
How to become PCI compliant
23 July, 2008 By Vanessa Ho

PaySimple, which provides an on-demand Software-as-a-Service (SaaS) platform that enables small businesses to bill, collect and manage their customer payments, offers some recommendations on how small- and medium-sized businesses (SMBs) can comply with new and existing PCI standards, and explains how it can help SMBs do so.
"PCI standard is an evolving process and every quarter they introduce a tightening of the belt [where they] keep getting strict on what people can or can't do in the interest of protecting the card holder or customer data," said Jeremy Segale, vice-president of operations with PaySimple.
One of the new standards that PCI introduced on June 30 was Best Practice 6.6 of the PCI Data Security Standard (DSS). The regulation requires merchants dealing with debit and credit cards to tighten their security by both conducting application code reviews and installing web application firewalls.
"As hackers get more sophisticated, you have to take more sophisticated steps to protect the data that you are storing," said Lisa Hephner, vice-president of technology with PaySimple. "PCI is not something that is stagnant, but it is growing with the industry and reacting to the environment."
Best Practice 6.6 of the PCI Data Security Standard was put forth by the PCI Security Standards Council, which issues, maintains and enforces the PCI security standards governing payment account data security, to which all corporations that deal with payment cards must adhere. However, according to PaySimple, small businesses across industries are struggling to comply with the Council's standards, which are designed to protect consumers' personal data.
SMBs struggle in this area because they are more concerned with running the day-to-day operations of their company and don't have the IT resources to implement, deploy and manage an in-house solution that would help them be PCI compliant. If they are not compliant, they are at risk of losing their merchant account.
A company such as PaySimple can help with this, as it has been certified PCI DSS compliant and assures that its system meets all the requirements demanded of a PCI-compliant third-party payment processing system.
Hephner added that because PaySimple uses a SaaS solution, it takes the burden off the SMB to be PCI compliant and places it on PaySimple.
"As soon as a merchant installs software on their own system they are then immediately responsible for making sure all their systems are secure and their ability to be PCI certified is considerably more onerous and cumbersome to them," noted Hephner. "By providing a SaaS application, SMBs never have to store anything on their own environment; we store 100 per cent of everything."
She further explained that when SMBs outsource PCI compliance to a company like PaySimple, the provider takes on the onus of being PCI compliant by running intrusion detection systems, doing comprehensive monitoring, encrypting data and going through rigorous penetration testing.
However, Hephner said that as much as the onus is on them, SMBs still have to take appropriate precautions to protect their customers' credit card information.
Segale advised SMBs not to store credit card information insecurely, and to take precautions against ordinary viruses and hackers by installing intrusion detection systems, anti-malware and anti-virus solutions, and keeping them up to date and patched. He also recommended that companies not e-mail out confidential or proprietary information.
Hephner added that SMBs also need to establish their own security policies, such as not sharing passwords with anyone, as this is something PCI looks for. She also said that a lot of common sense is needed for SMBs to be PCI compliant -- like not writing credit card numbers on a piece of paper and leaving them lying around in the open.