5 Things To Consider For Getting Your Company Out Of PCI Scope

in Blog
on Wednesday, 20 April 2016 14:44

Is it possible for a business to accept credit card payments but remain out of PCI scope? Companies that handle consumer credit card data are required to undergo a regular PCI audit, a costly and complex hassle that helps ensure data security. But is it possible to move to a payment system that takes your company completely out of the PCI compliance scope?

For many companies, the answer is yes. While some payment systems are too large to avoid PCI DSS compliance, many merchants and the software companies that serve them can make changes in their infrastructure to completely eliminate themselves from PCI scope or at least reduce their exposure level significantly.

Requirements such as storing credit card information for recurring payments can complicate the task of staying outside the scope of the Payment Card Industry Data Security Standard (PCI DSS). Dealing only with card-not-present transactions, on the other hand, can make it easier to reduce exposure.

What To Consider In Getting Out Of The PCI Scope

For merchants and software companies that want to avoid required PCI certification yet completely comply with PCI security requirements, several steps need to be taken:

Talk to a PCI auditor. The auditor can tell you whether the strategy you have in mind will work, and what other steps you may need to take so you can meet the compliance requirements for handling credit card payment data.

Decide what you must eliminate. Some components of your payment system may have to be phased out. You may have several software systems, terminal solutions and other components that must be eliminated or replaced with something that can put you outside PCI DSS scope. Some integrations with processors may need to be eliminated as well.

Consider simplification. You may benefit from unifying payment processing across all customers or sales channels. Simplifying overall structure and increasing transparency is necessary in some cases to convince a PCI auditor that you’re doing what you need to do.

Decide if you must store cardholder data. Terminal capture, for example, requires storing and sending card information. Host capture does not. If you need to hold data for recurring transactions, that data will have to be stored somewhere, and this can put you in the PCI scope if held at your location or on your equipment.

Plan what integration and migration work must be done. Once you reach a conclusion about what you need to do, you need to make plans to make it happen. You may need to integrate with a tokenization credit card processing service, a point-to-point encryption provider and more. If you’re storing cardholder data now, you need to plan a migration method and timing.

You’re Not Alone On The Pathway

Not all businesses can get completely out of the PCI scope, but many can. The process involves simplifying cardholder data handling and changing technology in most cases.

At PayVisors, we recommend the UniPay payment gateway, a payment processing system capable of performing necessary PCI scope reduction functions and based on open source commercial software that you and your team can adapt to your specific needs.

To learn more about how our business consulting company can help you get out of the PCI scope with the UniPay gateway, contact us now. Payment processing may be complex and potentially problematic, but we can simplify many aspects of it for you.
