
Q&A Forum

PCI compliance (payment card industry) guidelines and cost effective compliance?

Tiffany Neely

We are a small manufacturing company with an IT department of one individual. We process credit card payments through a secure gateway and our merchant, First Payment Systems. Because we process using the internet, we're challenged with PCI compliance on our end; once the info reaches the secure gateway it's PCI compliant and stored on their system. While we believe our system is secure and we've passed certain tests, there is an extensive IT survey (25+ pages) to complete. There are items that we don't have in place that would be costly to put in place. We also don't have the manpower resources to implement what's recommended on the survey.

Answers

Frank Anderson
Title: President
Company: Computer Outfitters

Hi, a few questions...are you sure you are "in scope" for PCI? What is your annual credit card volume ($)? Do you have software running on your system that actually captures and stores the credit card information or are you using an internet application to enter and process the cards?

Topic Expert
Shannon Mathews
Title: Controller
Company: Aldrich Services LLP

FYI as of 2012 (2013?) there is not an "in scope" level. Everyone has to be compliant.

Joe Schatz
Title: Director
Company: Medline

Cost of compliance vs. Tokenization project.

We implemented Tokenization to remove the credit card number out of our environment using a PCI certified partner. The standard allows you to rely on a third party's compliance to meet your requirements.

This does not eliminate the compliance effort on your side but changes it from a ball park to a bread basket.

Chuck Boecking
Title: Open Source ERP and Business Intelligence
Company: Chuck Boecking

The easiest way to become PCI compliant (related to credit cards) is to not store credit card details at all. This should help you bypass most of the survey. Most CC processors have a tokenization program to help achieve this ability. Authorize.net's program is called CIM.

Here is an example of how this works:
(1) Let's say you use Magento as a webstore. You install an Authorize.net CIM Magento extension. The extension allows you to capture and store the tokens and not the CC details for each transaction.
(2) If you use an ERP to manage your finances and fulfillment, you will probably want to update it to use the tokens passed from Magento (during order import). Depending on your level of integration, you can issue returns directly from the ERP using the tokens, or you can go back into the webstore to reverse the transaction.

If you do not use a webstore at all, the same process applies to your ERP or accounting system.

If you have questions, you are welcome to call. Much of my work this year has been around updating ERP systems to achieve PCI compliance.

I hope this helps!

On this page, you will find a video tutorial:
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

Chuck Boecking
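The tokenization flow Chuck describes (webstore tokenizes at checkout, ERP keeps only the token and issues returns with it), as an added example that is not part of the original answer. The gateway and vault are a hypothetical stand-in, not Authorize.net's CIM API, and the card number used in the test is a constructed industry test value; the `find_pans` scan shows how to confirm the stored ERP data carries no card number.

```python
import re
import secrets

class MockGateway:
    """Hypothetical stand-in for the PCI-certified gateway (not Authorize.net's
    real CIM API): it holds the card vault and hands back an opaque token."""
    def __init__(self):
        self._vault = {}      # token -> PAN; exists only at the gateway
        self.charges = []     # (txn id, token, amount in cents)

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> str:
        if token not in self._vault:
            raise KeyError("unknown token")
        txn = f"txn_{len(self.charges) + 1}"
        self.charges.append((txn, token, cents))
        return txn

    def refund(self, token: str, cents: int) -> str:
        # A return is issued against the token, so the ERP never needs the PAN.
        return self.charge(token, -cents)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pans(text: str) -> list:
    """Scan stored merchant data for anything that looks like a PAN
    (13-19 digits passing Luhn), the kind of check a compliance scan runs."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def process_order(gateway, order_id: str, pan: str, cents: int) -> dict:
    """Merchant side: the webstore tokenizes at checkout; the ERP record
    imported afterwards carries the token and transaction id, never the PAN."""
    token = gateway.tokenize(pan)
    txn = gateway.charge(token, cents)
    return {"order": order_id, "token": token, "txn": txn, "amount": cents}

def issue_return(gateway, erp_record: dict, cents: int) -> str:
    return gateway.refund(erp_record["token"], cents)
```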

