a firewall and changing the default passwords on your networking equipment.

Second, protect cardholder data. Don't store credit card numbers unless absolutely necessary, and use Secure Sockets Layer (SSL) to encrypt credit card numbers on your checkout page.

Third, manage security vulnerabilities. This means, among other things, keeping your anti-virus software up-to-date.

Fourth, control access to cardholder data. Employees should have restricted access to customer card numbers (on a "need-to-know" basis).

Fifth, monitor and test your security. Monitor access to credit card information, and test your security procedures on a regular schedule.

Lastly, maintain a security policy. Develop a formal policy for employees and contractors. Review it often.
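The second goal (don't store card numbers unless you must) and the fifth (monitor access to card data) come together in practice: the card number should pass through your checkout to the gateway and never land in your database or your log files. The following is an added illustration, not code from this column, from the PCI Council or from any gateway; the gateway token (`tok_...`) is a placeholder standing in for whatever opaque reference your real gateway returns, and the log line is constructed for the example.

```python
"""Keeping card numbers out of storage and logs.

Added example for this column (not the column's own code, nor the PCI
Council's, nor any gateway's).  It shows three habits the DSS goals call
for: validate the number before sending it on, keep only a gateway token
and the last four digits, and scrub anything that looks like a card
number out of log lines before they are written.
"""
import re
from dataclasses import dataclass


def normalize_pan(raw: str) -> str:
    """Strip spaces and hyphens; return '' if anything but digits remains."""
    cleaned = raw.replace(" ", "").replace("-", "")
    return cleaned if cleaned.isdigit() else ""


def luhn_valid(raw: str) -> bool:
    """Luhn check-digit test for a 13-19 digit card number.

    This catches typos before a number is sent to the gateway; it says
    nothing about whether the card is real or the customer owns it.
    """
    pan = normalize_pan(raw)
    if not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:              # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Render a card number for display or logging: only the last four survive."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredOrder:
    """What the merchant's own database keeps about a payment: no PAN field."""
    order_id: str
    gateway_token: str   # opaque reference issued by the gateway (assumed format)
    last4: str           # enough for receipts and customer service


def record_order(order_id: str, raw_pan: str, gateway_token: str) -> StoredOrder:
    """Validate the number, then keep only the token and last four digits."""
    if not luhn_valid(raw_pan):
        raise ValueError("card number fails Luhn check")
    return StoredOrder(order_id, gateway_token, normalize_pan(raw_pan)[-4:])


# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_log_line(line: str) -> str:
    """Redact Luhn-valid card-number-shaped runs before a line reaches a log.

    Order ids, dates and amounts are left alone because they are too
    short or fail the check digit; a genuine PAN is masked.
    """
    def redact(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate

    return PAN_CANDIDATE.sub(redact, line)


if __name__ == "__main__":
    # Constructed sample: a test number, not a customer's card.
    order = record_order("1042", "4111-1111-1111-1111", "tok_example_placeholder")
    print(order)
    noisy = "2011-04-03 21:00:12 checkout order=1042 card=4111 1111 1111 1111 amount=19.99"
    print(scrub_log_line(noisy))
```

Note that `mask_pan` and `scrub_log_line` are the defensive half of this: the point is that a card number written to a debug log is stored cardholder data just as much as one in a database column, and the scrubber keeps that from happening by accident.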

The benefits of following the DSS recommendations are obvious. Securing cardholder data promotes trust among customers and business partners by reducing the likelihood of fraud (and, specifically, your liability).

Adhering to these rules does not free you entirely from security concerns, but following the policies will make your company more secure than not following them. This will decrease your exposure to fines and lawsuits (AKA "lawyer IOUs").

Also, it's possible that credit card companies will revoke your account (and you will lose the ability to take credit card payments) if card data under your control is stolen and you are found to have ignored reasonable security measures.

Despite the PCI's good intentions, the DSS requirements can be both confusing to understand and expensive to implement. Some believe that they are too onerous and that their main purpose is to generate business for security consultants, so they can purchase more barbecue.

The good news for you is that the level of compliance required by the PCI is tied to the size of your business. Smaller companies have fewer requirements to meet, are assessed less often, and in general have an easier time following the DSS rules (http://bit.ly/fSL3S1).

In fact, if you process a small enough number of credit card transactions every year, you might be able to claim PCI compliance solely by filling out a Self-Assessment Questionnaire (SAQ). By contrast, larger companies must have their security procedures audited by an independent Qualified Security Assessor (QSA).

Lastly, you might avoid some of these responsibilities by sending your customers through a third-party payment service during checkout. PayPal (paypal.com), Google Checkout (checkout.google.com), and Amazon (payments.amazon.com) are popular choices.

For more information about PCI compliance, see their web site at http://bit.ly/eWs9Ee or visit http://bit.ly/h4dB00 for a lengthier overview, including criticisms. Both are available on my favorite TLA, the WWW.

When the PropellerHeads at Data Directions aren't busy with their IT projects, they love to answer questions on business or consumer technology. Email them to questions@askthepropellerheads.com or contact us at Data Directions, Inc. 8510 Bell Creek Road, Mechanicsville, VA 23116. Visit our website at www.askthepropellerheads.com.