Nate Solloway, Raffa Technology
Are you having issues with passing PCI Compliance? Every year, more of our clients are required to pass PCI Compliance checks as a part of the day-to-day business of taking credit cards for merchandise at events. The certification process can be intimidating, but we have some secrets to making the process easier for you and your staff.
PCI checkups are generally carried out by a third party who works for insurance companies and not for you. They will have online tools for filling out their version of the Self-Assessment Questionnaire (SAQ), which determines how deeply they need to scan your network and/or website to certify that you pass their tests. Expect to answer questions such as:
- How do members/constituents/customers use their credit cards with our services?
- Do credit card numbers ever pass through our servers or are they directly handled by our staff members?
A goal of easy PCI Compliance would be to minimize direct contact with credit card numbers at every step of the way. The more you can move away from handling or storing credit card information, the better off you are. Remember, having credit card numbers written down in any form places a burden on you to protect that data in order to be compliant. Safeguards can cost time and money. It’s better to never handle the numbers in the first place.
The following are some credit card processing scenarios and their related risks:
Scenario #1: Third-Party Processing
In this miraculous age of the internet, there is no shortage of third-party providers that will seamlessly work with your existing website and process credit cards for you. When a purchase or donation is made on your website, the customer is temporarily sent to another portal where their credit card is securely processed and you get the money in a timely fashion with a small percentage taken by the processor.
With third-party processing, you quickly pass your PCI Compliance checkup because all the risk of managing the credit card numbers is handled by someone else. You can safely fill out the SAQ version A which is the simplest of the questionnaires and easiest to pass.
Scenario #2: Secure Processing with a Terminal
We still have some organizations that must process a few transactions directly. If your organization has customers who still insist on giving you credit card numbers to process, never take them via email. Email is not a secure medium for transmitting or storing credit card data, and you may not pass your PCI Compliance tests if this information is found on your systems.
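As an added example (not part of the original article), the following Python script does the kind of check that finds emailed or written-down card numbers on your own systems before an assessor's scan does: it looks for digit runs of card-number length, confirms them with the Luhn check digit so phone numbers and invoice numbers are not reported, and records only a masked form of each hit. The document paths and contents are constructed for this example (the card numbers are the standard 4111... and 5555... test values), and the names `PAN_PATTERN`, `find_pans`, `scan_documents` and `scan_files` are chosen here, not taken from any product.

```python
import re
from pathlib import Path

# Candidate card number: 13 to 19 digits, optionally separated by spaces or
# dashes, not immediately preceded or followed by another digit.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the unmasked card numbers found in text (digits only)."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Luhn filters out invoice/phone-style numbers; the set() test drops
        # runs like 0000000000000000, which pass Luhn but are not real cards.
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_documents(docs: dict) -> dict:
    """Scan in-memory documents {name: text}; return {name: [masked hits]}."""
    findings = {}
    for name, text in docs.items():
        pans = find_pans(text)
        if pans:
            findings[name] = [mask(p) for p in pans]
    return findings


def scan_files(paths) -> dict:
    """Same check over files on disk (unreadable files are skipped)."""
    docs = {}
    for p in paths:
        try:
            docs[str(p)] = Path(p).read_text(errors="ignore")
        except OSError:
            continue
    return scan_documents(docs)


# Constructed sample documents standing in for a mailbox and a shared folder.
SAMPLE_DOCUMENTS = {
    "inbox/order-0412.eml": "Hi, please charge 4111 1111 1111 1111 exp 09/27 for two tickets. Thanks!",
    "shared/phone-list.txt": "Front desk: 555-123-4567\nInvoice #100200300400500",
    "shared/card-on-file.txt": "Card on file 5555555555554444",
    "notes/draft.txt": "Typo'd number 4111111111111112 fails Luhn and is not reported",
}

if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against the sample documents and it reports the emailed order and the "card on file" note, and nothing else; pointed at exported mailboxes or shared drives with `scan_files`, it gives you a list of places to clean up under the shredding-and-disposal policy described below.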
A credit card processing terminal with its own cellular connection will keep credit card data secure. Only take credit card numbers in person or over the phone. If, for some reason, these numbers are written down by a staff member, you should have written policies on safely shredding and disposing of those documents as soon as the card is processed.
With this method, credit card numbers never pass through your network and you will be able to complete SAQ version B.
Scenario #3: Processing on a Computer
Sometimes, despite your best efforts, customers insist on calling you with credit card numbers. Our clients want to know: if staff go directly to a third-party website for processing, are they PCI Compliant?
We see this scenario over and over again at client sites. Some internal process requires that a credit card be processed by a staff member using a network computer.
Raffa recommends avoiding this scenario if at all possible.
In this scenario, you now fall under SAQ version C, which puts your processes and internal network under the direct scrutiny of third-party tests. The outside of your network will be scanned for any potential security issues. Any outward-facing servers or network firewalls will have to pass PCI Compliance testing, and you may incur costs with your IT contractors to resolve these issues even if they turn out to be false positives from the third-party testers.
The computer that the credit card numbers are typed into will be scanned quarterly by third-party software, as will every computer on the same network, including servers. If any one of these computers fails a PCI Compliance test, the whole network fails and you will not be certified.
If you must process credit cards in this way, ask your IT support to set up a dedicated computer and network connection. Your IT team can take an old laptop and give it a dedicated network port with its own connection to the internet on your firewall, isolated from the rest of your network. Then only one internal device will be regularly scanned for PCI Compliance, though you will still be subject to the external scans.
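As an added example (not part of the original article), here is a small Python check your IT team can run from the dedicated payment laptop to confirm that the isolation described above actually holds: it attempts a plain TCP connection to each of the office hosts that machine is supposed to be cut off from and reports any that answer. The addresses in `OFFICE_HOSTS` are constructed placeholders, and `is_reachable`, `check_segmentation` and `start_local_listener` are names chosen here; the listener helper exists only so the check can be demonstrated against a loopback port without a real office network.

```python
import socket

# Hosts on the general office network that the dedicated payment machine must
# NOT be able to reach. Constructed placeholder addresses; replace with your
# own file server, remote-desktop host, management host, and so on.
OFFICE_HOSTS = [
    ("10.0.1.10", 445),   # file server (SMB)
    ("10.0.1.20", 3389),  # remote desktop host
    ("10.0.1.30", 22),    # management host (SSH)
]


def is_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unroutable, filtered, or timed out: all count as unreachable.
        return False


def check_segmentation(targets, timeout: float = 1.0) -> list:
    """Return the (host, port) pairs that ARE reachable.

    Run from the payment machine, every entry in the result is a hole in the
    segmentation that would pull that host back into PCI scope.
    """
    return [(h, p) for h, p in targets if is_reachable(h, p, timeout)]


def start_local_listener():
    """Open a loopback TCP listener on an ephemeral port.

    Stands in for a reachable office host so the check can be demonstrated
    on one machine; returns (server_socket, port). Close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Pick a loopback port that nothing is listening on (stands in for an isolated host)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    violations = check_segmentation(OFFICE_HOSTS)
    if violations:
        print("Segmentation FAILED; reachable from the payment machine:")
        for host, port in violations:
            print(f"  {host}:{port}")
    else:
        print("Segmentation OK: none of the office hosts are reachable.")
```

An empty result means the firewall rule that isolates the dedicated port is doing its job; anything listed is a host that the quarterly scans would treat as part of the cardholder environment, so it is worth re-running this after any firewall change.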
Privacy and Beyond
Credit card numbers are just one piece of the privacy puzzle. Regularly auditing what health care, employment or other private information is stored on your network will better prepare you to protect against unintentional leaks. Data privacy is becoming more important to your customers, employees, regulators and constituents.