RichGilchrest.com

Seven actions you should take immediately if your business accepts credit cards


If your business accepts Mastercard, VISA, American Express, Discover, or JCB credit cards, you are responsible for becoming PCI compliant, if you are not already, and the deadline is not far off. You could face an unannounced audit of your security procedures at any time, and if you fail it, your merchant account could be suspended or canceled. Move PCI compliance to the top of your to-do list this month.

  1. Become familiar with the PCI 1.1 Data Security Standard. Depending on your merchant services provider, this obligation may be spelled out plainly or buried deep in your contract. Either way, it’s probably there. The standard’s twelve requirements are written in general terms rather than as a checklist, which makes them tough to apply to a specific business. If you’re relaxed about security, you might read the standards document and not see anything you need to do, but you’d be wrong. Call or e-mail your merchant account vendor and ask them what your responsibilities are. Better safe than sorry is the rule here.
  2. Make sure that any credit card information being transferred across the Internet is encrypted. If you use a professional processor or gateway, chances are your customer orders are already SSL/TLS-encrypted and all certificates are up to date. If you’re not sure, call the company that accepts the card information for you. If you’ve built your own server, you should double-check. Using Internet Explorer, click TOOLS, then INTERNET OPTIONS. Select the ADVANCED tab, then scroll all the way down to the Security section. Starting with “Check for publisher’s certificate revocation”, enable every Check and Warning option. Then go to your own website and make a purchase. You should see “HTTPS” at the beginning of every URL on which card details are entered or submitted, and the browser should warn you if anything is wrong with the certificate. This only checks the hop from the customer’s browser to your site; if your server then forwards the card number to a gateway, that connection must be encrypted too.
  3. If you use credit card processing software, make sure it’s PCI compliant. If it’s not, find out when it will be. My company re-sells Intrix’s SuperCharge 4.6 to our customers. This version of the software is not PCI compliant because it does not encrypt stored information. We won’t be selling this version much longer, but right now we still do. Don’t assume that your vendors, even if they are major financial institutions, are going to force compliance upon you.
  4. Make sure your customers’ credit cards are encrypted in your software. If you store credit cards in a database for recurring charges or future use, make sure the card numbers are encrypted, not just masked. Viewing or changing the full card number should require a password that only you and the necessary accounting people know, and that password (or the key it protects) must not sit in the database alongside the cards, or anyone who copies the database gets the cards too. Make sure you understand the difference between masking and encrypting. Masking hides digits on screen: if you can open your database in SQL Server (or whatever platform you use) and see the full card number, then it’s only masked. Only the last four digits should be viewable in the database. Encryption means that you will never be able to see the full number without that password.
  5. Set a short time limit on storing unencrypted customer information. If you have some need to store your customers’ information unencrypted, make sure you dispose of it as soon as you no longer need it. Set a time limit, seven to thirty days depending on your need, to either destroy or encrypt that information, and enforce it with a scheduled job rather than relying on someone remembering. Whether you realize it or not, your company probably has data packrats who never want to delete or destroy anything, “just in case…”
  6. Use shredders, both physical and software, when destroying customer information. If you store information on paper, buy a quality shredder and use it. If your company size warrants it, hire a reputable service to shred and recycle your paper waste. If you store digital information, use a program like SuperShredder to delete files containing customer information. If you just delete the files and empty the Recycle Bin, the data is still easily recoverable. Shredder software does not just delete the file; it first overwrites the file’s contents with random data so the old bytes cannot be read back with forensic tools. One overwrite pass is enough on a magnetic disk. The bigger caveat is that on solid-state drives, and on file systems that journal data or copy it rather than rewriting in place, the overwrite may not land on the same physical blocks, so for a laptop that could walk out the door, full-disk encryption is the stronger protection.
  7. Upgrade to WinZip 11.1 and use its 256-bit AES encryption. Any computer files containing customer information should be encrypted. Your company probably uses WinZip to compress files anyway. Why not upgrade and use the encryption features to protect your customers while you store their data? Two cautions: pick the AES option rather than the legacy Zip 2.0 (“ZipCrypto”) encryption, which is easily broken, and use a long passphrase, because the archive is only as strong as the password that unlocks it. The file names inside an encrypted archive remain visible, so don’t name files after customers or card data.
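
The browser check in item 2, done from a script so it can run on a schedule. This is an added example, not code from the original post or from any vendor it mentions. The hostname shop.example.com is hypothetical, and SAMPLE_CERT is a constructed record in the same shape as Python’s getpeercert() output so the checks can be exercised offline; audit_live() performs the real handshake with the same chain and hostname verification a browser applies.

```python
"""Audit the certificate a merchant site presents to customers.

Added example, not code from the original post or from any vendor it names.
Assumptions: the hostname "shop.example.com" is hypothetical, and SAMPLE_CERT is
constructed in the shape of ssl's getpeercert() output so the checks run
offline; audit_live() does the real handshake.
"""
import datetime as dt
import socket
import ssl
import sys
from typing import Optional

WARN_DAYS = 30  # renew before this; an expired certificate is what sends customers away

SAMPLE_CERT = {  # constructed, not a real certificate
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Feb  1 00:00:00 2024 GMT",
    "OCSP": ("http://ocsp.example.com/",),
}
SAMPLE_NOW = dt.datetime(2024, 1, 15, tzinfo=dt.timezone.utc)  # constructed clock for the sample


def san_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS subjectAltName entry covers hostname.

    A wildcard covers exactly one left-most label (*.example.com matches
    api.example.com but not www.shop.example.com), which is the browser rule.
    """
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False


def audit_cert(cert: dict, hostname: str, now: Optional[dt.datetime] = None) -> dict:
    """Findings a merchant should act on, computed from one certificate record."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), dt.timezone.utc)
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    days_left = (not_after - now).days
    return {
        "hostname_ok": san_matches(cert, hostname),
        "valid_now": not_before <= now <= not_after,
        "days_left": days_left,
        "expiring_soon": 0 <= days_left < WARN_DAYS,
        # the revocation checks you enable in the browser need one of these URLs to exist
        "revocation_checkable": bool(cert.get("OCSP") or cert.get("crlDistributionPoints")),
    }


def audit_live(hostname: str, port: int = 443) -> dict:
    """Handshake with full chain and hostname verification, then audit the leaf.

    If the handshake itself fails (untrusted issuer, wrong name, expired), that
    is what customers' browsers see too: treat it as the finding, not a bug.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return audit_cert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"
    for finding, value in audit_live(target).items():
        print(f"{finding:>20}: {value}")
```

Run it as `python audit_cert.py yourshop.example` from a machine outside your network; a handshake error is itself the finding, since it is what a customer’s browser will refuse.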
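
Items 4 and 5 in code: what the database row should look like, why masking alone is not enough, and a sweep that enforces the retention limit on unencrypted data. This is an added example, not code from the original post or from any product it names. It assumes a Python list in place of the database table, a key derived from a passphrase that accounting staff type in and that is never written to the database, and a standard-library-only cipher (HMAC-SHA256 in counter mode with an HMAC tag) so it runs anywhere; for real card data use a vetted AEAD such as AES-GCM from the `cryptography` package and keep the key in an HSM or key-management service. The card numbers used are constructed test values.

```python
"""Card numbers at rest: mask for display, encrypt for storage, expire the rest.

Added example, not code from the original post or from any product it names.
Assumptions: a Python list stands in for the database table; the encryption key
is derived from a passphrase that accounting staff type in and that is never
written to the database; the cipher (HMAC-SHA256 in counter mode plus an HMAC
tag) is standard-library only so the example runs anywhere.  For real card
data use a vetted AEAD such as AES-GCM from the `cryptography` package.
"""
import datetime as dt
import hashlib
import hmac
import os
from typing import List, Optional

KDF_ITERATIONS = 200_000                 # illustrative; tune to your hardware
STAGING_LIMIT = dt.timedelta(days=7)     # item 5: plaintext may live at most this long


def mask(pan: str) -> str:
    """Masking is a display rule: the full number still exists wherever it came from."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """64 bytes: the first half encrypts, the second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # wrong key or tampering: refuse, never guess
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardStore:
    """The table holds last4 and a ciphertext; the PAN itself never reaches the database."""

    def __init__(self, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)   # the salt may live in the DB; the passphrase may not
        self.rows: List[dict] = []           # long-term, encrypted
        self.staging: List[dict] = []        # short-lived plaintext awaiting processing

    def store(self, customer: str, pan: str, key: bytes) -> dict:
        row = {"customer": customer, "last4": pan[-4:], "pan_enc": encrypt(key, pan.encode())}
        self.rows.append(row)
        return row

    def reveal(self, row: dict, key: bytes) -> str:
        """The only road to the full number; raises unless the right key is supplied."""
        return decrypt(key, row["pan_enc"]).decode()

    def stage(self, customer: str, pan: str, received: dt.datetime) -> None:
        self.staging.append({"customer": customer, "pan": pan, "received": received})

    def sweep(self, now: dt.datetime, key: Optional[bytes] = None) -> int:
        """Item 5 as a scheduled job: anything older than STAGING_LIMIT is encrypted
        into rows when a key is given, otherwise destroyed.  Returns the count handled."""
        expired = [r for r in self.staging if now - r["received"] > STAGING_LIMIT]
        for r in expired:
            if key is not None:
                self.store(r["customer"], r["pan"], key)
            self.staging.remove(r)
        return len(expired)
```

The point to take from the row layout: a stolen copy of the table gives an attacker the salt, the last four digits and a ciphertext, and nothing else, because the passphrase lives with the people who need it rather than in the database.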
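
The software shredder from item 6, so you can see what such a tool actually does and where it stops working. This is an added example, not code from the original post or from SuperShredder or any other product. It assumes a magnetic disk and a file system that rewrites blocks in place; the demo() record is constructed.

```python
"""A software shredder: overwrite a file's contents before deleting it (item 6).

Added example, not code from the original post or from any product it names.
Assumption: the file lives on a magnetic disk with a file system that rewrites
blocks in place.  On SSDs, and on file systems that journal data, snapshot, or
copy on write, the new bytes may land on different physical blocks and the
old ones survive; there, full-disk encryption is the real control and this is
defence in depth.  The demo() data is constructed.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20   # overwrite in 1 MiB pieces so large files do not sit in memory


def shred(path: str, passes: int = 1) -> None:
    """Overwrite with random bytes, force it to disk, hide the name, then unlink.

    One pass is enough for modern magnetic media (NIST SP 800-88); the
    'dozens of passes' of older shredder tools buy nothing but time.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # past the page cache and onto the disk
        f.seek(0)
        f.truncate(0)                 # the file size alone can hint at what it held
        f.flush()
        os.fsync(f.fileno())
    # the name can leak as much as the contents ("cards_2007.xls"), so rename before unlinking
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)


def demo() -> dict:
    """Create a file holding a constructed card record, shred it, report what is left."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "orders.csv")
    with open(target, "w") as f:
        f.write("cust-1,4111111111111111,2007-07-01\n")   # constructed test record
    existed = os.path.exists(target)
    shred(target, passes=1)
    leftover = os.listdir(workdir)
    os.rmdir(workdir)
    return {"existed_before": existed, "exists_after": os.path.exists(target), "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

Note what this cannot do: it never sees the copies Windows or your applications made on their own (temporary files, the page file, backups, the spreadsheet’s autosave), which is why encrypting the whole disk is the only answer to the stolen-laptop scenario in the closing paragraphs.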

Spending the extra time and money to protect your customers’ information isn’t just good for them; it’s good for you. There may not be a “PCI Compliant” sticker you can place on your windows next to the VISA and MasterCard logos, but there should be. Consider for a moment how badly it would damage your business if one of your computers was stolen and all of your customers’ information was stored on that hard drive. Do you want to send a letter to your entire customer base, informing them that they need to report their credit cards as stolen because you hadn’t encrypted their data?

If your website certificate or SSL encryption isn’t working, how many sales are you losing because customers would rather do business with a company that is concerned about their security?

Could your business survive if you failed an audit and lost your merchant account?


3 Responses

  1. Tonya

    July 9th, 2007 at 7:17 am

    Great stuff, very useful information for people starting out here. The key is setting a good plan of action when starting out, not fixing things once business starts rolling! With regards to point 1, it’s important that people understand the requirements for PCI DSS and the implications of non-compliance, this is crucial. There are various sources of information online, though this free white paper in particular we’ve found truly helpful: PCI DSS Made Easy.

  2. Securing Customer Data: 7 Precautions For Accepting Credit Card Payments | Solo Signal

    July 9th, 2007 at 3:10 pm

    [...] of responsibility. Rich over at Aiming for Independence has posted a great article outlining the seven actions you should take immediately if your business accepts credit cards. Here are some excerpts: #2. Make sure that any credit card information being transferred [...]

  3. Robert

    July 30th, 2007 at 1:01 am

    I cannot open IE. When I click on IE’s icon, the desktop freezes for 3-5 minutes and then I get an error message that the webpage I have tried to open cannot be found. The only way I am able to open IE and surf the internet is to open Windows Explorer and then type the internet address in its address bar.
