If You’re an SMB Dealing with PCI, just GTFO
  • 4 min Read

When it comes to acronyms that strike fear into the hearts of small business owners, your first instinct might be the IRS. But more frequently, it’s PCI that provides most of the worry. The power to take payment information from customers comes with great responsibility and PCI is the arbiter of that responsibility, the dictation of standards designed to ensure that businesses are doing everything they can to prevent their customers’ financial data from falling into the wrong hands.

Large corporations, especially publicly traded ones, have entire teams of IT staff dedicated to following rigid security processes, and modifying those processes to comply with changing PCI standards. But for a small business, it’s no exaggeration to say that PCI compliance issues can dominate the operations of a small IT staff, making it difficult for these strapped resources to do much of anything else. So how do you take online payments, keep compliant and keep your staff focused on your growing business?

The key to achieving PCI compliance as a small business without undue burden is to ensure that your technology processes keep the customers’ financial data out of your systems altogether.

So, how do you accept credit card information without it coming through your system?  Many never explore this option for fear of disrupting a seamless, trusted user experience.

I don’t want to send the customers somewhere else to pay their bills, buying from me should be easy and streamlined for my customers.”

The solution lies in a combination of picking the right business partners to handle your payment processing and building your technology to take advantage of the tools they provide.  As you know, there are myriad credit card processors offering small business solutions for online credit card processing. They are not all created equal.

The more savvy online payment processing providers will have an alternative solution for capturing payment methods that involves a form that runs *on the payment processor’s server*.  This form glides just above your website without actually being part of it.  You might hear this referred to as an “iframe” or informally as a “widget” or “plug-in”.  

So when your customer enters their card data in this scenario, the card data is never interacting with your actual website at all.  It is being entered into the payment processor’s form which sends the data back to its own servers.  There’s a little bit of plumbing that happens behind the scenes to tell the processor which customer of yours they are taking payment for, but none of that is in PCI scope because the cardholder data is not involved in those communications.  In future, your system can talk to the payment processor’s API about making other payments against this card data, setup recurring payments etc., all without ever having to bring the card data into your systems and thus keeping you out of PCI scope.

So if you find that your business needs to address PCI compliance questions, work with your payment processor and technology partners to determine which of these mitigation options are available for you. Never be afraid to explore other payment processors if yours doesn’t provide the functionality you need to stay out of PCI scope.