Ah, PCI Compliance. We all know how fun a concept this is, and how much we like to dream about it at night (interspersed with dreams about the tax code and Family Medical Leave Act requirements). What can make PCI Compliance easier to handle so that we don’t make mistakes? Here are a few tips:
“PCI Compliant” – An Overused Term
Some security companies refer to their products and services as “PCI compliant.” That cannot be the case: a company can be PCI compliant, but no product or service is compliant by itself, and there is no one-size-fits-all solution for PCI-DSS.
Compliance is not a property of any one solution. Rather, it is assessed in the context of your whole network. Ensure the PCI tool you use fits the particular requirements of your system (especially your technological system, but, for the sake of taste, your digestive system as well).
Segregation – A Wise Idea
The best way to maintain PCI compliance might be to keep your payment processing segregated from your business’s general network, so that the rest of the network never touches cardholder data and stays out of scope. You may want to put one individual in charge of the payment processing piece of the network to keep everything properly segregated.
Choosing a PCI Compliance Partner
Picking out a good partner to maintain your PCI compliance is similar to picking out a square dance partner at a hoedown: it requires careful research. Looking at multiple possible providers will give you a sense not only of fair market pricing but also of the standard features of various services. Also be sure to look at reviews to ensure there aren’t too many horror stories.
Are You Responsible?
The short answer is yes. A merchant is held responsible for all sensitive information, whether it is processed by an outside party or not. This means you need to know exactly what the company you are hiring is doing, so that you know exactly what you yourself still need to do and no loose ends remain. Of course all this must be in writing (just as when the marriage documents are signed during a shotgun wedding).
Maintaining PCI compliance is not all that difficult. You do not need a high-level security professional on staff to handle this aspect of your business. What you do need is a reasonable idea of what PCI is, because without this knowledge you will not be able to properly filter your options and choose a reliable product or service that helps you comply with PCI-DSS standards.
by Kent Roberts and Richard Norwood