So now that you have decided to get involved online, you may come across a situation where you feel it is necessary to hold onto your customers' credit card information. While I would highly recommend that you do not do this unless it is absolutely necessary, I understand that there may be times when it is needed, depending on what type of business model you are running.

The reason I discourage you from doing this is that the major credit card brands have established what is called PCI compliance. PCI is short for Payment Card Industry, and the rules are set out in the PCI Data Security Standard (PCI DSS). This is basically an agreement that if you accept their cards and hold onto cardholder information, you are responsible for keeping it secure. If it leaks out, the credit card companies can come to you for reimbursement of the fraudulent charges on those cards if they find that you were not handling the information properly. With that said, the rules give them plenty of grounds to hold a company liable once its systems have been hacked to gain access to that information. Below are several things that you are required to do to make yourself PCI compliant.

#1: You are required to keep a secure network.
This is generally done anyhow, but smaller businesses frequently overlook it. For example, you are not allowed to simply keep the information in an Excel file on your personal computer that is not secured behind a firewall and other protective measures. When you keep this information on a computer that is connected to the internet with no security measures in place, you risk having that computer hacked and the information stolen. You then become the source of the problem and could be liable for fraudulent charges to those credit cards.

#2: You have an obligation to protect the information.
Let us say that you are on a network that is secure from outside sources, but every employee of your company can reach the data. This is generally considered to be non-compliant. The information should only be available to people who actually need access to it, and it should be strictly withheld from your other employees if you have any.

This goes a step further for online transactions. When you accept a credit card, all of that information needs to be encrypted while it travels to your server and while the server is processing it. The original rule of thumb was a 128-bit SSL certificate at minimum; the standard calls this strong cryptography, and in practice it means TLS with at least 128-bit keys. The old SSL protocol and early TLS versions are no longer acceptable, so use TLS 1.2 or later.

#3: There must be a vulnerability management program
This primarily relates to keeping everything up to date. Unfortunately, there are plenty of people out there who enjoy working their way around firewalls and anti-virus protection. To counter this, your anti-virus software must receive regular signature updates so that it recognises the newest threats. The sad part is that this is an ongoing battle, and you will need to keep all of your other software up to date as well: the operating system, the web server, and any application that touches card data. You must regularly apply vendor security patches to keep new malware from infecting your computer and leaking important data.

#4: Monitoring the Network and Information is a requirement
You are not allowed to simply set it up and forget about it. You are required to regularly monitor access to this information. Each person who accesses the information must have a unique identifier that they log in with; shared or generic accounts make the access trail meaningless. You need to log and review who accessed the information, at what time, from where, and what they did with it. This can be rather complicated, especially if you have multiple people with access to the data. This monitoring is also used to track those who are not associated with your business and have malicious intentions; you might be able to catch this type of activity before it becomes a huge problem.

#5: You must maintain a security policy
When you have hired employees, you must make them aware of, and have them sign, a security policy that states the importance of keeping this information secure. This is particularly necessary if they are going to be handling the credit card information. They should know and understand what type of responsibility they have to keep the cardholder information secure.
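As an added example (not from the original article), here is a small Python script that finds stray card numbers in a text file such as the spreadsheet described under #1. A regular expression picks out runs of 13 to 19 digits, the Luhn check digit test discards most numbers that are not card numbers (order IDs, phone numbers, mistyped entries), and every hit is reported masked so that the scan itself does not copy full card numbers around. The file contents and the customer names are constructed for this example; the two valid card numbers are widely published test numbers, not real cards.

```python
import re

# Constructed sample: a "customers.csv" of the kind the article warns against.
# Line 4 fails the Luhn check and so does the 14-digit order number on line 3,
# so neither is reported; only the two test card numbers on lines 2 and 3 are.
SAMPLE_CSV = """\
name,card,phone,notes
Alice Example,4111 1111 1111 1111,555-0100,paid in full
Bob Example,4012-8888-8888-1881,555-0199,order 20240101123456
Carol Example,4111111111111112,555-0142,card number mistyped
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (mod 10) check used by payment card numbers: True if the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first six and last four digits (the classic PCI DSS display mask)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text):
    """Return (line_number, masked_pan) for every Luhn-valid card number candidate."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_text(SAMPLE_CSV):
        print(f"line {n}: possible card number {masked}")
```

Run it against exported spreadsheets, mailbox archives and log directories on any machine that has ever handled orders; a Luhn match is not proof of a card number, but every hit is worth a look, and the right outcome for a file like this is to delete it rather than to secure it.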
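For the monitoring requirement in #4, here is an added Python example (not part of the original article) that reviews an access log for the conditions the text describes: a shared or generic login instead of a unique user ID, a user who is not on the list of people who need the data, access at an unusual hour or from outside the office network, and bulk exports. The log lines, the log format, the authorised-user list, the office subnet and the working hours are all constructed assumptions for this example, not the output or policy of any real product.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample audit log. The line format is an assumption made for this
# example; a real system would write its own, but the fields you need are the
# same: who, when, from where, and what they did.
SAMPLE_LOG = """\
2024-03-04T09:12:33Z user=alice action=view record=cust-1182 src=10.0.1.15
2024-03-04T23:41:07Z user=alice action=export record=all src=203.0.113.9
2024-03-04T10:05:50Z user=admin action=view record=cust-2044 src=10.0.1.20
2024-03-04T11:30:12Z user=dave action=view record=cust-0017 src=10.0.1.31
2024-03-04T14:02:09Z user=bob action=view record=cust-0933 src=10.0.1.22
"""

# Policy inputs, assumed for the example: who may touch cardholder data, which
# account names are shared or generic (and so violate the unique-ID rule), the
# office network, and normal working hours in UTC.
AUTHORIZED = {"alice", "bob"}
SHARED_ACCOUNTS = {"admin", "root", "shared", "guest"}
OFFICE_NET = ipaddress.ip_network("10.0.1.0/24")
WORK_HOURS = range(8, 18)  # 08:00 to 17:59 UTC

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def check_event(ev):
    """Return the list of policy findings for one parsed event (empty if it is clean)."""
    reasons = []
    if ev["user"] in SHARED_ACCOUNTS:
        reasons.append("shared account, no unique user ID")
    elif ev["user"] not in AUTHORIZED:
        reasons.append("user not authorized for cardholder data")
    if ev["ts"].hour not in WORK_HOURS:
        reasons.append("access outside working hours")
    if ipaddress.ip_address(ev["src"]) not in OFFICE_NET:
        reasons.append("source outside office network")
    if ev["action"] == "export":
        reasons.append("bulk export of cardholder data")
    return reasons


def review_log(text):
    """Return (line_number, reasons) for every line that needs a human to look at it."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append((n, ["unparseable log line"]))
            continue
        reasons = check_event(ev)
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in review_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

The point of the rules is that each one only works because of something the article already demands: the shared-account and unauthorised-user checks need unique logins and a need-to-know list, and the off-hours and off-network checks need the time and source recorded on every access. Run a review like this daily and keep the log itself where the people being reviewed cannot edit it.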