My small organization accepts credit cards, so in the past three years we have been required to jump through many PCI DSS compliance hoops. The quarterly scans and annual self-assessment questionnaires are very time-consuming and costly to produce, especially since we have a low volume of sales. We have looked at third-party payment services like Square and PayPal, which we thought would absolve us from any PCI compliance measures; however, the end-user agreements are very one-sided and offer our company no protection if a data breach occurs. What else can we do to ease the PCI compliance burden? Are there any third-party payment services that offer protection and assume PCI DSS responsibilities for smaller merchants?
Thanks for a great question. The PCI DSS compliance burden can definitely be challenging for any merchant, but it has a particularly adverse impact on small businesses that simply don't have the resources available to larger organizations. You're on the right track with your current approach -- the more a company is able to outsource credit card processing, the better off it will be from a security and compliance perspective. I like to think of credit card data as the toxic waste of information security -- the less you have, the safer you'll be.
Take a look at the recent generation of credit card processing services that use a technology known as point-to-point encryption (P2PE). These products provide merchants with a credit card reader that scans cards and then immediately encrypts the sensitive payment information before it reaches any other system or network. The secret is that only the service provider has the decryption key necessary to retrieve the credit card information. As the merchant, not only do you not have access to any credit card information, the encryption makes it impossible for you to obtain it.
If a company uses P2PE technology and a PCI DSS validated service provider, it's in the best possible situation when it comes to credit card compliance issues.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)