We are a small manufacturing company with an IT dept of one individual. We process credit card payments through a secure gateway and our merchant, First Payment Systems. Because we process using the internet, we're challenged with PCI compliance on our end; once the info reaches the secure gateway it's PCI compliant and stored on their system. While we believe our system is secure and we've passed certain tests, there is an extensive IT survey (25+ pages) to complete. There are items that we don't have in place and that would be costly to put in place. We also don't have the manpower resources to implement what's recommended on the survey.
PCI compliance (payment card industry) guidelines and cost effective compliance?
Answers
Hi, a few questions... Are you sure you are "in scope" for PCI? What is your annual credit card volume ($)? Do you have software running on your system that actually captures and stores the credit card information, or are you using an internet application to enter and process the cards?
FYI as of 2012 (2013?) there is not an "in scope" level. Everyone has to be compliant.
Cost of compliance vs. Tokenization project.
We implemented Tokenization to remove the credit card number out of our environment using a PCI certified partner. The standard allows you to rely on a third party's compliance to meet your requirements.
This does not eliminate the compliance effort on your side, but changes it from a ballpark to a bread basket.
The easiest way to become PCI compliant (related to credit cards) is to not store credit card details at all. This should help you bypass most of the survey. Most CC processors have a tokenization program to help achieve this ability. Authorize.net's program is called CIM.
Here is an example of how this works:
(1) Let's say you use Magento as a webstore. You install an Authorize.net CIM Magento extension. The extension allows you to capture and store the tokens, and not the CC details, for each transaction.
(2) If you use an ERP to manage your finances and fulfillment, you will probably want to update it to use the tokens passed from Magento (during order import). Depending on your level of integration, you can issue returns directly from the ERP using the tokens, or you can go back into the webstore to reverse the transaction.
If you do not use a webstore at all, the same process applies to your ERP or
If you have questions, you are welcome to call. Much of my work this year has been around updating ERP systems to achieve PCI compliance.
I hope this helps!
On this page, you will find a video tutorial:
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/
Chuck Boecking
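The token flow from the answer above, as an added illustration that is not the answerer's code and not the Authorize.net CIM API: a constructed stand-in vault plays the PCI-certified partner, the merchant side keeps only a token and the last four digits, the ERP refunds by token, and a Luhn-checked scan over exported merchant records is the check that no card numbers actually remain in your environment (the Luhn routine, regex and all names here are the example's own).

```python
import re
import secrets
from dataclasses import dataclass

class TokenVault:  # constructed stand-in for the PCI-certified partner: the only place a full PAN exists
    def __init__(self):
        self._cards = {}  # token -> card data, held by the partner, never by the merchant
    def tokenize(self, pan, expiry):
        token = "tok_" + secrets.token_urlsafe(12)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:]}  # merchant receives only display-safe fields
    def _op(self, kind, token, amount):
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"status": kind, "last4": self._cards[token]["pan"][-4:], "amount": amount}
    def charge(self, token, amount):
        return self._op("approved", token, amount)
    def refund(self, token, amount):
        return self._op("refunded", token, amount)

@dataclass
class MerchantOrder:  # what the webstore and ERP keep: token, last four, amount; never the PAN
    order_id: str
    token: str
    last4: str
    amount: float
    def record(self):  # the line as it would sit in the ERP order table or an export
        return f"{self.order_id} {self.token} ****{self.last4} {self.amount:.2f}"

def place_order(vault, order_id, pan, expiry, amount):
    ref = vault.tokenize(pan, expiry)  # PAN goes to the partner once; a token comes back
    order = MerchantOrder(order_id, ref["token"], ref["last4"], amount)
    vault.charge(order.token, amount)
    return order
def refund_from_erp(vault, order, amount):  # return issued from the ERP with the token only (step 2)
    return vault.refund(order.token, amount)
def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
def scan_for_pans(records):  # Luhn-valid card numbers in merchant records; empty list = PANs kept out
    digits = (re.sub(r"\D", "", m.group()) for text in records for m in PAN_RE.finditer(text))
    return [d for d in digits if luhn_ok(d)]
```

Run `scan_for_pans` over an export of the tables the survey asks about (orders, customer notes, email logs); any hit means card data is still inside your scope, whatever the gateway stores on its side.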