
As many of you may have heard, the payments industry is finally requiring all merchants to be PCI DSS compliant in 2010.
So, why has your processor instituted a PCI compliance program?
Very simple, really: they didn’t have a choice!
The payment card brands are demanding that all merchants comply with the standard, since merchant service providers can be held liable for their merchants’ data breaches.
What does this mean?
Again, very simply: they now share in your liability.
There have been so many high-profile security and data breaches, which I’m sure many of you have seen on the news, affecting the payment card industry, internet merchants and retail merchants internationally.
Processors now share in the potential liability for data breaches, and the pressure has been placed on them to help merchants become PCI DSS compliant by the end of 2010.
PCI DSS compliance was designed to give merchants best practices for handling customers’ sensitive data and to minimize the losses that occur when card data is compromised.
Moving forward, if a merchant is found not to be compliant, fines could be levied on the merchant and the processor; being compliant greatly reduces this exposure.
As far as becoming compliant goes, your processor more than likely contracted with a PCI compliance vendor to assist in the process. Most should have an online portal, email support and live phone support.
I suggest giving them a call and letting them walk you through it rather than stressing yourself trying to figure it out on your own.
Here’s why…
There are 4 self-assessment questionnaires (SAQs), and picking the right one can be a bit technical and probably beyond the level most of us operate at regarding IT (at least it’s beyond my technical knowledge – LOL).
For many of you, the customer goes to your web site to select the images they wish to purchase and is then sent to a secure online order form hosted by a gateway such as Authorize.Net or NMI, where they enter their card data. In other cases the customer never actually leaves your site, so the card data is captured on your own server using an SSL certificate. In yet other cases people capture the card information on their own front end and transmit it to Authorize.Net or NMI using a virtual terminal.
The issue is that unless you know which of these methods you are using, it can be confusing as to which of the 4 different self-assessment questionnaires (SAQ forms) to use. Also, is Authorize.Net, NMI or whichever gateway you use the only means by which you take credit cards? Do you ever take cards over the phone, or have a terminal or some other means such as a smartphone app? This could also change which of the forms you use.
Also, if you’re collecting credit card data on your own front end and transmitting it on the back end to the gateway, you may have to have a quarterly ASV (Approved Scanning Vendor) vulnerability scan in addition to filling out the form. Again, it can be a tricky, slippery slope.
There are 4 levels of merchants, based primarily on how many transactions you do a year. The overwhelming majority of merchants fall into the Level 4 category (under 20,000 transactions a year). You may also be interested to know that the overwhelming majority of incidents involving data security and credit cards take place at Level 4 merchants as well. But here is the key fact: the only difference between the levels is that Level 1 merchants have to have an on-site audit performed annually, while Level 2, 3 and 4 merchants can fill out their own questionnaires. The DSS, or Data Security Standard, is actually the same across the board. The PCI Council makes no exception for Level 4 merchants; they absolutely do have to comply, and the fines of up to half a million dollars plus costs are very much in effect.
When it comes to PCI I am afraid there are no easy answers, so I hope this article makes that clear to you and everyone reading it.
The reason processors are offering PCI Compliance programs is once again very simple…
To help you lower your risk, thereby lowering the processors risk!
These kinds of programs cost money though and nobody likes extra expense and I get that!
I know you don’t need to use the vendor your processor selected and can opt out of being billed, but you would then need to use another service provider to show proof of compliance.
In closing, banks and processors share in the potential liability for data breaches, and the pressure has been placed on the processor to assist all of their merchants in becoming PCI DSS compliant by the end of 2010.
The stance of the processor is that the cost of the program is a no-brainer compared with the fines involved should card data be compromised and the merchant be found not to be compliant.
More to come in the coming days.


