This is the last part of our 6-part series about compliance requirements with the PCI Data Security Standards (PCI DSS).
Here's our list of topics, with links to the previous days' Nuggets.
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting
We're left with #5, testing and reporting.
Maintaining your online security and PCI Compliance is a continual process because security holes might appear with every software upgrade and with every change to an online form.
We like websites that interact with visitors. This could be a form, survey, AJAX widget, diamond search, and even a shopping cart. Every place you have a form, button, or link to engage a customer is also a place a hacker will try to exploit security holes. Your website might be secure today, but a simple JavaScript change tomorrow could cause trouble.
There are many companies that test for security holes and provide PCI Compliance reporting. A quick Google search for "pci compliance testing" returns 21,300,000 results. Each company will provide different levels of testing for different monthly or annual fees.
Yes, there are fees involved with testing for security holes. You have to pay the security testing company, and then you have to pay someone to remediate any security issues found. You need to scan for, and fix, security issues at least 4 times a year. Your scan reports need to be submitted to your bank.
The level of reporting and testing depends on how many transactions you process every year. Most of you reading this Daily Golden Nugget will probably fall into Level 4 and require minimal testing and reporting.
PCI Compliance Merchant Levels:
Level 1: Merchants processing over 6 million transactions annually
Level 2: Merchants processing 1 million to 6 million transactions annually
Level 3: Merchants processing 20,000 to 1 million transactions annually
Level 4: Merchants processing less than 20,000 transactions annually
As a local jeweler, and even an e-commerce jeweler, having more than 20,000 transactions every year would be a wonderful goal. That's 54 purchases a day! Realistically, we know most of our readers never even approach that number.
When you're a small, Level 4 merchant, the PCI Compliance standards require you to fill out a security questionnaire once a year. Officially this is called the PCI DSS Self-Assessment Questionnaire (SAQ) and it asks these types of questions:
Is your network connected to the internet?
What type of firewall do you have?
What accounting program do you use?
Are all media physically secured?
At the time of this writing the current PCI SAQ is 15 pages long. You can download it from the Documents section of PCISecurityStandards.org at this URL:
https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
Many times your payment processing company will mail you their own version of this same form.
So that's it. PCI DSS testing is a difficult hurdle to overcome, and most of the time it seems like an unnecessary burden that weighs down small businesses even more. But remember that it only takes a single security breach for a hacker to get that customer information. Once that happens, you might be penalized with fines heavy enough to put you out of business.
There is a silver lining to the process. All of the payment card companies are pushing consumer awareness of PCI Compliance, and all the compliance testing companies are pushing brand recognition of their logos. Those logos tell consumers that your e-commerce website is safe, and that has been shown to boost sales.