The entire point of the exercise is to make sure that merchants processing credit cards are taking appropriate security measures to protect cardholder data.
You might think that compliance is a simple thing if you are one of the millions of small businesses conducting online transactions through a third party service provider like Link Point. It might seem that most online microbusiness owners will have nothing to worry about because most of them never come into direct contact with customer credit card data.
However, it's not quite that simple. We might not come into contact with the sensitive data but we are still responsible for what happens when that data is transmitted from our web sites to our virtual terminals and/or payment gateways. The PCI Security Standards Council has determined that "anybody who touches the data has to be compliant," as spokesman Glenn Boyet put it to me.
That means, in order for you to be considered PCI compliant, your payment gateway and your merchant account provider and your shopping cart software and even your web hosting company -- all the service providers you use to handle your customers' data, transmit it, or process it -- need to be PCI compliant, too.
Many service providers have already taken care of this, while the list of those that haven't contains a few surprises. Among web hosting companies, for example, GoDaddy.com has been PCI compliant since 2006, according to Neil Warner, Chief Information Security Officer for the hosting giant. On the other hand, it appears that Verihost (formerly Verio) and Homestead are not.
So, what can an online microbusiness merchant do to make the credit card companies happy with their security practices, even if they don't actually see any of the data in question themselves?
One of the things you are going to have to do is download and complete the appropriate Self Assessment Questionnaire (SAQ) that is applicable to your merchant situation, whether you never see a credit card or are a Main Street point-of-sale processor or a mail order/catalog processor or whatever. That is the first step toward compliance and the questionnaire will help you to identify any security issues you may have and correct them.
While you're at it, contact your merchant bank if you haven't yet heard from them already. They will almost certainly have some sort of compliance assistance program in place for their merchants. You'll be doing yourself a favor by using it.
Besides that, if you have any problems with the form (especially for companies without employees, since the form assumes that you have them) or what it tells you about your security practices, you should be able to get help there.
Check the resources provided by the major credit companies to make sure that your web hosting company, your merchant bank and your payment gateway are on their lists of compliant service providers.
Many of the smaller or independent (or both) service providers offer very popular platforms or services that may not be PCI compliant (OsCommerce, a popular Open Source shopping cart system, for example).
If that turns out to be the case, you will need to decide whether to change vendors or hold out until they can get certified - assuming they plan to do so. Either way, make it your business to find out what, if anything, your providers intend to do about it.
In many ways, it may seem like a pain to have to check up on all your service providers like this. However, even if we do not directly handle our customers' data, it is important to know that the vendors we select to handle it for us are up-to-date on their security practices. That's just good microbusiness risk management and good customer service, too.
* * * * *
About the Author: Dawn Rivers Baker, an award-winning small business journalist, regularly reports and analyzes small business policy and research as the editor and publisher of The MicroEnterprise Journal. She also blogs at The Journal Blog.
Dawn is a member of the Small Business Trends Expert Network.