If you received a non-compliance fee on your credit-card processing statement and are wondering why, you should take the Payment Card Industry Security Standards Council (PCI SSC) self-assessment questionnaire.
Credit-card companies and credit-card processors are assessing fees and penalties on retailers who don’t demonstrate compliance with credit-card data-security standards. Eventually these retailers could be denied access to the credit-card system. Much worse, if a retailer suffers a data breach, the fines and loss pay-backs could devastate the business. Sometimes it takes weeks to realize you’ve been compromised.
I recently spoke with Bob Russo, executive director of the PCI council, who warned that any retailer who processes, stores, or transmits credit-card data must be compliant with the current Payment Card Industry Data Security Standard (PCI DSS). These standards were developed by the credit-card brands and companies, along with participating merchants and technology companies, to ensure personal credit data isn’t commandeered by criminals for theft, fraud, and identity theft. Russo says the whole point of the council and the standards is not compliance for its own sake, but data security and loss prevention.
I’ve received a couple of calls about new PCI deadlines recently. The reality is: the initial compliance deadline was last summer for all merchants. The PCI council will be introducing a new standard for operation of PIN-pad and other payment terminals in April, but we’ll get back to that.
To demonstrate compliance, generally you just answer a self-assessment questionnaire. Answering the questions also helps you understand what must be done.
For most merchants, if you don’t do more than 500,000 credit-card transactions a year, the questionnaire is all you must do. The actual criterion for who takes a questionnaire is determined by your credit-card processor or credit-card company. Your service provider determines who needs only to answer the questions and who must have on-site audits by a qualified security assessor (QSA) and quarterly web-site and network scans by legal (authorized) hackers to determine compliance.
MasterCard, for example, requires all merchants to have a quarterly computer-network security scan by an approved vendor, either by the merchant or the processing provider.
Other than that, the cost of compliance should be limited to the minimal fees service providers charge. If you’ve updated your card-swipe equipment within the last year, you shouldn’t have to buy anything. However, if you haven’t updated your equipment, or don’t have equipment that encrypts transmitted data, you need to upgrade immediately. (Crooks know their window of opportunity is shrinking.)
Most other compliance requirements are about how you handle credit card data, both paper records and electronic data.
First National Merchant Services, CBA’s endorsed credit-card processing service, says Christian-store retailers probably need worry only about the questionnaire and equipment. The company has set up a website for its customers to ensure compliance: www.Getcompliantwithfnms.com.
Just think of how your customers will feel when they see your posted certification indicating your compliance with security standards. Nothing like a little safety and security to warm a shopper’s heart.
New PIN Terminal Security Standard
What is new is the final draft of the PIN Terminal Security standard. It will cover PIN pads, processing terminals, etc., and is due to be published April 30. It has a three-year review cycle (a year longer than normal, which should stretch your equipment budget further).
This standard targets what’s called skimming: a thief modifies PIN pads and payment terminals by re-wiring or replacing the card-swipe device to re-direct, or skim, credit-card data for criminal purposes. While the technical standards are directed at equipment manufacturers, the council’s common-sense best practices also can help prevent skimming on your own devices. Be observant for wiring that suddenly appears on your device, for example, and check the swiping device once in a while.
For a one-page skimming overview:
https://www.pcisecuritystandards.org/pdfs/skimming_prevention_overview_one_sheet.pdf
For approved terminal providers: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
For in-depth merchant best practices: https://www.pcisecuritystandards.org/pdfs/skimming_prevention_form.pdf
The PCI council will issue standards changes on payment applications and off-the-shelf software for credit-card processing from May to August. All the proposals will be formally presented to merchants at the council’s September annual community meeting in
This is an extremely helpful article, Eric. As I understand it, PCI compliance is not a law, but as you have pointed out, some processors will charge a monthly fee if you have not completed a self-assessment. In my experience, the self-assessments are a bit difficult to understand for non-tech-minded folks and may be difficult to fully comply with without added expense on the merchant's part. This is at least the case for merchants selling over the web (not sure about POS terminals exclusively). You can find processors who will not charge PCI compliance fees, however.
Posted by: Michael Covington | January 29, 2010 at 03:42 PM
Thank you for this great blog information! I'm finding this whole blogging world a great resource for any topic, and really inspirational.
Posted by: target stores online | February 12, 2010 at 10:30 AM
Good article. Personally, though, I would have liked to see you point out how flawed the whole PCI compliance concept is. The issue is not with small businesses. It is with big businesses. I've had my personal credit cards compromised several times in the last few years, and the leak was always with a credit bureau, card issuer or large merchant. PCI compliance from small businesses, most of whom do nothing more than swipe a card at time of sale, is just one more way to extract fees and penalties from the largest segment of users (in terms of numbers). It's ridiculous, and someone needs to tell the credit card issuers "no", especially since they themselves seem to be a significant source of compromised accounts. Let them fix their own house before trying to critique mine.
Posted by: grant | February 16, 2010 at 12:51 PM
Thanks for the article; however, if you think you just fill out a simple questionnaire and then get certified compliant, then you may be in for a surprise. The biggest hurdle, in my opinion, is all of the policies and procedures that are required to be documented and followed by your company. It's not rocket science, but it does take some time to document these and get everyone trained to follow these guidelines at all times. Until then you cannot answer some of these questions honestly and be certified compliant.
Posted by: PCI Weary | February 24, 2010 at 09:23 AM
Greetings!
I just stopped by to read your site, and I have to give you the big thumbs up on your articles. It is refreshing to know that people like yourselves care about others in giving informative information that is relevant and true. As a courteous gesture, we would absolutely love your honest opinion on the following article that I have written, found here: http://cyberconnexxion.com/2010/03/10/credit-card-companies-will-be-fighting-back-in-2010/. By all means, go through our entire site and tell us what you think! Once you have done so, and if you think that we can exchange links to have on each other’s site at the following URL: http://cyberconnexxion.com/resources/links.html, we can boost traffic. It’s a win-win situation for the both of us. Please let us know! Again, congrats on a fantastic site!
Teeny S
Author, Webmaster
http://www.cyberconnexxion.com
Posted by: sean | June 12, 2010 at 10:11 PM
Great lens about how credit-card companies and credit-card processors are assessing fees and penalties on retailers who don’t demonstrate compliance with credit-card data-security standards...
Posted by: scoremore | October 06, 2010 at 07:59 AM
Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined...
Posted by: scoremore | October 17, 2010 at 06:11 AM
Instead of paying all these fees, why not use cash? It's inconvenient, but it saves you money, and if you don't have enough money to buy something, will you really have that money later, and should you be buying it?
Posted by: scoremore | October 19, 2010 at 08:23 AM
Have you dealt with images of credit card information with regards to data? How has this changed your audits?
Posted by: scoremore | October 21, 2010 at 06:58 AM
I have just found out about this. ELAVON have been charging me £17 a month for being non-compliant. I found out after 6 months and asked them what the fee was for; they said I had been sent a letter explaining I needed to fill in a questionnaire online to become compliant. I have never received this letter, and it was by chance I saw the regular amount being taken. I believe this is totally unfair, as without the original letter retailers will be charged until they discover the charge. Why can they charge without notification? The same company, I also discover, has been taking funds of £5 per month for a key pad which I don't have. I would love to know the legality of recovering my costs. Anyone??? PLEASE, IF YOU ARE WITH ELAVON, check your statements now. The charge last year was £30 for a year. neil whetstone
Posted by: neil whetstone | October 21, 2010 at 09:46 AM
It's nice to see your blog; your article is well written. Thank you for sharing!
Posted by: H Miracle Review | April 15, 2011 at 07:08 PM
I hope this is allowed; I have never used this website before, so I wasn't really sure what this was going to do. So this is just a test post. I really like this forum; it has some excellent discussions that take place.
Posted by: Coach Outlet Store Online | July 05, 2011 at 08:01 PM
During these days where you can’t be assured of your safety outside, your only sanctuary would be your home.
Posted by: pinnacle security | September 14, 2011 at 12:10 PM
Your information was useful, but was missing a few steps that some CC companies, like the one I am cutting ties with, have done.... First thing, I was never told about a non-compliance; when I called and asked why there was a $50.00 charge on my bill for it, they said they would send me a form via email. It never showed up, so once again I called, and they explained they must have taken my email info down wrong. When I did receive it, the attachment went to a page that didn't exist, so I called again; they once again sent it, and this time it only asked for my business information. I filled this out, and guess what? On my next bill was a $25 non-compliance fee charge, and they would not explain to me what this charge was once again, so I talked to one of my friends who used to work for a CC company. They said these companies don't have to charge this fee, and for a small business like mine it is ridiculous; the most I have ever run through in a month for CC sales is less than $1000, and last month I didn't run a single card, but I got charged this $25. I think there is a lot of shady business with these companies, and personally in my business cash has now become king, and I will give discounts to people who pay cash. I also was informed that if I wanted to cancel my account with this company, to fax in a cancellation, which I did, and once again they informed me they never got the fax! So I had to pay my bank a $25 fee to stop payment to the company; my bank informed me that sometimes these companies have other names and might try and run it through under another name. I am so fed up with this. I have heard the only company that actually is honest is Heartland, so I am hoping to switch over to them once I get this monkey off my back!
Posted by: curious cargo | May 09, 2012 at 03:17 PM