Are Your QuickBooks Clients PCI Compliant?

Just in case you don’t already have enough to do, I have a suggestion for your next billable service that may provide a nearly endless amount of billable work for you and your firm.

If you haven’t heard by now, the Payment Card Industry (PCI) Security Standards Council has developed a rigorous set of “data security standards” (DSS) for how businesses must protect the security of customer credit card numbers.

These standards for compliance are incredibly far-reaching, and will put the fear of God into any business owner who has heretofore paid little attention to the details of how credit card numbers are stored in the QuickBooks data file, CRM database or online Web store. New compliance regulations are mandated by the credit card companies, and deadlines for complying have already passed (July 1, 2010 was the final compliance date).

I can’t emphasize enough how big a problem small businesses have with securing customer credit card numbers. For years, the businesses on Main Street have paid little or no attention to the security of customer credit card numbers. Instead, the main focus has been on streamlining how the numbers are stored in software systems so that they can be retrieved quickly during the sales process. What we have now is a major case of trying to get all the cattle back into the barn, and then buying a lock for the door.

What is PCI DSS?

The PCI DSS is a set of comprehensive requirements for enhancing customer credit card data security. The standards were developed by the PCI Security Standards Council. This council includes representatives from dozens of credit card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. The purpose of these standards is to help facilitate the broad adoption of consistent data security measures among merchants who store customer credit card data.

The PCI DSS is a group of six principles and twelve requirements. Here is the list of principles and requirements, taken directly from the PCI Security Standards Council website:


1. Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.


2. Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.


3. Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.


4. Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.


5. Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.


6. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.