Skip to main content
close search
site logo
Tiffany Neely's headshot
Tiffany Neely Controller

PCI compliance (payment card industry) guidelines and cost effective compliance?

Asked on May 9, 2013

We are a small manufacturing with an IT dept of one individual. We process credit card payments through a secure gateway and our merchant, First Payment Systems.  Because we process using the internet, we're challenged with PCI compliance on our end, once the info reaches the secure gateway it's PCI compliant and stored on their system.  While we believe our system is secure and we've passed certain tests, there is an extensive IT survey (25+ pages) to complete.  There are items that we don't have in place and would be costly to put in place. We also don't have the manpower resources to implement what's recommended on the survey.

Answers

Frank Anderson's headshot
Frank Anderson President • Sept. 25, 2012

Hi, a few questions...are you sure you are "in scope" for PCI? What is your annual credit card volume ($)? Do you have software running on your system that actually captures and stores the credit card information or are you using an internet application to enter and process the cards?

comment-icon 1
Shannon Mathews's headshot
Shannon Mathews Controller • Sept. 25, 2012

FYI as of 2012 (2013?) there is not an "in scope" level. Everyone has to be compliant.

Joe Schatz's headshot
Joe Schatz Director • Sept. 26, 2012

Cost of compliance vs. Tokenization project.

We implemented Tokenization to remove the credit card number out of our environment using a PCI certified partner. The standard allows you to rely on a third party's compliance to meet your requirements.

This does not eliminate the compliance effort on your side but changes it from a ball park to a bread basket.

Chuck Boecking's headshot
Chuck Boecking Open Source ERP and Business Intelligence • Sept. 26, 2012

The easiest way to become PCI compliant (related to credit cards) is to not store credit card details at all. This should help you bypass most of the survey. Most CC processors have a tokenization program to help achieve this ability. Authorize.net's program is called CIM.

Here is an example of how this works:
(1) let say you use Magento as a webstore. You install an Authorize.net CIM magento extension. The extension allows you to capture and store the tokens and not the CC details for each transaction.
(2) If you use an ERP to manage your finances and fulfillment, you will probably want to update it to use the tokens passed from Magento (during order import). Depending on your level of integration, you can issue return directly from the ERP using the tokens, or you can go back into the webstore to reverse the transaction.

If you do not use a webstore at all, the same process applies to your ERP or accounting system.

If you have questions, you are welcome to call. Much of my work this year has been around updating ERP system to achieve PCI compliance.

I hope this helps!

On this page, you will find a video tutorial:
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

Chuck Boecking

Want to join the conversation? Submit an answer or ask a question by emailing us at [email protected]

Submit an answer
Filed Under: Cash Management
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.