This is part 2 in our series about compliance with the PCI Data Security Standard (PCI DSS). The PCI standards are technical and operational requirements, set forth by the PCI Security Standards Council, intended to protect cardholder information. We want to help you understand these specific compliance aspects:
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting
The overall goal of PCI DSS compliance is to protect cardholder information from being stolen and used for identity theft. If cardholder data is stolen from your store or your website it will be your fault, not your website host's, and you could incur fines, penalties, and even termination of your right to accept payment cards.
1. Storing cardholder data on your website
Somewhere, somehow, you need to capture a payment card and process the payment. When you swipe a payment card at the point-of-sale system in the store, the cardholder data is processed and discarded immediately. On a website, the cardholder information needs to be captured and processed somehow.
If you're just starting out with your jewelry e-commerce website you may not want to go through the trouble of setting up automatic website payments. Doing so requires extra monthly fees which might not be worth it if you only have a few online sales.
Until you automate the process you could simply copy credit card information from your website to the payment terminal in your store, but this means you also need to store payment card information inside your website. You could delete the information after you manually process the card, but for some short period of time you still need to store it.
The #1 milestone goal set forth in PCI DSS compliance efforts is to eliminate storage of cardholder information. The Security Standards Council states that "if sensitive authentication data and other cardholder data are not stored, the effects of a [security] compromise will be greatly reduced."
We have to break down that quote because it seems contradictory to the whole idea of PCI compliance in the first place. When your website is compliant with PCI DSS, a hacker shouldn't be able to access the sensitive information... so how could you be "compromised"?
It turns out that a lot of the compliance rules will protect you, the store owner, from unscrupulous employees. You may give employees access to customer cardholder data, and it's those employees who could harm you more easily than any hacker could.
From our point of view, if you control access and employ good security, storing cardholder data is a convenience for repeat customers. Amazon.com saves cardholder data and many websites give the customers a choice to save or not save their payment information.
When you're just starting out with jewelry e-commerce you need to weigh security, customer ease of use, and the time it will take you to manage payment information. Which of these matters most to you will help you decide whether or not to store cardholder data on your website.
These are complicated choices that you need to consider. We're not trying to frighten you away from e-commerce; we just want you to be informed.
Our PCI Compliance discussion will continue tomorrow.