PCI Security: Small E-tailers Face Large Fines if Hacked

Tough PCI reglations go into effect on October 1, but off-site credit card processing can help ease the pain of compliance. Here's what you need to know.

Many small online merchants don’t understand much about the powerful technology behind their e-commerce store or how vulnerable this technology is to being hacked. We rarely read about a small merchant's computer system being broken into, because the large ones are so much more spectacular. But some security experts now say it's not a question of if you will be hacked, it's when.

The Pain of Non-compliance

Small merchants with on-site credit card processing who are hacked and have not put PCI standards in place can be fined $20 to $30 for each stolen card number (up to $500,000). If the breach is large, they may also be required to undergo a forensic audit (the cost of which starts at $10,000), be subject to more stringent standards than other stores of their size and may be sued. In addition to the horrors of dealing with the original breach, this is enough to effectively wipe out any small merchant.

By using off-site credit card processing, small merchants may avoid many of the hassles and security risks of on-site processing, because the merchant never touches the credit card information.

A Little Background Info

PCI (Payment Card Industry) Data Security Standards (DSS) are designed to be a baseline minimum standard for credit card security. The standard emerged in 2004 when five separate programs — Visa, Mastercard, Discover, American Express and JCB — were combined into a single standard. The group first turned its attention to large retailers processing many millions of transactions per year, dubbed Level 1 to Level 3 retailers.

Small Merchants Now in the Spotlight

Last year the standards council began addressing the Level 4 Merchants who represent the vast majority of online payment transactions. If your online store falls into this group, at a minimum you will be required to complete an annual PCI Self-Assessment Questionnaire and a quarterly network scan.

Level 4 small merchants are defined as those with fewer than 20,000 Visa transactions, and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category.

Beginning October 1, 2009, credit card processors and their agents who accept Visa will begin de-certifying all vulnerable payment applications. This means many small merchants will suddenly receive notices that they can no longer accept credit cards unless they have begun steps toward PCI security compliance. The de-certifications must be completed within one year. The time to take action is now, before your store is de-certified.

What is PCI DSS?

The PCI DSS or Payment Card Industry Data Security Standard is a security process to help you identify all parts of your business that are vulnerable to theft. This ranges from how you dispose of and retain paper records, how your network is set up, and how you transmit and store credit card and other personally identifiable information online.

The easiest way for small businesses to begin compliance is to switch to an off-site, third-party credit card processor and to store no personally identifiable information on your Web site.

Short-form Compliance for Small Businesses with Off-site Processing

In an off-site, third-party credit card processor scenario, your customers temporarily leave your Web site, enter their credit card information on the processor's site, and then automatically return to your online store afterward to complete the non-financial portion of the transaction. Third-party credit card processor companies include 2CheckOut, PayPal and the recent entrant, CRE Secure by the open source e-commerce maker CRE Loaded.

This group of businesses is required to complete a short, 11-question Self-Assessment Questionnaire A. This can be completed in about five minutes.

Questionnaire A is for merchants who do not store, process or transmit financial information on their premises. The risk of losing customer financial data on your Web site with this group is zero because you do not maintain that info, but the short questionnaire and affidavit is a formality that must be completed each year for record-keeping purposes. You must still maintain good practices with paper and other records.

Merchants who fall into this category also may or may not be required to do a quarterly PCI scan of their system, depending on their credit card processor.

Stiff Requirements for On-site Credit-Card Processing

For merchants who continue to use on-site credit card processing, the requirements are similar, but they must answer 195 additional questions on Questionnaire C or D each year, and begin quarterly or monthly security scans of their online store. They must also take active steps to fix any areas that are found to not be in compliance and specify dates by which their stores will be in compliance.

Questionnaire C is for merchants who use a Point-of-Sale terminal connected to the Internet with a program such as Quickbooks POS. Most of these are small retailers with a bricks and mortar storefront in addition to their online store. Questionnaire D is for everyone else.

These lengthy self-assessment questionnaires cover 12 security steps in great detail, including:

  • Firewall password settings
  • Use of secure encryption
  • Quarterly scanning of wireless networks
  • Anti-virus, anti-spyware and anti-adware programs
  • Creation of a company Information Security Policy for employees and contractors
  • Shredding, cross-cutting or pulping of paper documents that contain credit card information

If any item on your questionnaire is not in compliance, you must specify a date that you expect to be in compliance, and explain what actions you plan to take to achieve compliance.


Comment and Contribute
* Required Field
Your email address will not be published


Note: No advertising, no spam, no keyword in name/nickname field. Thank you!

Free Resources

Subscribe To Our Daily Newsletter