Keeping Online Payments Safe

Security standards might make you rethink your payment system.

This story appears in the February 2007 issue of Entrepreneur.

Ever hear of the Payment Card Industry Data Security Standard? Get to know it because not complying with the PCI DSS could cost you big bucks.

The PCI standard, a requirement since 2001 that's increasingly being enforced among growing businesses, is intended to help organizations protect customer account data. It includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Under the PCI DSS, American Express, MasterCard, Visa and other credit card associations mandate that merchants and service providers meet certain minimum security standards when they store, process and transmit cardholder data.

Merchant banks whose retailers don't comply with the PCI standard could be fined up to $500,000--and banks typically pass those penalties along to the merchant. Noncompliant merchants also face losing their card-acceptance privileges. Many smaller e-tailers aren't even aware they're out of compliance with PCI until they seek out a payment processor. It can be confusing.

"While merchants should be complying with the standard now, it's going to be [several] months before the card brands start enforcing PCI compliance for the [smaller] merchants, and when they do, it will be more rational than it is now," says Avivah Litan, vice president and director of research at Gartner Inc. in Stamford, Connecticut. "It will be clearer what [smaller merchants] will have to do. They are not going after these guys and fining them now. They are trying to be rational."

Complying with PCI might seem like a hassle, but not complying could bring even bigger headaches, says Martin Elliott, vice president of emerging risk for Visa USA. "The brand damage that can occur to a merchant if their customers' data is compromised can be far more damaging than fees or fines that Visa may assess," he says, offering these tips for complying with the standard.

1. Establish a policy on data retention that minimizes the time you hold data. If you don't need data, delete it.
2. Know where your data is stored. Software can save data in places you may not be familiar with.
3. Store only essential data--such as cardholder name, account number and expiration date--and destroy all obsolete cardholder data.
4. Use only vendors that are also PCI-compliant.
5. Make sure your payment application follows Visa's "Payment Application Best Practices," available on Visa's PCI DSS website.

Melissa Campanelli is a marketing and technology writer in New York City.
