Keeping Online Payments Safe

Security standards might make you rethink your payment system.

This story appears in the February 2007 issue of Entrepreneur.

Ever hear of the Payment Card Industry Data Security Standard? Get to know it because not complying with the PCI DSS could cost you big bucks.

The PCI standard, a requirement since 2001 that's increasingly being enforced among growing businesses, is intended to help organizations protect customer account data. It includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Under the PCI DSS, American Express, MasterCard, Visa and other credit card associations mandate that merchants and service providers meet certain minimum security standards when they store, process and transmit cardholder data.

Merchant banks whose retailers don't comply with the PCI standard could be fined up to $500,000--and banks typically pass along penalties. Noncompliant merchants also face losing their card-acceptance privileges. Many smaller e-tailers aren't even aware they're out of compliance with PCI until they seek out a payment processor. It can be confusing.

"While merchants should be complying with the standard now, it's going to be [several] months before the card brands start enforcing PCI compliance for the [smaller] merchants, and when they do, it will be more rational than it is now," says Avivah Litan, vice president and director of research at Gartner Inc. in Stamford, Connecticut. "It will be clearer what [smaller merchants] will have to do. They are not going after these guys and fining them now. They are trying to be rational."

Complying with PCI might seem like a hassle, but not complying could bring even bigger headaches, says Martin Elliott, vice president of emerging risk for Visa USA. "The brand damage that can occur to a merchant if their customers' data is compromised can be far more damaging than fees or fines that Visa may assess," he says, offering these tips for complying with the standard.

1. Establish a policy on data retention that minimizes the time you hold data. If you don't need data, delete it.
2. Know where your data is stored. Software can save data in places you may not be familiar with.
3. Store only essential data--such as cardholder name, account number and expiration date--and destroy all obsolete cardholder data.
4. Use only vendors that are also PCI-compliant.
5. Make sure your payment application follows Visa's "Payment Application Best Practices," available on Visa's PCI DSS website.
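The first three tips (hold data no longer than needed, know where it is stored, keep only what you need) are practices a merchant can check mechanically. The script below is an added example, not code from the article, from Visa or from the PCI Security Standards Council. It scans text files for card-number-shaped digit runs, keeps only those that pass the Luhn check (which weeds out order IDs and timestamps), reports them masked to first six and last four digits, and separately lists stored records whose capture date is older than a retention window. The file paths, log lines and records are constructed for the example; the retention window and the file set are assumptions a real deployment would replace.

```python
import re
from datetime import datetime, timedelta, timezone

# Digit runs of 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other digits. This is the "candidate" shape of a PAN.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only first six and last four digits, so reports are safe to store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str):
    """Return (source, line number, masked PAN) for each Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((source, lineno, mask_pan(digits)))
    return findings


def scan_files(files: dict):
    """Scan a mapping of path -> file contents (read from disk in practice)."""
    results = []
    for path, contents in files.items():
        results.extend(find_pans(contents, path))
    return results


def records_past_retention(records, retention_days: int, now: datetime):
    """IDs of stored records captured before the retention cutoff (purge list)."""
    cutoff = now - timedelta(days=retention_days)
    return [r["id"] for r in records if r["captured_at"] < cutoff]


# Constructed sample files: a debug log that leaked a full PAN, a declined
# card that fails Luhn, a 16-digit order ID, and a stray CSV export.
SAMPLE_FILES = {
    "app/logs/debug.log": (
        "2007-02-01 10:00:01 INFO order 1234567890123456 created\n"
        "2007-02-01 10:00:02 DEBUG authorize request card=4111111111111111 exp=0309\n"
        "2007-02-01 10:00:03 DEBUG declined card=4111111111111112\n"
    ),
    "tmp/export.csv": "jane doe,5555 5555 5555 4444,01/08\n",
}

# Constructed stored records with capture timestamps (hypothetical data).
SAMPLE_RECORDS = [
    {"id": "txn-001", "captured_at": datetime(2006, 10, 1, tzinfo=timezone.utc)},
    {"id": "txn-002", "captured_at": datetime(2007, 1, 20, tzinfo=timezone.utc)},
]
RETENTION_DAYS = 90  # assumed policy value; set from your own retention policy


if __name__ == "__main__":
    for source, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"cardholder data found: {source}:{lineno} {masked}")
    now = datetime(2007, 2, 1, tzinfo=timezone.utc)
    for rec_id in records_past_retention(SAMPLE_RECORDS, RETENTION_DAYS, now):
        print(f"past retention, delete: {rec_id}")
```

The scanner deliberately reports masked values only, so its own output does not become another place where full card numbers sit on disk. Run it over log directories, temporary folders, database dumps and backups, the places tip 2 warns about, and treat every hit as data to remove or move under proper controls.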

Melissa Campanelli is a marketing and technology writer in New York City.
