Payment card security for small businesses


If your business accepts card payments - for example, if you take payments online - you need to think about security. Having the right security measures in place minimises the risk of online fraud and data theft. It also helps reassure customers that you are trustworthy.

The best approaches combine technical security measures with sensible procedures that help you identify potentially fraudulent transactions.

What is PCI-DSS?

PCI-DSS stands for the Payment Card Industry Data Security Standard. It describes how your business must protect the credit and debit card details your customers provide when they purchase goods or services from you.

Although PCI-DSS can seem confusing at first, most smaller businesses find it fairly straightforward to comply with the rules. There's plenty of support and guidance available too, both online and from banks and payment providers.

"PCI-DSS was created by the payment card industry," explains Mark Kedgley, chief technical officer at New Net Technologies, a global provider of data security and compliance solutions.

"The industry wanted to create a standard to protect card data, in order to reduce losses from fraud and data theft," he continues. "All merchants that take payment by card are subject to this standard, and so are the banks that process payments. Fundamentally, if you're taking card payments then you're subject to PCI-DSS."

If you think PCI-DSS might affect your business, don't ignore it. You can be fined or even stopped from taking payments altogether if you don't take steps towards meeting the requirements.

What does PCI-DSS require your business to do?

To comply with PCI-DSS, your company must meet 12 requirements that cover the various ways you hold, process and transmit customers' card details. To demonstrate compliance, most smaller companies simply complete a self-assessment questionnaire (SAQ) each year rather than undergoing a formal audit.

"It's a declaration," confirms Mark. "What kind of merchant you are determines which self-assessment form you have to fill in. PCI-DSS is policed much more strongly for big companies that may hold and process card details relating to millions of customers."

If your business only uses customer card details to take one-off payments, then meeting PCI-DSS is likely to be straightforward. However, if you store customers' card details in order to take future payments, or transmit that data elsewhere, that's when it can become more arduous.

Many companies reduce their PCI-DSS scope by relying on a trusted payment services provider (PSP) that captures and stores the card data on their behalf, so the card details never touch the company's own systems. "Using third-party services like PayPal or Worldpay is a good way to make PCI-DSS simple, because you can pass the burden of compliance on to the supplier," elaborates Mark. "The downside is the extra cost to process each transaction."
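The storage rule behind this, as an added example that is not code from the original article: after a payment goes through a PSP, the only card record the shop keeps is the provider's token plus a masked card number and the expiry date. The full number is never written down and the security code is dropped as soon as authorisation has been requested, because PCI DSS forbids keeping it afterwards. The token format, the field names and the sample checkout data are assumptions for illustration.

```python
"""Added example, not code from the original article: the record a small shop
keeps after taking a card payment through a PSP. The token format, the field
names and the sample checkout data are assumptions for illustration. The point
being demonstrated is that the shop stores the provider's token and a masked
card number, never the full number and never the security code."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches typos before the number is sent anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, which PCI DSS permits to be displayed."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    psp_token: str   # opaque reference issued by the PSP; only they can map it back
    masked_pan: str  # e.g. 411111******1111, enough for "which card?" on a receipt
    expiry: str      # MM/YY, so the customer can be warned before a renewal fails


def fake_psp_tokenise(pan: str) -> str:
    """Stand-in for the PSP's tokenisation API (assumption: a real PSP returns an
    opaque token after it has taken the card data). Random here so the example
    runs offline; the token must not be derivable from the PAN."""
    del pan  # the real call would send it over TLS to the PSP; we keep nothing
    return "tok_" + secrets.token_hex(8)


def record_for_storage(checkout: dict) -> StoredCard:
    """Turn the raw checkout form into the only record the shop retains.
    The security code is validated for the authorisation call and then dropped:
    PCI DSS forbids storing it after authorisation."""
    pan = re.sub(r"\D", "", checkout["card_number"])
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", checkout["cvv"]):
        raise ValueError("security code must be 3 or 4 digits")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", checkout["expiry"]):
        raise ValueError("expiry must be MM/YY")
    token = fake_psp_tokenise(pan)
    return StoredCard(psp_token=token, masked_pan=mask_pan(pan),
                      expiry=checkout["expiry"])


def leaks_card_data(record: StoredCard, pan: str, cvv: str) -> bool:
    """Audit check: is the full PAN anywhere in the record, or the CVV kept as a field?"""
    fields = (record.psp_token, record.masked_pan, record.expiry)
    return any(pan in f for f in fields) or cvv in fields


if __name__ == "__main__":
    # Constructed sample input: a standard Visa test number, not a real card.
    form = {"card_number": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
    rec = record_for_storage(form)
    print(rec)
    print("leaks card data:", leaks_card_data(rec, "4111111111111111", "123"))
```

If you ever find yourself wanting to keep more than this (for example, the full number "to make refunds easier"), that is the point at which the heavier self-assessment questionnaires and the "more arduous" requirements start to apply; the PSP token is what lets you refund or re-charge without it.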

Online security measures to fight fraud

Every online shop will suffer attacks from fraudsters at some point. They may attempt to obtain goods using stolen credit cards or by other, similar means.

To minimise the risk from fraudsters, find a payment services provider which takes extra anti-fraud measures on top of PCI-DSS. For instance, look for:

  • 3D Secure (originally branded Verified by Visa and MasterCard SecureCode), a system which requires the customer to authenticate with their card issuer - typically a one-time code or, in older versions, a password - before the payment is approved;
  • address verification (also called AVS), where the PSP checks that the billing address entered by the customer matches the address the card issuer holds for the cardholder;
  • card security code checking (also called CV2), where customers must input the three digits from the back of their card (four on the front of an American Express card) to complete payment. This code must never be stored after the payment has been authorised, even if you store other card details.

If your provider takes extra precautions like these, mention it on your website.

Customers are also likely to look for the padlock in their web browser before making payments online. You provide this by serving your site over HTTPS with a valid TLS certificate (still commonly called an SSL certificate). Bear in mind that the padlock only shows that the connection is encrypted; it does not show that the site itself is secure or that the business behind it is trustworthy.

Practical security policies

Complying with PCI-DSS really isn't that different from taking other sensible security precautions, except that the standards you must achieve are set by a third party. Much of what you need to do simply follows good security practice - so you'd probably be doing it even if PCI-DSS didn't exist.

  • Consider PCI-DSS as part of your overall security policy, rather than as a separate issue.
  • Take practical steps to keep data safe. Don't write down customers' card details, or store them in unprotected spreadsheets. Think about how you would want a retailer to treat your card details and apply the same standards.
  • Keep an eye out for potentially fraudulent transactions. Fraudsters tend to buy high-value items, using the fastest shipping method and 'disposable' contact details like free email addresses and mobile phone numbers.
  • If you suspect an order is fraudulent, phone or email the customer back. Ask them about the details of their order, and to send proof of name and address.
  • If in doubt, ask for payment using a different card (which would need to have the same address) or another method such as a bank transfer.
  • Think about how you will deal with buyers who make fraudulent refund claims after you have sent them the goods.
  • Talk to your bank or payment provider for their advice on how you can take payments.
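The provider checks listed earlier (AVS, CV2, 3D Secure) and the warning signs in this list are most useful when they are combined, so that one weak signal puts an order under review while several together decline it. The following is an added example of such an order-risk score, not code from the original article or from any payment provider. The weights, thresholds, disposable-domain list, field names and sample orders are all assumptions for illustration and should be tuned against your own order history.

```python
"""Added example, not from the original article: an order-risk score that
combines the provider-side checks listed above (AVS, CV2, 3D Secure) with the
behavioural warning signs from the policy list. Weights, thresholds, the
disposable-domain list and the sample orders are all assumptions for
illustration; tune them against your own order history."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed lists: throwaway-mail providers are a strong signal, free webmail only a weak one.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
FREE_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
HIGH_VALUE = 500.0        # assumed threshold, in your shop's currency

# Weight per signal; a CV2 mismatch is handled as a hard stop, not a weight.
WEIGHTS = {
    "avs_mismatch": 3,
    "no_3ds": 2,
    "high_value": 2,
    "express_shipping": 1,
    "disposable_email": 3,
    "free_webmail": 1,
    "country_mismatch": 2,
}
REVIEW_AT, DECLINE_AT = 3, 6


@dataclass(frozen=True)
class Order:
    amount: float
    shipping: str                 # "standard" or "express"
    email: str
    billing_country: str          # ISO country code, e.g. "GB"
    shipping_country: str
    avs_match: bool               # PSP's address verification result
    cvv_match: bool               # PSP's CV2 check result
    three_ds_authenticated: bool  # customer completed 3D Secure


def risk_signals(order: Order) -> list[str]:
    """Return the names of every warning sign present on this order."""
    domain = order.email.rsplit("@", 1)[-1].lower()
    found = []
    if not order.avs_match:
        found.append("avs_mismatch")
    if not order.three_ds_authenticated:
        found.append("no_3ds")
    if order.amount >= HIGH_VALUE:
        found.append("high_value")
    if order.shipping == "express":
        found.append("express_shipping")
    if domain in DISPOSABLE_DOMAINS:
        found.append("disposable_email")
    elif domain in FREE_WEBMAIL:
        found.append("free_webmail")
    if order.billing_country != order.shipping_country:
        found.append("country_mismatch")
    return found


def risk_score(order: Order) -> int:
    """Sum of the weights of the signals found on the order."""
    return sum(WEIGHTS[s] for s in risk_signals(order))


def decision(order: Order) -> str:
    """'accept', 'review' (phone the customer, ask for proof of address) or 'decline'."""
    if not order.cvv_match:
        return "decline"          # wrong security code: the card is not in hand
    score = risk_score(order)
    if score >= DECLINE_AT:
        return "decline"
    if score >= REVIEW_AT:
        return "review"
    return "accept"


# Constructed sample orders for illustration.
SAMPLE_ORDERS = {
    "regular": Order(40.0, "standard", "anna@example.co.uk", "GB", "GB", True, True, True),
    "big_ticket": Order(600.0, "express", "john@gmail.com", "GB", "GB", True, True, True),
    "classic_fraud": Order(1200.0, "express", "qwe123@mailinator.com", "GB", "NG", False, True, False),
    "wrong_cv2": Order(20.0, "standard", "sam@example.org", "GB", "GB", True, False, True),
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        print(f"{name:14} score={risk_score(order):2} -> {decision(order)}  {risk_signals(order)}")
```

Two design points worth keeping whatever weights you choose: a failed CV2 check is a hard decline rather than a score, because it means the buyer does not have the physical card; and a high-value express order from a free webmail address lands in "review", not "decline", which is exactly the case where the article's advice to phone the customer and ask for proof of name and address applies.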

Find credit card security resources for merchants from the PCI Security Standards Council
