For many small businesses, the PCI security requirements mandated by the major credit-card brands (Visa, MasterCard, Discover, American Express, and others) are overwhelming and confusing. The requirements cannot be ignored, because failure to comply can lead to having your card-processing privileges revoked, and for many businesses, credit-card transactions are intrinsically linked to the revenue stream.
The key to handling PCI and other security issues cheaply and efficiently is not to set out to conquer problems but to avoid problems where you can so you don’t have to waste time trying to overcome them. Here are some suggestions for avoiding PCI and related security problems:
1. Limit the scope. PCI is only concerned about computers, people, and systems that might deal with cardholder data such as credit-card numbers. If you separate your world into an "affected by PCI" zone and a "not affected by PCI" zone, you can simplify your life dramatically by keeping the PCI zone small and simple.
2. Don’t store cardholder data unless you absolutely have to. The single biggest and messiest area of PCI has to do with any cardholder records that you store electronically. The best and cheapest answer is simply not to keep any such records: then you get an automatic pass on lots of very tough questions, and your business is significantly safer.
3. Don’t use unnecessary technology. Every new piece of technology you introduce into the PCI zone makes your life more complicated and risky. For example, wireless computer networking is convenient for many people, but if you use it in a way that overlaps with PCI, you have to worry about a number of highly technical questions about encryption, device configuration, key management, and so on.
4. No silver bullets. Many products can help you, but don’t get fooled into believing that there’s a "silver bullet" that will kill all your problems.
5. It never goes away. Unfortunately, security is like physical fitness: You have to keep working on it all the time, rather than just doing a special project once a year and then forgetting about it until next year.
Dr. Tim Cranny
Salt Lake City