
PCI Compliance

Posted on October 12, 2011
Jim Ecina Anderson asked:

PCI Compliance: What is it and why should I care?

I must have heard this question a hundred times from merchants, and it can be hard to understand what it is, and why it matters.

PCI DSS (Payment Card Industry Data Security Standard) has actually been in effect for several years now. Simply stated, it means that merchants are doing everything possible to protect cardholder information from being stolen. In recent years it has become even more important with the large breaches of data that put thousands of cardholders at risk of fraud.

Protecting data can be a daunting task for a small merchant, but common sense goes a long way in complying with the regulations. First, make sure that the receipts being printed only show part of the card number, and not the expiration date. It sounds simple, but I still see businesses that have the full card number on the receipt. Second, don’t write down card information and leave it unsecured.

I know that some businesses rely on phone orders, and you need to keep the written authorization on file. If that’s the case, make sure that only the necessary people have access, and that the files are kept locked at all times. You would be surprised at how many people don’t do that. Third, if you’re processing using a terminal that works over IP, you need to have a scan done quarterly. The scan ensures that there aren’t ways for cyber criminals to access your information or plant viruses that would transmit data to them. If you’re using a certified compliance vendor it’s very easy to schedule the scans, and they’ll help you troubleshoot any security threats.
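The first tip above, truncating the card number on printed receipts and leaving the expiration date off, is easy to get wrong in a receipt template, and written or stored records can leak a full card number just as easily. The following is an added example, not code from the original post: a receipt formatter that masks all but the last four digits, plus a check that scans receipt or log text for digit runs that look like a real card number (length 13 to 19 and Luhn-valid). The sample card number 4111111111111111 is a constructed, well-known test number.

```python
import re

SEPARATORS = re.compile(r"[ -]")
# A run of 13 to 19 digits, optionally split by spaces or dashes, not glued to other digits.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; separates a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the card number with only the last four digits visible."""
    digits = SEPARATORS.sub("", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_card_line(pan: str, amount: str) -> str:
    """Build the card line of a receipt: masked number, no expiration date."""
    return f"CARD {mask_pan(pan)}  AMOUNT {amount}"


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number printed in full in receipt or log text."""
    hits = []
    for match in PAN_RUN.finditer(text):
        digits = SEPARATORS.sub("", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample of a bad receipt that prints the full number and expiry.
    bad_receipt = "CARD 4111 1111 1111 1111 EXP 12/14 AMOUNT 19.95"
    print("leaked:", find_unmasked_pans(bad_receipt))
    print("fixed :", receipt_card_line("4111 1111 1111 1111", "19.95"))
```

Running the check over a day's worth of printed receipt output or terminal logs before they are filed is a cheap way to confirm the masking rule actually holds.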

So how do you certify your compliance? It’s a very simple process really. You answer a self-assessment questionnaire, and pass your scan if necessary. Most people think that it’s hundreds of questions that are very technical, and that’s not the case at all. In most cases it’s approximately 20 questions that are true/false. For most merchants it only takes about 5 minutes to complete.

Why should you care about being certified? There are a few reasons. If you are certified and there is a security breach, this helps protect you from very large fines from the various card issuers. Even a small breach for an uncertified merchant can cost hundreds of thousands of dollars, which would most likely put them out of business. It is the merchant that’s responsible for the cost of forensic audits, re-issuing compromised cards, and fines.

Secondly, some processors are charging merchants $20.00 a month for not being certified compliant. $240.00 a year for not filling out the form seems like a lot of money to me! Last, but not least, in states like Nevada a merchant that is certified compliant is protected from further fines from the state if there is no gross negligence on the merchant’s part. If non-compliant and breached, the state will levy its own penalties in addition to the fines by the card associations. Many states are following suit and creating laws that mirror Nevada’s.

So now that you know it’s not quite as bad as you imagined, and that it is important in more ways than one, contact your processor. Chances are that there’s a program in place already to help you through the certification process. And now that you know it’s not going to take most of the day, you really have no reason not to do it. You have nothing to lose by doing it, and the protection it offers is well worth the time it will take!
