Back when I did my first startup, we were pretty hardcore about data privacy. We had an overpriced SSL certificate, we encrypted credit cards and other customer data, encoded our PHP code with Zend Encoder, and disallowed SSH connections except from specific IPs. We were in charge of security.
Nowadays, PCI Compliance is the boss. If you store or transmit credit card information in your organization or site, you will have to conform to the PCI DSS rules in order to do business.
The PCI DSS (Payment Card Industry Data Security Standard) program was created by the major credit card companies to reduce credit card fraud and enforce a standard level of security.
Why should I care?
Because if you don't get compliant they won't do business with you, and you won't be able to accept credit cards anymore.
From the PCI site:
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.
What are my choices?
If you need to handle, store, or transmit credit cards, like many businesses that handle sales over the phone or operate an online store, then follow the PCI guidelines. Here's the PCI Quick Reference Guide.
On the other hand, if you don't mind using a third party payment processor, you can let them go through the PCI compliance and just use their service. Here are a few:
- Amazon Payments
- Google Checkout
I've only used the top two. I'll be checking out the rest in order to improve payment options. Be looking for that later, and if you end up using a good payments provider (one-time and recurring payments) let me know in a comment below.
Update (Nov. 6th, 2011): I'm working on a comparison of most the above from the viewpoint of a bootstrapped company. Will post link here when done.
I have to do the PCI thing. How do I do it?
The good news is that the PCI SSC does not consider all organizations the same, so how deep your responsibilities run (your validation level) depends on the number of your transactions annually. To determine your validation level, read this brief Q & A.
Since many new startups will be in Level 4 for quite a while, I included this brief info about Level 4. Level 4, which is defined as performing less than 20,000 transactions per year, must:
- complete an annual Self-Assessment Questionnaire (SAQ),
- pass a quarterly vulnerability scan on your website and other public computers, and
- complete an Attestation of Compliance.
The SAQ is long and thorough, but does help you to identify where your organization may be lacking.
The security scans can be a little expensive and in some cases could bring your server to its knees since it scans for thousands of known vulnerabilities. Many services bill on a yearly basis. Here's a list of the approved scanning vendors.
My recommendation is to outsource your payment processing, as mentioned above, although that option doesn't fit all businesses. PCI Compliance can be a pain, especially for large organizations. If you need to get PCI compliant, don't try to fly under the radar, it's not worth it.
If anything above is incorrect, please comment below and I'll post an update.
Next post: finding a startup co-founder