Our association is concerned we are not PCI compliant. We are currently interviewing new credit card processors. We have been told by some they handle the compliance through a fee they will charge back to us. I have had another one tell me I did not need to be PCI compliant due to the volume of sales we did on an annual basis & the fee we were being quoted is not necessary. We are very confused on this issue. We currently run our sales through PayPal. Needless to say, lacking
How does your office handle PCI Compliance?
Answers
Anon,
I'm lost. We take credit cards... through PayPal (and other systems, Stripe being a big favorite, Square for in person, etc.).
But we never see the number. That is the problem of the processor. The processor needs to be PCI compliant, as they get that data.
Where I'm lost is, are you actually taking / recording CC data? A call center might have this problem (there are workarounds), but that's the only gap I know of. If you avoid getting the data, you don't need to worry about compliance as it isn't feasible or meaningful in your situation.
Beyond that, using PayPal etc, PCI is not your problem. That's why you pay PayPal.
Cheers,
Keith
So much depends upon how many transactions you process per month and what method(s) you use for doing so. Keith is correct that if you are using PayPal then you may be fine. However, not all Square transactions are secure; processors for small businesses vary in the way they handle PCI Compliance. There are many variables. It becomes critical to read the contract they provide to you. What does it say about your responsibilities? Standard language that I have read still puts the responsibility on you unless you follow many rules and procedures.
Don't mean to add to your confusion, but even small companies have to protect cardholder information.
Janet
You might find the answers you are looking for by going to the industry organization source and reviewing some of their documentation on the subject, which is divided into categories based on the type of company (i.e. processor versus retailer) you are:
https://www.pcisecuritystandards.org/security_standards/
I would agree with Norman that you really should research the standards for your business. We accept credit cards and can NOT see anything except the last 4 digits, but we are still responsible for being PCI Compliant. We are currently paying a small monthly fee for the credit card processor to take that liability. They ensure through the software that we are compliant because we are accepting the credit cards and scanning them in our system (even though we can't see any of the data).
Using PayPal the rules may be different; the onus may fall on PayPal and not your company.
If you take credit cards it is not an issue of being PCI compliant but how you verify you are compliant. There are 4 levels based on number of transactions, dollars, how you take the cards and services provided (i.e. processors like First Data or Authorize.net). Depending on your situation you will need to complete one of the 4 questionnaires. Again depending on your situation, these questionnaires can be self-assessments or would need to be completed by an outside "approved" vendor.
Disclaimer: I work for Recurly, a PCI compliant recurring payment solution. Any merchant or service merchant provider accepting, transmitting, and/or storing cardholder data must be PCI compliant. Your merchant bank account requires your business to be PCI Compliant as well. PayPal's PCI compliance can help you reach that standard -- here is some information I found to that extent: https://merchant.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=merchant/pci_compliant_solution.
This is a good topic and I'm sure the "rules" for PCI compliance will change as they figure out what is a prime hackable system and what is not.
Just to keep it straight, if you read or swipe a magnetic tape on a credit card, that info will reside at a minimum in your RAM and might possibly be written to your cache section on your hard drive.
Thus, even though you never see the full number, your device might still keep an image of that info for a period of time in excess of the time it takes you to complete the transaction.
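Two points raised in the thread, the "we only ever see the last 4 digits" handling and the worry that a swiped number lingers in memory or in logs, are easier to reason about with a concrete snippet. The following is an added example and is not code from any poster, from PayPal, Square, Recurly or any other processor; the card number is the widely published 4111... test number, the `tokenize` function is a hypothetical stand-in for a real processor SDK call, and the log-line check uses a Luhn filter so that order numbers and similar digit runs are not flagged as card numbers.

```python
"""Added example (not from the thread): mask a PAN to its last four digits,
hand the full number to a (hypothetical) processor tokenizer, then overwrite
the buffer that held it, and screen receipt/log text for a leaked full PAN."""
import hashlib
import re

# Constructed sample input: a standard published test card number, stored in a
# mutable bytearray so it can be overwritten in place once it is no longer needed.
SAMPLE_PAN = bytearray(b"4111111111111111")

# Hypothetical salt; a real processor returns a token from its own vault.
_CONSTRUCTED_SALT = b"constructed-salt:"


def mask_pan(pan: bytearray) -> str:
    """Display form a clerk may see: only the last four digits are copied out."""
    return "*" * (len(pan) - 4) + pan[-4:].decode("ascii")


def tokenize(pan: bytearray) -> str:
    """Hypothetical processor call. hashlib reads the buffer directly, so no
    extra Python-level copy of the full number is made here."""
    h = hashlib.sha256(_CONSTRUCTED_SALT)
    h.update(pan)
    return "tok_" + h.hexdigest()[:16]


def scrub(buf: bytearray) -> None:
    """Overwrite the buffer in place so this copy of the PAN does not sit in RAM
    after the transaction. Python cannot promise no other copy exists (the
    interpreter may have made one), which is exactly why the page's advice is
    to not hold card data at all if you can avoid it."""
    for i in range(len(buf)):
        buf[i] = 0


def luhn_ok(digits: str) -> bool:
    """Luhn check: the checksum every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def contains_full_pan(text: str) -> bool:
    """True if a receipt or log line carries a digit run that looks like a real
    card number (13-19 digits that pass Luhn). Run this before writing text to
    any log or cache that you are not prepared to treat as cardholder data."""
    return any(luhn_ok(m.group(0)) for m in _DIGIT_RUN.finditer(text))


def process_swipe(pan: bytearray) -> dict:
    """Full flow: tokenize, build the masked display form, scrub, then confirm the
    text that leaves this function carries no full PAN."""
    token = tokenize(pan)
    masked = mask_pan(pan)
    scrub(pan)
    receipt = f"card {masked} token {token}"
    return {
        "token": token,
        "masked": masked,
        "receipt": receipt,
        "buffer_cleared": all(b == 0 for b in pan),
        "receipt_leaks_pan": contains_full_pan(receipt),
    }


if __name__ == "__main__":
    print(process_swipe(bytearray(SAMPLE_PAN)))
```

The `receipt_leaks_pan` field is the check a practitioner wants on every log sink: the masked form and the token never trip it, while a raw swipe written to a debug log would.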