Written June 2007
Updated March 2008
Payment Card Industry Data Security Standard / PCI DSS
If your business accepts credit cards, then you have several obligations.
First, to Visa and Mastercard, with whom you have entered into a contract (by accepting
their cards). They have put in place notification requirements and penalties for
card data breaches. Simply put, if card information that you store is
thought to have been seen by unauthorized personnel, you must notify them.
Secondly, you have an obligation to your customers, who have kindly given you their
business and thereby entrusted you with an aspect of their identity and financial welfare.
Basically, you must handle their information with the same care you would want someone else
to take with your sensitive information. For an average small business, this means addressing three key areas.
Capture the Card
If you accept credit cards, the first thing to address is
how you capture the customer's information.
You Must
- (web) Use SSL encryption (https) on checkout pages
- (web) Send their credit card information for processing securely immediately after they submit it
- (web) Use PGP to immediately encrypt the card information, if not processing online
- (retail) Check the signature on the back of the card
- (retail) Have them sign the store's receipt
- (general) Complete the PCI self-assessment questionnaire
You Must Not
- (web) store their credit card number on the webserver, even temporarily
- (web) store the PGP private key on the webserver
- (web) show their entire card number back to them, even on the receipt
- (general) send (or ask to receive) credit card information via email
- (general) print their entire card number on their receipt
Good Practices
- (general) Perform a PCI compliant Network Scan
- (retail) Use a swipe capture unit
- (retail) Ask to see their Identification
You Captured Their Information, Now What?
This is a critical point. At this stage you have a decision
to make. Do you need to keep their credit card number on
file, or not? The safest thing to do is process the card,
get the authorization, and destroy the card number. Most of
the time it really is not necessary to keep a customer's
card number on file.
If it is necessary to keep the card number on file, then
you need to ensure that no unauthorized personnel have
access to it. If you store the information on an in-office
desktop or server, that computer must be secure, the
networked computers must be secure, and your network and
Wi-Fi (if any) must be secure. Get a head start on this
with our Three steps to Desktop
Security and Three steps to Wifi Security.
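As an added illustration (not code from the original article), here is a small set of Python helpers that follows the "must not" items under Capture the Card and the keep-or-destroy decision above: it masks a card number to its last four digits for receipts, scans a log or other saved text for card numbers left in the clear (using the Luhn check that all major card brands use, so that order numbers and timestamps are skipped), and builds the minimal record worth keeping once the processor has returned an authorization. The sample log lines, the card numbers (the 4111... and 5500... values are the usual publicly known test numbers) and the authorization code are constructed for the example.

```python
"""Helpers for handling card numbers in a small shop's code.
Added example; not part of the original article."""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# is a candidate primary account number (PAN). The lookarounds stop the
# pattern from matching the middle of a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by every major card brand. It is not a secret,
    but it weeds out most non-card digit runs (order ids, timestamps)
    that a plain regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the number with everything but the last four digits replaced,
    which is all a receipt or order confirmation should ever show."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or not luhn_valid(digits):
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid card-number-looking string found in text,
    e.g. a web server log, a database dump or a saved order form.
    An empty list is the result you want from anything stored on the server."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            hits.append(m.group())
    return hits


def record_after_authorization(pan: str, expiry: str, auth_code: str) -> dict:
    """What to keep on file once the processor has authorized the charge:
    enough to describe the card to the customer and to reference the
    transaction with the processor, but never the full number."""
    return {
        "card_last4": mask_pan(pan)[-4:],
        "expiry": expiry,           # expiry month/year is not sensitive on its own
        "auth_code": auth_code,     # reference returned by the processor (constructed here)
    }


# Constructed sample: one log line with a card number in the clear, one masked.
SAMPLE_LOG = (
    "2008-03-01 order=1234567890123 card=4111 1111 1111 1111 amount=42.00\n"
    "2008-03-01 order=1234567890124 card=************1111 amount=42.00\n"
)

if __name__ == "__main__":
    print("receipt shows:", mask_pan("4111 1111 1111 1111"))
    print("left in the clear:", find_unmasked_pans(SAMPLE_LOG))
    print("keep on file:", record_after_authorization("5500000000000004", "12/09", "A1B2C3"))
```

Running the scanner over a copy of your web server's logs, form uploads and database exports is a cheap way to confirm the "never store on the webserver" rule is actually being followed; a non-empty result is the thing to fix before any network scan or assessment.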
Check, and Double Check
Put together an outline for securing data so you can see
where your business's vulnerabilities are. Cover capturing and
storing of the data, and at the end add some reporting
procedures. If something does happen, you will know whom to
contact.
More information, along with downloads of the requirements can be found here:
https://www.pcisecuritystandards.org
It may be that your bank (because of your type or volume of
business) requires you to have a Qualified Security
Assessment. Check with your bank (they will notify you if you are
required) and if you do, follow up with a qualified security
scanning agency. Even if you are not obligated to do so, you
can still hire one of the agencies to verify you, for your
own peace of mind and liability protection.