PCI Compliance is a code that covers all participants in the Payment Card Industry, to ensure that customer card data remains secure as it passes through the card payment network. For card processors and equipment manufacturers who are responsible for handling and storing large amounts of card data, it’s a big deal, and the regulations are fearsome, but there are also important points for the merchant to consider too.
If you’re a small business, there a few simple checks and processes that you can follow to ensure that you are compliant. You’ll need to make sure that you demonstrate to your merchant service provider that you’re compliant – otherwise you’ll find yourself being charged an extra monthly fee to cover the risk. Most merchant providers will have a simple PCI self-assessment form and checklist – make sure you complete that, and save yourself an unnecessary fee. And of course, if you follow the guidelines, you're also protecting your business from the risk of fraud.
If you’re collecting any card details on your own web servers, they need to be PCI certified, which is beyond the scope of this article. However, most small businesses will pass online transactions direct to a payment gateway, so the customers’ data is never actually seen by the merchant’s server. You just need to make sure that your payment gateway and any other software is PCI compliant.
If you’re taking orders over the phone, what do you do with the customer’s details? Do you scribble them down on a bit of paper, or do you type them straight into your terminal? Obviously the best and most secure way to take phone payments is to enter the data straight into your terminal or online portal, but if you do find that you have to write details down, they must be kept securely, used as quickly as possible, and then must go straight into the shredder.
Ensure that all office PCs are fully password protected and that virus-checks are in place, that your wireless network is encrypted and password secured, and that your main router is firewalled. Do not share card portal logins and passwords between employees.
If a customer has to pay by sending card details on a written form, then make sure that the form includes a place for the customer’s signature. Any paperwork must be stored securely for a length of time agreed with your acquirer , as you’ll need to produce the signed form if a customer disputes a transaction. This is undoubtedly the least secure form of card processing, and you shouldn’t use it unless you absolutely have to.
Ensure that your card payment terminal is PCI compliant, that any wireless routers are fully password protected and encrypted and that all your network has a robust firewall. Regularly check all your terminals to ensure that they haven’t been tampered with, and keep all staff regularly trained on card payment procedures. If you find yourself having to take a manual payment with an imprinter, ensure that the customer has signed the sales slip, and keep your sales slips securely stored as per your acquirer’s instructions – as with mail order forms, you will need to produce your copy of the signed sales voucher if the customer disputes the transaction.
The PCI Security Standards Council website has a very helpful guide for small businesses: https://www.pcisecuritystandards.org/smb/