My small organization accepts credit cards, so in the past three years we have been required to jump through many PCI DSS compliance hoops. The quarterly scans and annual self-assessment questionnaires are very time-consuming and costly to produce, especially since we have a low volume of sales. We have looked at third-party payment services like Square and PayPal, which we thought would absolve us from any PCI compliance measures; however, the end-user agreements are very one-sided and offer our company no protection if a data breach occurs. What else can we do to ease the PCI compliance burden? Are there any third-party payment services that offer protection and assume PCI DSS responsibilities for smaller merchants?
Thanks for a great question. The PCI DSS compliance burden can definitely be challenging for any merchant, but it has a particularly adverse impact on small businesses that simply don't have the resources available to larger organizations. You're on the right track with your current approach -- the more a company is able to outsource credit card processing, the better off it will be from a security and compliance perspective. I like to think of credit card data as the toxic waste of information security -- the less you have, the safer you'll be.
Take a look at the recent generation of credit card processing services that use a technology known as point-to-point encryption (P2PE). These products provide merchants with a credit card reader that reads cards and immediately encrypts the sensitive payment information before it reaches any other system or network. The secret is that only the service provider has the decryption key necessary to retrieve the credit card information. As the merchant, not only do you have no access to any credit card information, but the encryption also makes it impossible for you to obtain it.
If a company uses P2PE technology and a PCI DSS validated service provider, it's in the best possible situation when it comes to credit card compliance issues.
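The advice above rests on one property: the merchant's POS, logs and network never carry a decryptable card number because the key lives only with the provider. The following is an added example, not code from the article or from any P2PE vendor, showing how a merchant can check that property for itself. It pairs a cardholder-data discovery scan (Luhn-validated 13-19 digit runs, the standard way of hunting for stray PANs in logs and captures) with a toy model of a P2PE reader. The reader, provider, `TRACK1` sample and HMAC-SHA256 keystream cipher are all assumptions made for illustration; a real P2PE reader encrypts in tamper-responsive hardware with DUKPT-derived keys, which this stand-in does not attempt to reproduce.

```python
"""Cardholder-data discovery check against a toy P2PE reader (added example)."""
import base64
import hashlib
import hmac
import os
import re
from typing import List

# 13-19 digits, single optional space/dash between digits, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed Track 1 sample using the well-known 4111... test PAN (not a real card).
TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used to filter digit runs down to plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped.

    Greedy matching is deliberate: a production scanner would also try
    sub-windows of a long digit run, which is omitted here for brevity.
    """
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stand-in only, not DUKPT/AES."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Reader:
    """Hypothetical P2PE card reader: holds the key, emits ciphertext only."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def swipe(self, track: str) -> bytes:
        nonce = os.urandom(16)
        ct = _xor(track.encode(), _keystream(self._key, nonce, len(track)))
        return nonce + ct


class Provider:
    """Hypothetical processor-side HSM: the only place the decryption key exists."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def provision_reader(self) -> Reader:
        # Key injection happens at the provider, never on merchant premises.
        return Reader(self._key)

    def decrypt(self, blob: bytes) -> str:
        nonce, ct = blob[:16], blob[16:]
        return _xor(ct, _keystream(self._key, nonce, len(ct))).decode()


def run_demo() -> dict:
    """Compare what leaks from a legacy reader versus a P2PE reader."""
    provider = Provider()
    reader = provider.provision_reader()
    blob = reader.swipe(TRACK1)
    # Everything the merchant's POS, logs and network ever see is this encoded blob.
    merchant_view = base64.b64encode(blob).decode()
    return {
        "legacy_reader_leaks": find_pans(TRACK1),          # cleartext track data
        "p2pe_merchant_view_leaks": find_pans(merchant_view),  # should be empty
        "provider_recovers": find_pans(provider.decrypt(blob)),
    }


if __name__ == "__main__":
    for name, pans in run_demo().items():
        print(f"{name}: {pans}")
```

Run `find_pans` over POS logs, database dumps and packet captures from the merchant side; with a working P2PE deployment it should return nothing, and any hit means cleartext card data is touching a system you would then have to bring into PCI DSS scope.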
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)