Making our small business network PCI-DSS Compliant [closed]

Outsource it. Seriously, if you don't know PCI already you'll hate it by the time you get to know it. In an office that small there's no justification for processing payments in-house. Use a third-party provider (like PayPal; your bank might also have options). Getting your network certified will likely cost you an arm and a leg. Using a third-party service will cost you a bit extra on every transaction, but the break-even point is going to be thousands of transactions (or more).


Yes, a great deal will need to be done. First of all, the list of security standards is here: https://www.pcisecuritystandards.org/security_standards/

This entire list applies to all size environments. The only thing that changes depending on how many credit card numbers you process and whether or not you are a service provider for other retail storefronts is the level of audit that must be performed on a regular basis.

If you've never been through the process before, and your environment doesn't require a third-party audit, I recommend going through at least one audit the first time to have some assurance that you've followed the guidelines listed in the Security Standards documents.

If at all possible, I highly recommend avoiding PCI compliance requirements by using a third-party payment processor. Full compliance is a very expensive endeavor.