
Ecommerce: PCI Compliance

April 28, 2009

Now that you have decided to sell online, you may come across a situation where it seems necessary to hold onto your customers' credit card information. I would strongly recommend that you do not do this unless it is absolutely necessary, but I understand that some business models do call for it. Even then, there is one hard limit: the card security code (the three or four digits on the card), full magnetic-stripe data and PINs may never be stored after a transaction has been authorized, whatever your business model.

The reason I discourage this is that the major card brands jointly maintain a standard called PCI DSS, the Payment Card Industry Data Security Standard. In short: if you accept their cards and hold onto cardholder data, you are responsible for keeping it secure. If it leaks, the card brands and your acquiring bank can hold you liable for the fraudulent charges, plus fines, if they find that you were not handling the data properly. The fact that someone hacked your system is not a defence; if the required controls were missing, the breach is still your problem. Below are the main things the standard requires of you.

#1: You are required to keep a secure network.

Larger businesses generally do this anyhow, but smaller ones frequently overlook it. For example, you may not simply keep the information in an Excel file on a personal computer that sits on the internet with no firewall or other protection. In PCI terms a secure network means, at minimum, a properly configured firewall between your systems and the internet and no vendor-supplied default passwords left on any device or software. When this information sits on an unprotected computer connected to the internet, you risk having that computer hacked and the information stolen. You then become the source of the problem and could be liable for the fraudulent charges on those cards.

#2: You have an obligation to protect the information.

Suppose your network is secured against outsiders, but every employee on it can reach the card data. That is still considered non-compliant. The information should be available only to the people whose job actually requires it; if you have employees, restrict their access on that need-to-know basis rather than giving it to everyone by default.

This goes a step further for online transactions. When you accept a card over the web, the card data must be encrypted in transit with strong cryptography, which in practice means SSL/TLS between the customer's browser and your server, and again between your server and your payment processor. The "128-bit" figure you will see quoted refers to the symmetric session key negotiated by SSL/TLS, not to the certificate itself; what matters is that weak ciphers and old protocol versions are disabled. If you keep the card number afterwards, it must also be rendered unreadable wherever it is stored (by truncation, a one-way hash based on strong cryptography, or strong encryption with proper key management), and whenever it is displayed it must be masked to at most the first six and last four digits.
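The following is an added example, not code from the original post or from any shopping-cart product. It shows one way to handle a card number at the point where an application would otherwise store it: validate it, keep only the masked display form, and keep a keyed one-way reference for "have we seen this card before" lookups so that the full number never reaches a database, log or spreadsheet. The card numbers are published test numbers plus a made-up one, the key is a placeholder, and the function names are mine.

```python
import hashlib
import hmac
import re

# Constructed sample input for this example (not from the original post).
# Two are well-known *test* card numbers that belong to nobody; the third is a
# made-up string that fails the checksum. The key is a throwaway placeholder.
SAMPLE_CARDS = {
    "visa_test": "4111 1111 1111 1111",
    "mc_test": "5500-0000-0000-0004",
    "typo": "1234 5678 1234 5678",
}
DEMO_KEY = b"placeholder-key-fetch-the-real-one-from-key-management"


def normalize_pan(raw):
    """Strip spaces and dashes; return the digit string, or None if not 13-19 digits."""
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19:
        return None
    return digits


def luhn_ok(digits):
    """Luhn checksum: catches mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(raw):
    """Return the normalised PAN, or None when it fails the length or Luhn check."""
    digits = normalize_pan(raw)
    if digits is None or not luhn_ok(digits):
        return None
    return digits


def mask_pan(digits):
    """Display form: first six and last four digits at most (PCI DSS requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(digits, key):
    """Keyed one-way reference for lookups such as 'has this card been used before?'.

    A plain, unkeyed hash is not enough here: with the first six and last four
    digits visible in the masked form, only six digits of a 16-digit PAN are
    unknown, so an attacker holding the hashes could try every candidate and
    match them in seconds. HMAC with a secret key removes that shortcut, as
    long as the key is kept apart from the hashes (a hardware security module,
    a separate key server, or at minimum a file only the application can read).
    """
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(raw, key):
    """What the application is allowed to keep: masked PAN plus keyed reference.

    The full PAN is never part of the return value, so it cannot accidentally
    end up in a database column, log line or spreadsheet. Returns None on
    invalid input.
    """
    digits = validate_pan(raw)
    if digits is None:
        return None
    return {"masked": mask_pan(digits), "ref": pan_reference(digits, key)}


if __name__ == "__main__":
    for name, raw in SAMPLE_CARDS.items():
        print(name, prepare_for_storage(raw, DEMO_KEY))
```

If you genuinely need the full number back later (recurring billing, refunds), this reference is not enough; that is the case for strong encryption with a managed key, or better, for letting your payment processor hold the card and hand you a token.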

#3: There must be a vulnerability management program

This primarily means keeping everything patched and up to date. There is no shortage of people who make a hobby of working their way around firewalls and anti-virus protection, and new flaws in operating systems, web servers, shopping-cart software and the like are published constantly. Anti-virus software must be installed on the systems commonly affected by malware and kept current with regular updates, and you must apply security patches to all of your software in a timely fashion; the standard expects critical patches to be installed within a month of release. If you write or customise your own shopping-cart code, developing it securely (input validation, protection against SQL injection and cross-site scripting) falls under the same objective. The sad part is that this is an ongoing battle: a system that is not kept current is an open door for malware that can infect your computers and leak cardholder data.

#4: Monitoring the Network and Information is a requirement

You are not allowed to simply set it up and forget about it. You are required to track and monitor all access to cardholder data. Each person who accesses the data must log in with a unique identifier, so that every action can be traced to one individual; shared accounts such as "admin" defeat this. You need to log who accessed the data, at what time, from where and what they did, review those logs regularly, and keep them (the standard requires at least a year of history, with the most recent three months immediately available). This can be rather involved, especially when several people have access. The same logs are what let you spot activity that has nothing to do with your business, such as an account you do not recognise reading records or a burst of failed access attempts, and catch it before it becomes a huge problem. The same objective also requires regular testing: quarterly external vulnerability scans by an approved scanning vendor and at least an annual penetration test.
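To make the monitoring requirement concrete, here is an added example of a log review, not code from the original post. It reads a small audit trail of cardholder-data accesses that I constructed for this example and flags the things the paragraph above is about: use of a shared account, an account outside the need-to-know list getting at data, access from outside the office network or outside business hours, a bulk export, and a burst of denied attempts. The log format, the list of authorised users, the office network range and the thresholds are all assumptions for the sample business.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not from the original post). Assumed format,
# one event per line: timestamp, user id, source IP, action, record, outcome.
SAMPLE_AUDIT_LOG = """\
2009-04-28T09:12:01 alice 10.0.1.15 VIEW card:1042 OK
2009-04-28T09:15:44 bob 10.0.1.22 VIEW card:1043 OK
2009-04-28T09:16:02 admin 10.0.1.22 EXPORT card:* OK
2009-04-28T02:03:10 alice 203.0.113.9 VIEW card:1050 OK
2009-04-28T10:00:01 mallory 10.0.1.40 VIEW card:1042 DENIED
2009-04-28T10:00:02 mallory 10.0.1.40 VIEW card:1043 DENIED
2009-04-28T10:00:03 mallory 10.0.1.40 VIEW card:1044 DENIED
2009-04-28T10:00:04 mallory 10.0.1.40 VIEW card:1045 DENIED
2009-04-28T10:00:05 mallory 10.0.1.40 VIEW card:1046 DENIED
2009-04-28T10:00:06 mallory 10.0.1.40 VIEW card:1047 DENIED
"""

# Assumptions for the sample business: who is on the need-to-know list, which
# accounts are shared (and so not attributable to one person), what the office
# network looks like, what counts as business hours, and how many denials in
# one review window are worth a look.
AUTHORIZED_USERS = {"alice", "bob"}
SHARED_ACCOUNTS = {"admin", "root", "sa"}
INTERNAL_PREFIX = "10.0."
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
DENIED_THRESHOLD = 5

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (OK|DENIED)$")


def parse_audit_log(text):
    """Turn the raw log into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count these too: gaps in a log are a finding
        ts, user, ip, action, record, outcome = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "action": action,
            "record": record,
            "outcome": outcome,
        })
    return events


def review_access(events):
    """Return a list of (finding, user, detail) tuples for a reviewer to follow up."""
    findings = []
    denied = Counter()
    for e in events:
        when = e["ts"].isoformat()
        granted = e["outcome"] == "OK"
        if e["user"] in SHARED_ACCOUNTS:
            # Cannot say which person did this: violates the unique-ID rule.
            findings.append(("shared-account", e["user"], when))
        elif granted and e["user"] not in AUTHORIZED_USERS:
            findings.append(("access-outside-need-to-know", e["user"], when))
        if granted and not e["ip"].startswith(INTERNAL_PREFIX):
            findings.append(("external-source", e["user"], e["ip"]))
        if granted and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", e["user"], when))
        if granted and e["action"] == "EXPORT":
            findings.append(("bulk-export", e["user"], e["record"]))
        if not granted:
            denied[e["user"]] += 1
    for user, n in denied.items():
        if n >= DENIED_THRESHOLD:
            # Many denials in a row look like someone probing record IDs.
            findings.append(("repeated-denials", user, str(n)))
    return findings


def finding_counts(findings):
    """Summary by finding type, handy for a daily report."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for finding in review_access(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(*finding)
```

Against the sample log this raises five findings: the "admin" export is both a shared account and a bulk export, alice's 02:03 access from a public address is flagged as external and off-hours, and mallory's six denials trip the threshold. Whether each one is a problem is for a person to decide; the point is that none of them would be visible at all without per-user logging and someone reading the log.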

#5: You must maintain a security policy

When you hire employees, you must have a written security policy, make them aware of it and have them sign it; it should state the importance of keeping this information secure and what each person is responsible for. This is particularly necessary for anyone who will be handling credit card information. They should know and understand the responsibility they have to keep cardholder data secure, and the policy itself should be reviewed at least once a year and whenever your business changes.
