Reader's Favorite Nuggets
Recent Hits All Time Matt's Favorites
Recent Reader's Favorites

Our Nugget List

PCI Compliance Testing and Reporting for Jewelers

by
This is the last part of our 6 part series about compliance requirements with the PCI Data Security Standards (PCI DSS).

Here's our list of topics with links next to the previous day's Nuggets.

Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting

We're left with #5, testing and reporting.

Maintaining your online security and PCI Compliance is a continual process because security holes might appear with every software upgrade and with every change to an online form.

We like websites that interact with visitors. This could be a form, survey, AJAX widget, diamond search, and even a shopping cart. Every place you have a form, button, or link to engage a customer is also a place a hacker will try to exploit security holes. Your website might be secure today, but a simple JavaScript change tomorrow could cause trouble.

There are many companies that test for security holes and provide PCI Compliance reporting. A quick Google search for "pci compliance testing" returns 21,300,000 results. Each company will provide different levels of testing for different monthly or annual fees.

Yes, there are fees involved with testing for security holes. You have to pay the security testing company and then you have to pay someone to remediate any security issues found. You need to scan for, and fix security issues at least 4 times a year. Your scan reports need to be submitted to your bank.

The level of reporting and testing depends on how many transactions you process every year. Most of you reading this Daily Golden Nugget will probably fall into Level 4 and require minimal testing and reporting.

PCI Compliance Merchant Levels:

Level 1: Merchants processing over 6 million transactions annually
Level 2: Merchants processing 1 million to 6 million transactions annually
Level 3: Merchants processing 20,000 to 1 million transactions annually
Level 4: Merchants processing less than 20,000 transactions annually

As a local jeweler, and even an e-commerce jeweler, having more than 20,000 transactions every year would be a wonderful goal. That's 54 purchases a day! Realistically, we know most of our readers never even approach that number.

When you're a small, Level 4 merchant, the PCI Compliance standards require you to fill out a security questionnaire once a year. Officially this is called the PCI DSS Self-Assessment Questionnaire (SAQ) and it asks these types of questions:

Is your network connected to the internet?
What type of firewall do you have?
What accounting program do you use?
Are all media physically secured?

At the time of this writing the current PCI SAQ is 15 pages long. You can download it from the Documents section of PCISecurityStandards.org at this URL:
https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Many times your payment processing company will mail you their own version of this same form.

So that's it. PCI DSS testing is a difficult hurdle to overcome, and most of the time is seems like an unnecessary burden to weigh down small businesses even more. But remember that it only takes a single security breech for a hacker to get that customer information. Once that happens you might be penalized with heavy fines enough to put you out of business.

There is a silver lining to the process. All of the payment card companies are pushing consumer awareness of PCI Compliance, and all the compliance testing companies are pushing brand recognition of their logos. Those logos will tell consumers that your e-commerce website is safe, and that has shown to boost sales.
AT: 04/18/2012 09:07:30 PM   LINK TO THIS GOLD NUGGET
Confused and worried about your mobile website options? Click here to find out how to get your own website evaluation and a game plan to make it better.

Like This Jewelry Website SEO Gold Nugget? Please Share!

Like Our Site? Follow Us!


0 Comments on PCI Compliance Testing and Reporting for Jewelers

Post a Comment
Name:

Check here for Anonymous
Email

Website:

 
Please contact me at the phone number and address below
Phone Number

Address:

 
Comment:

 
User Verification
5 1 2 4 6 5 9 6
Please enter the number you see in the box.
[ What's This? ]
Sign Up For Emailed Daily Gold Nuggets

"...articles are easy to follow and seem to have information one can use right away."
-Ann, Gallery 4, Hamden CT


"...serious kudos to you. We love your straight talk, pertinent information and plain language. I don't know how many industries have something of jWAG's caliber available, but I learn from the emails every day. Really, really nice work, and very appreciated."
-Cheryl Herrick, Global Pathways Jewelry