Surprise Non-Compliance Fee from Your Credit-Card Service?

If you received a non-compliance fee on your credit-card processing statement and are wondering why, you should take the Payment Card Industry Security Standards Council (PCI SSC) self-assessment questionnaire.

 

Credit-card companies and credit-card processors are assessing fees and penalties on retailers who don’t demonstrate compliance with credit-card data-security standards. Eventually these retailers could be denied credit-card system access. Much worse, if a retailer suffers a data breech the fines and loss pay-backs could devastate the business. Sometimes it takes weeks to realize you’ve been compromised.

 

I spoke with Bob Russo, PCI council executive director, recently who warned that any retailer who processes, stores, or transmits credit-card data must be compliant with current data security standards (PCI DSS). These standards were developed by credit-card brands and companies along with participating merchants and technology companies to ensure personal credit data isn’t commandeered by criminals for stealing, fraud, and identity theft. Russo says the whole point of the council and the standards is not about compliance, but data security and loss prevention.

 

I’ve received a couple of calls about new PCI deadlines recently. The reality is: the initial compliance deadline was last summer for all merchants. The PCI council will be introducing a new standard for operation of PIN-pad and other payment terminals in April, but we’ll get back to that.

 

To demonstrate compliance, generally you just answer a self-assessment questionnaire. Answering the questions also helps you understand what must be done.

 

For most merchants, if you don’t do more than 500,000 annual credit-card transactions, the questionnaire is all you must do. The actual criterion for who takes a questionnaire is determined by your credit-card processor or credit-card company. Your service provider determines who needs only to answer questions and who must have on-site audits by a qualified security assessor (QSA) and quarterly web-site and network scans by legal hackers to determine compliance.

 

MasterCard, for example, requires all merchants to have a quarterly computer-network security scan by an approved vendor, either by the merchant or the processing provider.

 

Other than that, cost of compliance should be minimal fees service providers charge. If you’ve updated your card-swipe equipment within the last year, you shouldn’t have to buy anything. However, if you haven’t updated your equipment or don’t have equipment that encrypts transmitted data, you need to upgrade immediately. (Crooks know their window of opportunity is shrinking.)

Most other compliance requirements are about how you handle credit card data, both paper records and electronic data.

First National Merchant Services, CBA’s endorsed credit-card processing service, says Christian-store retailers probably need worry only about the questionnaire and equipment. The company has set up a website for its customers to ensure compliance: www.Getcompliantwithfnms.com.

 

Just think of how your customers will feel when they see your posted certification indicating your compliance with security standards. Nothing like a little safety and security to warm a shopper’s heart.

New PIN Terminal Security Standard

What is new is the final draft of the PIN Terminal Security standard. This will cover PIN pads, processing terminals, etc., and is due to be published April 30. It has a three-year review (a year longer than normal, which should extend your equipment budget).

This standard targets what’s called skimming. This is when a thief modifies PIN pads and payment terminals by re-wiring or replacing the card-swipe device to re-direct or skim credit-card data for criminal purposes. While technical standards are directed to equipment manufacturers, the council’s common-sense best practices also could prevent skimming on your devices. Be observant for wiring that suddenly appears on your device, for example, and check out the swiping device once in awhile.

 

For a one-page skimming overview:

https://www.pcisecuritystandards.org/pdfs/skimming_prevention_overview_one_sheet.pdf

For approved terminal providers: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

For in-depth merchant best practices: https://www.pcisecuritystandards.org/pdfs/skimming_prevention_form.pdf

The PCI council will issue standards changes on payment applications and off-the-shelf software for credit-card processing from May to August. All the proposals will be formally presented to merchants at the council’s September annual community meeting in Orlando.

Going from Gloom to Boom: Jim Dion's view of indie retailing

Jim Dion was a featured speaker at the National Retail Federation conference, offering an encouraging word to independent retailers in his presentation "Going From Gloom to Boom". It was a special time set aside in the valley of looming retail giants just for indies. And the way this internationally renowned retail consultant sees it, independent retailing is just as poised for success in the economic recovery as mega-retailing. Indie retailers just need to think differently ... and act differently.

He quoted Procter & Gamble Senior VP Lou Pritchet to introduce what retailers must do to think and act differently: change. "When the rate of change outside your company exceeds the rate of change inside your company, disaster is imminent," Pritchet said. Retailers especially must understand the quick shifts and subtle turns their customers always go through as life overcomes them. Be connected to them to know which way they're going.

Judging by what's ahead in new consumer attitudes, technology advancements, economic realities, and retailing itself, inside change will continue to be a mandate. That's not to say that great and established retail disciplines aren't still important -- even critical. It is to say how you engage your customers -- more than ever -- must be relevant to what they need and want.

Dion says pay attention to two key "I" words: Impulse and Investment. It's not all about mindless consumption any more, but value is key: product value, company values, and value-driven spending. Which for Christian-store retailers means to work out a way for customers to purchase because it's a smart investment (on several levels) not just a good price.

"Only rich people can afford to buy cheap products because they're the only ones who can afford to replace them," he said.

How does that translate into a Bible purchase, for example? Why buy quality leather or comprehensive study guides? The value lasts a lifetime. (Remember when families recorded genealogies in their Bibles?)

Dion says sell fewer, better things to overcome pricing pressures, and become up-sell experts to meet customers' total needs.

See Jim's website: www.dionco.com. Check out CBA Connect e-learning at http://www.cbaonline.org/CBAConnectHome.htm.

Instrumented, Interconnected, Smart: Your Customers

The first couple of days at the National Retail Federation were full of buzz about "instrumented" consumers, interconnectivity, and "intelligent" consumers. This is creating a rapidly changing dymnamic for retailers. About 22% of the globe is online and there are more cell phones than automobilies (illustrating the rapid mobile-technology adoption in developing nations). Some 80% of shoppers use two or more technology devices (they are "instrumented") and will use them in retail relationships. For many of these consumers, social media means more than just a Facebook post. When it comes to retailers, consumers are more than willing to engage (after all, stores should be reflecting who they are!), but they want something in return: free samples, preferred customer status for special promotions, advanced sales, plus the ability to influence product development and new-service offerings. I'll talk more about this, but have to run off to a session. If you want to see some basic info on social media, check out Gunnar Simonsen's take on the CBA website: http://www.cbaonline.org/SocialMedia/social.htm.