Keep Your Stuff Safe: What Every Church Needs To Know About Safe & Secure Commerce (Part 3 Of 3)

Posted at December 1, 2011
Earlier in our series, we talked about SSL and payment processors. Let’s wrap up this series by talking about PCI compliance. Several years ago the major credit card providers (Visa, MasterCard, Amex, Discover, etc.) got together to address and regulate how credit card information should be handled. Remember our grocery store example? Too many merchants were driving to the grocery store with YOUR credit card information painted on the side of their car! I say this in jest of course, but it isn’t far from the truth.
PCI regulations change continually, but there are some basic things of which you should be aware.
- You are a merchant. If you accept money on your Website, this means you.
- As a merchant, you will be asked to attest to how you handle customer/donor information, both on your website and internally in your organization. This is like a police officer stopping you on the way to the grocery store to make sure you have your seat belt on, your card in your wallet, and the wallet in the glove box. Of course, a police officer wouldn’t stop you just to check these things while you were sitting at a red light. But since you agreed to abide by the credit card companies’ rules when you signed up as a merchant, you don’t have a lot of say in the matter. The types of questions you’ll be asked are similar to: Do you write credit card information down on paper? If you do, is it kept in a locked file cabinet? When someone unlocks the file cabinet, do you record who unlocked it, when it was unlocked, and when it was returned and relocked? When you no longer need the paper, is it shredded?
- Your website will require a vulnerability scan by a third-party auditing firm. This scan deliberately probes for potential vulnerabilities in your website or the server hosting it. In many cases, the website and server will not pass the scan on the first try, so you should expect to communicate back and forth with your web host to secure and mitigate those vulnerabilities. Your web host should take this process seriously and address the findings in a reasonable time. Also remember that mitigating a vulnerability properly can take time, because a hasty fix can expose other vulnerabilities. Be patient with your vendor. You hired them for their expertise, so let them be experts!
PCI compliance is a relatively new requirement in the website industry. Just a few years ago, the only merchants required to comply were those doing millions of dollars in transactions a month. Now even the smallest merchant is required to conform to some level of PCI compliance. If you don’t comply, you could be heavily fined by the credit card companies based on the number of fraudulent transactions. For many smaller merchants, the fine for even one fraudulent transaction could put them out of business.
If you’d like more information on PCI compliance, visit the PCI website at https://www.pcisecuritystandards.org/, leave us a comment, contact our care team, or contact the technical support team for your merchant provider.
By Chuck Boyer
Director of Development & Production