If you received a non-compliance fee on your credit-card processing statement and are wondering why, you should take the Payment Card Industry Security Standards Council (PCI SSC) self-assessment questionnaire.
Credit-card companies and credit-card processors are assessing fees and penalties on retailers who don’t demonstrate compliance with credit-card data-security standards. Eventually these retailers could be denied credit-card system access. Much worse, if a retailer suffers a data breach, the fines and loss pay-backs could devastate the business. Sometimes it takes weeks to realize you’ve been compromised.
I recently spoke with Bob Russo, PCI council executive director, who warned that any retailer who processes, stores, or transmits credit-card data must be compliant with the current data security standard (PCI DSS). These standards were developed by credit-card brands and companies along with participating merchants and technology companies to ensure personal credit data isn’t commandeered by criminals for stealing, fraud, and identity theft. Russo says the whole point of the council and the standards is not compliance, but data security and loss prevention.
I’ve received a couple of calls about new PCI deadlines recently. The reality is: the initial compliance deadline was last summer for all merchants. The PCI council will be introducing a new standard for operation of PIN-pad and other payment terminals in April, but we’ll get back to that.
To demonstrate compliance, generally you just answer a self-assessment questionnaire. Answering the questions also helps you understand what must be done.
For most merchants, if you don’t do more than 500,000 annual credit-card transactions, the questionnaire is all you must do. The actual criterion for who takes a questionnaire is determined by your credit-card processor or credit-card company. Your service provider determines who needs only to answer questions and who must have on-site audits by a qualified security assessor (QSA) and quarterly web-site and network scans by legal hackers to determine compliance.
MasterCard, for example, requires all merchants to have a quarterly computer-network security scan by an approved vendor, either by the merchant or the processing provider.
Other than that, the cost of compliance should be limited to the minimal fees service providers charge. If you’ve updated your card-swipe equipment within the last year, you shouldn’t have to buy anything. However, if you haven’t updated your equipment or don’t have equipment that encrypts transmitted data, you need to upgrade immediately. (Crooks know their window of opportunity is shrinking.)
Most other compliance requirements are about how you handle credit card data, both paper records and electronic data.
First National Merchant Services, CBA’s endorsed credit-card processing service, says Christian-store retailers probably need worry only about the questionnaire and equipment. The company has set up a website for its customers to ensure compliance: www.Getcompliantwithfnms.com.
Just think of how your customers will feel when they see your posted certification indicating your compliance with security standards. Nothing like a little safety and security to warm a shopper’s heart.
New PIN Terminal Security Standard
What is new is the final draft of the PIN Terminal Security standard. This will cover PIN pads, processing terminals, etc., and is due to be published April 30. It has a three-year review cycle (a year longer than normal, which should extend your equipment budget).
This standard targets what’s called skimming. This is when a thief modifies PIN pads and payment terminals by re-wiring or replacing the card-swipe device to re-direct, or skim, credit-card data for criminal purposes. While the technical standards are directed at equipment manufacturers, the council’s common-sense best practices also could prevent skimming on your devices. Watch for wiring that suddenly appears on your device, for example, and check the swiping device once in a while.
For a one-page skimming overview:
For approved terminal providers: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
For in-depth merchant best practices: https://www.pcisecuritystandards.org/pdfs/skimming_prevention_form.pdf
The PCI council will issue standards changes on payment applications and off-the-shelf software for credit-card processing from May to August. All the proposals will be formally presented to merchants at the council’s September annual community meeting in