
How can small companies ease the PCI compliance burden?

Smaller organizations have a tougher time handling the compliance burden, specifically from the PCI DSS requirements. Expert Mike Chapple has some advice for small businesses.

My small organization accepts credit cards, so in the past three years we have been required to jump through many PCI DSS compliance hoops. The quarterly scans and annual self-assessment questionnaires are very time-consuming and costly to produce, especially since we have a low volume of sales. We have looked at third-party payment services like Square and PayPal, which we thought would absolve us from any PCI compliance measures; however, the end-user agreements are very one-sided and offer our company no protection if a data breach occurs. What else can we do to ease the PCI compliance burden? Are there any third-party payment services that offer protection and assume PCI DSS responsibilities for smaller merchants?

Thanks for a great question. The PCI DSS compliance burden can definitely be challenging for any merchant, but it has a particularly adverse impact on small businesses that simply don't have the resources available to larger organizations. You're on the right track with your current approach -- the more a company is able to outsource credit card processing, the better off it will be from a security and compliance perspective. I like to think of credit card data as the toxic waste of information security -- the less you have, the safer you'll be.

Take a look at the recent generation of credit card processing services that use a technology known as point-to-point encryption (P2PE). These products provide merchants with a credit card reader that scans cards and then immediately encrypts the sensitive payment information before it reaches any other system or network. The secret is that only the service provider has the decryption key necessary to retrieve the credit card information. As the merchant, not only do you not have access to any credit card information, the encryption makes it impossible for you to obtain it.

If a company uses P2PE technology and a PCI DSS validated service provider, it's in the best possible situation when it comes to credit card compliance issues.
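The practical consequence of P2PE is that the merchant's own systems should never contain a cleartext primary account number. Below is an added example (not part of the original answer) of a check a small merchant can run over its own logs or database exports to confirm that: it looks for 13 to 19 digit runs that pass the Luhn check, which masked PANs, encrypted P2PE payloads and ordinary order ids will not. The sample lines are constructed, and the card number in them is a published Visa test number, not a real card.

```python
import re

# Constructed sample of a small merchant's log. Line 1 comes from a legacy
# terminal that handed the PAN to the merchant's system (the value is a
# published Visa test number, not a real card). Line 2 is a masked PAN
# (first six / last four, permitted under PCI DSS). Line 3 is the opaque
# encrypted payload a P2PE terminal hands over. Line 4 is a 16-digit order id.
SAMPLE_LINES = [
    "2016-04-01 10:02:11 legacy-pos sale pan=4111111111111111 amount=19.99",
    "2016-04-01 10:03:45 p2pe-terminal sale pan=411111******1111 amount=5.00",
    "2016-04-01 10:04:02 p2pe-terminal sale blob=9f2c1a7e4b0d3c8e5a6f1b2c3d4e5f60 amount=42.10",
    "2016-04-01 10:05:30 shop order_id=1234567890123456 amount=7.50",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by the card brands; it filters out most digit runs
    (order ids, timestamps, hashes) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(lines):
    """Return (line number, masked PAN) for every Luhn-valid candidate.
    Masked PANs and encrypted P2PE payloads never contain such a run, so an
    empty result is evidence that the merchant side holds no card data."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((n, masked))
    return findings


if __name__ == "__main__":
    for n, masked in find_cleartext_pans(SAMPLE_LINES):
        print(f"cleartext PAN on line {n}: {masked}")
```

Only the legacy terminal's line is reported; the findings are masked so the report itself does not become another copy of card data.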


This was last published in April 2016