
Q&A Forum

How does your office handle PCI Compliance?

Our association is concerned that we are not PCI compliant. We are currently interviewing new credit card processors. We have been told by some that they handle the compliance through a fee they will charge back to us. I have had another one tell me I did not need to be PCI compliant due to the volume of sales we did on an annual basis, and that the fee we were being quoted is not necessary. We are very confused on this issue. We currently run our sales through PayPal. Needless to say, we are lacking education on this subject and would appreciate any advice.

Answers

Topic Expert
Keith Perry (Consulting CFO and Business Operations Advisor, Growth Accelerator)

Anon,

I'm lost. We take credit cards through PayPal (and other systems; Stripe is a big favorite, Square for in person, etc.).
But we never see the number. That is the problem of the processor. The processor needs to be PCI compliant, as they get that data.

Where I'm lost is, are you actually taking / recording CC data? A call center might have this problem (there are workarounds), but that's the only gap I know of. If you avoid getting the data, you don't need to worry about compliance as it isn't feasible or meaningful in your situation.

Beyond that, using PayPal etc, PCI is not your problem. That's why you pay PayPal.

Cheers,

Keith
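Keith's answer turns on never receiving the card number yourself. One way to check that this is actually true of your own systems, as an added example that is not part of the original post or of any commenter's code: scan application logs, form dumps and support tickets for anything that looks like a primary account number (PAN) and passes the Luhn check, and redact it before it is written. The log lines below are constructed for the example, the function names are my own, and the card numbers are the usual publicly documented test numbers.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check, as used by card brands to validate a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in one line of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Report (line number, masked PAN) for every card number that leaked into a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


def redact(line: str) -> str:
    """Replace Luhn-valid PANs in a line with a masked form; use before writing to a log."""
    def _sub(m: re.Match) -> str:
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


# Constructed sample log: line 1 is what a tokenized integration should look like
# (only a processor token and last four); lines 2 and 3 show card data that
# should never have reached your server; line 4 has long digit runs that are
# not card numbers and must not be flagged.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  checkout ok order=ORD-88213 token=tok_7fD2x last4=4242",
    "2024-05-01T10:00:07Z DEBUG form payload card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01T10:00:09Z WARN  retry failed for 5500-0000-0000-0004",
    "2024-05-01T10:00:12Z INFO  phone callback +1 415 555 0123 ref=1234567890",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN found, masked {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

The Luhn filter removes most order numbers and phone numbers, but it is a sanity check, not proof: roughly one in ten random 16-digit strings passes it, so review hits on long numeric identifiers by hand. A clean scan supports, but does not by itself establish, the claim that card data never enters your environment; a swipe terminal or a call-center script can still hold it, as later answers in this thread point out.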

Janet Langenderfer (Retired)

So much depends upon how many transactions you process per month and what method(s) you use for doing so. Keith is correct that if you are using PayPal then you may be fine. However, not all Square transactions are secure; processors for small businesses vary in the way they handle PCI compliance. There are many variables. It becomes critical to read the contract they provide to you. What does it say about your responsibilities? Standard language that I have read still puts the responsibility on you unless you follow many rules and procedures.

Don't mean to add to your confusion, but even small companies have to protect cardholder information.

Janet

Norman Katz (President, Katzscan, Inc.)

You might find the answers you are looking for by going to the industry organization source and reviewing some of their documentation on the subject, which is divided into categories based on the type of company (i.e., processor versus retailer) you are:
https://www.pcisecuritystandards.org/security_standards/

Topic Expert
Christie Jahn (CFO, Prime Investments & Development)

I would agree with Norman that you really should research the standards for your business. We accept credit cards and can NOT see anything except the last four digits, but we are still responsible for being PCI compliant. We are currently paying a small monthly fee for the credit card processor to take that liability. They ensure through the software that we are compliant, because we are accepting the credit cards and scanning them in our system (even though we can't see any of the data).

Using PayPal the rules may be different; the onus may fall on PayPal and not your company.

Gene Turley (Managing Consultant, CPA Consulting Services LLC)

If you take credit cards it is not an issue of being PCI compliant but of how you verify you are compliant. There are four levels based on number of transactions, dollars, how you take the cards and services provided (i.e., processors like First Data or Authorize.net). Depending on your situation you will need to complete one of the four questionnaires. Again depending on your situation, these questionnaires can be self-assessments or would need to be completed by an outside "approved" vendor.

Marisa Breall (Customer Success Manager, GitHub)

Disclaimer: I work for Recurly, a PCI compliant recurring payment solution. Any merchant or merchant service provider accepting, transmitting, and/or storing cardholder data must be PCI compliant. Your merchant bank account requires your business to be PCI compliant as well. PayPal's PCI compliance can help you reach that standard; here is some information I found to that effect: https://merchant.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=merchant/pci_compliant_solution.

Topic Expert
Wayne Spivak (President & CFO, SBAConsulting.com)

This is a good topic, and I'm sure the "rules" for PCI compliance will change as they figure out what is a prime hackable system and what is not.

Just to keep it straight: if you read or swipe a magnetic tape on a credit card, that info will reside at a minimum in your RAM and might possibly be written to the cache section of your hard drive.

Thus, even though you never see the full number, your device might still keep an image of that info for a period of time in excess of the time it takes you to complete the transaction.
