How to Comply With the New Payment Card Industry Data Security Standards
What are the usual challenges to compliance?
- Time: Garcia says many merchants underestimate the time needed to complete the internal auditing process. The timeframe depends on the size of your operation, how old or complex your computer systems are, your current payment-processing techniques and other variables, he notes. “But an intrusion that compromises your system,” he continues, “would take much longer to resolve than the upfront compliance process.”
- Systems: Says Botelle, “If you have an old mainframe or other legacy systems, becoming compliant can turn out to be a big process.”
What are PCI’s benefits to merchants? The auditing process shows your company’s vulnerabilities to threats from the outside world, Botelle says.
Are there any technologies that can help? Ask your commerce management software provider if it offers any modules that can help you comply with the regulations. Commerce management software provider CommercialWare, for example, recently released updated versions of its CWDirect, CWStore and CWCollaborate solutions that reportedly allow merchants to further encrypt credit card data, cloak credit card numbers, remove card security numbers after authorization, and produce an audit trail of when card data is viewed. For more, visit www.commercialware.com.
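The three controls named in that product description (masking the card number for display, discarding the card security code once authorization returns, and recording an audit entry whenever the full number is revealed) are small enough to show in code. The following is an added example written for this article; it is not CommercialWare's code or any vendor's API, and the class and function names, the stand-in authorization call and the sample card number are assumptions for illustration.

```python
"""Added illustration of PCI-style card-data handling (not vendor code).

Shows: PAN masking to first six / last four digits, Luhn validation,
dropping the card security code after authorization, and an audit trail
written each time the full PAN is revealed. All names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import re


@dataclass
class CardRecord:
    pan: str                      # full primary account number
    expiry: str                   # MM/YY
    security_code: Optional[str]  # CVV2/CVC2; must not persist after authorization


@dataclass
class AuditEvent:
    when: str        # ISO-8601 UTC timestamp
    actor: str       # user or service that looked at the data
    reason: str      # free-text justification supplied by the caller
    masked_pan: str  # the audit log itself never holds the full PAN


def luhn_ok(digits: str) -> bool:
    """Luhn check on a string of digits; rejects typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def authorize(card: CardRecord, amount_cents: int) -> Tuple[str, CardRecord]:
    """Stand-in for the processor call (assumption); returns the approval code
    and a copy of the record with the security code removed."""
    digits = re.sub(r"\D", "", card.pan)
    if not luhn_ok(digits):
        raise ValueError("PAN fails Luhn check")
    approval = "APPROVED-%d" % amount_cents          # constructed placeholder
    scrubbed = CardRecord(pan=card.pan, expiry=card.expiry, security_code=None)
    return approval, scrubbed


class CardVault:
    """Holds stored cards and logs every access to the unmasked number."""

    def __init__(self) -> None:
        self._cards: List[CardRecord] = []
        self._audit: List[AuditEvent] = []

    def store(self, card: CardRecord) -> None:
        if card.security_code is not None:
            raise ValueError("refusing to store a card with its security code")
        self._cards.append(card)

    def reveal(self, index: int, actor: str, reason: str) -> str:
        """Return the full PAN, recording who looked and why."""
        card = self._cards[index]
        self._audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, reason=reason, masked_pan=mask_pan(card.pan)))
        return card.pan

    def audit_trail(self) -> List[AuditEvent]:
        return list(self._audit)


def demo() -> dict:
    """Run the flow on a constructed sample card and return what a test can check."""
    card = CardRecord(pan="4111 1111 1111 1111", expiry="12/29", security_code="123")
    approval, scrubbed = authorize(card, 1999)
    vault = CardVault()
    vault.store(scrubbed)                      # security code already gone
    full = vault.reveal(0, actor="refund-clerk", reason="customer refund")
    return {
        "approval": approval,
        "security_code_after_auth": scrubbed.security_code,
        "masked": mask_pan(full),
        "audit_entries": len(vault.audit_trail()),
        "audit_pan": vault.audit_trail()[0].masked_pan,
    }


if __name__ == "__main__":
    print(demo())
```

The audit record stores only the masked number, so the log itself does not become another place where full card numbers accumulate; `store()` refuses any record that still carries a security code, which turns the "remove after authorization" rule into something the code enforces rather than something an operator has to remember.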
Who can offer more assistance? Your primary assistance should come from your acquiring bank. Word of caution: The new standards may put an enormous strain on the industry’s acquiring banks. However, two of them, First National Merchant Solutions and Litle & Co., seem highly prepared to help their clients through the auditing process.
For example, for its clients Litle & Co. set up a special Web portal that offers more information on PCI standards. “Clients can log on, plug in their external IP addresses, take the questionnaire, and their information is automatically submitted to an auditor who reviews it,” Botelle explains. “We negotiated an inexpensive rate for this service for our clients. Our clients must use this service, so we’ve made it as easy to use as possible for them. And this way, we also know the status [of their PCI compliance].”