
Business Owners Must Embrace New PCI Standard To Keep E-Commerce Flowing

Though intended to bolster security and confidence in e-commerce transactions, the new Payment Card Industry standard also requires a significant investment from most businesses.

By Paul Korzeniowski

While most businesses have done an adequate job of protecting customer information, there have been a number of high-profile cases in which outsiders gained access to confidential data and abused it. In response, the payment card brands crafted standards to close these openings and mandated that every merchant, small and midsize businesses included, adhere to them or risk losing the ability to accept card payments online.

In the past few years, high-profile data thefts have occurred at TJX, Hannaford Bros., Montgomery Ward, Countrywide, and Citibank. Not only did these breaches cost the companies millions in tangible and intangible ways, they also cast a chill over all online purchases and caused many businesses and consumers to pause before hitting the Enter key to complete their online transactions.

To assuage such fears, the Payment Card Industry (PCI) Security Standards Council, whose founders include American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, established standards for handling payment card data. The PCI Data Security Standard (DSS) is the cornerstone of the initiative: it requires companies to build and maintain secure networks, protect stored cardholder data, and encrypt cardholder data transmitted across open, public networks.

Version 1.0 of the standard appeared in December 2004 and was revised as version 1.1 in September 2006. Now version 1.2, released in October 2008, has been announced. The new specification clarifies wording that version 1.1 left ambiguous and extends a few requirements.

One term that needed clarification was "strong cryptography." Only loosely defined in version 1.1, the term is spelled out in the version 1.2 glossary as cryptography based on industry-tested and accepted algorithms, with strong key lengths and proper key management. The examples the glossary gives are AES with keys of 128 bits or more, Triple-DES with at least double-length (two-key) keys, and RSA or ElGamal with keys of 1,024 bits or more; single-key DES and short RSA keys do not qualify. Another outstanding question was PCI DSS applicability to paper-based information; version 1.2 clarifies that the standard applies to both electronic and paper media containing cardholder data. For businesses that interpreted version 1.1 as applying to electronic media only, this means expanding the scope of compliance work.

Version 1.2 also tightens the requirements around firewalls. Public-facing Web applications must be protected against known attacks either by placing a Web-application firewall in front of them or by reviewing them with an application vulnerability assessment at least annually and after any change; a business may choose either approach. The standard also relaxes the periodic review of firewall and router rule sets from every 90 days to every 180 days. The PCI Security Standards Council changed the review interval to align better with a typical organization's risk management cycle.

Wireless connections also received a lot of attention in the updated standard. WEP is no longer acceptable; the council wants companies to use stronger encryption. After March 31, 2009, new WEP implementations will not be allowed, and businesses must discontinue existing WEP implementations by June 30, 2010. In place of WEP, businesses will need to protect wireless authentication and transmission using industry best practices such as IEEE 802.11i (WPA2 with AES/CCMP encryption), which will require an equipment upgrade for companies whose access points and client devices support only WEP or first-generation WPA.
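The WEP cut-off dates and the move to 802.11i are easy to state but tedious to audit across a fleet of access points. The following script is an added example, not code from the article or from the PCI Security Standards Council; it parses a hostapd-style key=value configuration and reports whether the access point meets the version 1.2 wireless requirement as modelled here. The option names (wep_default_key, wep_keyN, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise) are real hostapd options, but the parser, the two sample configurations and the deployment dates are constructed for illustration, and the findings reflect the article's reading of the requirement rather than an official assessment procedure.

```python
"""Audit a hostapd-style access point configuration against the PCI DSS v1.2
wireless rule: no WEP (new deployments after 2009-03-31, all deployments after
2010-06-30) and strong encryption such as IEEE 802.11i (WPA2 with CCMP).

Added example, not part of the original article. Sample configurations and
dates below are constructed; this is a minimal key=value parser, not hostapd.
"""
from datetime import date

# Cut-off dates stated in PCI DSS v1.2 for WEP
WEP_NEW_DEPLOYMENT_CUTOFF = date(2009, 3, 31)   # no new WEP deployments after this
WEP_EXISTING_CUTOFF = date(2010, 6, 30)         # existing WEP must be gone after this

# Constructed sample: a legacy access point still running WEP
WEAK_CONFIG = """
interface=wlan0
ssid=ShopPOS
hw_mode=g
channel=6
# legacy WEP key (constructed value)
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: the same access point reconfigured for 802.11i (WPA2-Enterprise)
STRONG_CONFIG = """
interface=wlan0
ssid=ShopPOS
hw_mode=g
channel=6
wpa=2                      # RSN / IEEE 802.11i only
wpa_key_mgmt=WPA-EAP       # 802.1X/EAP authentication against RADIUS
rsn_pairwise=CCMP          # AES-CCMP, no TKIP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=example-only
"""


def parse_hostapd_conf(text):
    """Parse key=value lines, ignoring comments and blanks. Last value wins."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def audit_wireless(config, deployed_on, assessed_on):
    """Return a list of findings; an empty list means no issue found.

    deployed_on: date the access point was put into service.
    assessed_on: date of this assessment (drives the 2010-06-30 check).
    """
    findings = []
    uses_wep = any(k == "wep_default_key" or k.startswith("wep_key") for k in config)
    wpa = config.get("wpa", "0")

    if uses_wep:
        if deployed_on > WEP_NEW_DEPLOYMENT_CUTOFF:
            findings.append("WEP configured on a deployment newer than 2009-03-31: prohibited")
        elif assessed_on > WEP_EXISTING_CUTOFF:
            findings.append("Existing WEP still in use after 2010-06-30: prohibited")
        else:
            findings.append("WEP in use: must be retired by 2010-06-30")

    if wpa == "0" and not uses_wep:
        findings.append("No encryption configured (open network)")
    if wpa in ("1", "3"):
        findings.append("WPA1 enabled; wpa=2 (RSN/802.11i) is the expected setting")
    if wpa in ("2", "3"):
        # hostapd falls back to wpa_pairwise when rsn_pairwise is not set
        pairwise = config.get("rsn_pairwise", config.get("wpa_pairwise", "")).split()
        if "TKIP" in pairwise:
            findings.append("TKIP pairwise cipher allowed; use CCMP (AES) only")
        if "CCMP" not in pairwise:
            findings.append("Pairwise cipher list does not include CCMP")
    return findings


if __name__ == "__main__":
    today = date(2009, 11, 1)  # constructed assessment date
    for name, text, deployed in (("legacy AP", WEAK_CONFIG, date(2008, 6, 1)),
                                 ("upgraded AP", STRONG_CONFIG, date(2009, 5, 1))):
        result = audit_wireless(parse_hostapd_conf(text), deployed, today)
        print(name, "->", result or "no findings")
```

Run it against each access point's exported configuration with its real commissioning date; the same parser can be pointed at other key=value controller exports, but the option names above are hostapd's and would need mapping for other vendors.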

For small and midsize business owners and managers to comply with version 1.2 of PCI DSS, they must first have a firm grasp of the requirements and then check that company systems actually adhere to them.

Though intended to bolster security and confidence in electronic commerce transactions, the new standard also requires a significant investment from most businesses. But small and midsize businesses don't have a choice. Major payment brands, including MasterCard and Visa, have adopted PCI DSS as a requirement for organizations that process, store, or transmit payment cardholder data. That means that all merchants, no matter how small or large, need to comply with the standard.

The threat to online transactions is so great the major financial players have moved to establish standards to decrease the likelihood of problems. If they want to keep their e-commerce transactions flowing, small and midsize businesses need to understand and adopt these standards.


Paul Korzeniowski is a Sudbury, Mass.-based freelance writer who has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investor's Business Daily, Newsweek, and InformationWeek.

© 2007 Condé Nast Inc. All rights reserved.
