Any business that accepts credit card payments needs to be aware of the credit card processing data standards, which are becoming more stringent starting this October (see dates at the end of this article). Making sure that you are complying with the rules can be confusing and a little overwhelming to the small business owner. We turned to Henry Helgeson, President and CEO of Merchant Warehouse, for an explanation of how these standards impact small businesses.
The Payment Card Industry (PCI) Security Standards Council (SSC) is an organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. Its mission is to “enhance payment account data security by driving education and awareness of the PCI Security Standards.” The PCI SSC has developed the Data Security Standard (PCI DSS), which is a comprehensive standard intended to help organizations proactively protect customer account data.
Can you help us understand how PCI DSS affects small businesses – If a small business owner is using PayPal, Yahoo! stores, or another hosted ecommerce solution, do they need to go through the PCI compliance checklist and make sure they are compliant, or is that burden on the hosting company?
According to the PCI SSC, PCI DSS affects all parties that process, transmit or store cardholder information. This is why entities such as hosting companies have to comply with the PCI DSS. Although Visa/MC typically can’t go directly after non-merchants such as hosting services since they do not have an agreement with them for a merchant account, Visa/MC can force their merchants to use a PCI/PABP validated provider. This forces non-compliant providers to validate their compliance in order to retain their customers’ business.
Although merchants using PayPal do not technically have a merchant account, they do have an agreement with PayPal to process transactions according to PayPal’s policy. If there is a breach involving a PayPal merchant, Visa/MC will go after PayPal with any fines that may be imposed and in return, PayPal will go after the merchant to recoup these losses if the merchant violated any of the PayPal processing guidelines.
Yahoo! stores merchants typically do have a real merchant account so they would be required to follow the PCI DSS requirements just like a merchant using a standard credit card processing solution.
There is no way of getting around PCI DSS. If a merchant wishes to accept credit card payments, they will need to be compliant or risk getting fined and their services terminated no matter what method of accepting payments they use.
If the burden is in fact on the small business owner, what are some tips to simplify the process of becoming compliant?
There are several simple steps a merchant needs to take in order to achieve compliance. The best starting point is to fill out a Self-Assessment Questionnaire. Once the correct questionnaire is completed, the merchant will have a good idea of what they still need to do for compliance. A couple of the most important requirements are simple, such as having an information security policy that is used to train all employees on how to handle cardholder information securely. This security policy should cover things such as proper storage and disposal of sensitive cardholder data, such as receipt copies, and an information disclosure policy to ensure sensitive data is not accidentally disclosed to people who are not allowed to have access to it. Another easily achieved but important requirement is limiting access to cardholder information only to those that have a business need to have access to it. This usually limits access only to management and limits access to those employees that do not need to have sensitive credit card information as part of their everyday job function.
Depending on how the merchant is processing transactions (dial-up, IP) there are different requirements that must be met. This is why the questionnaire is an important first step in achieving compliance.
Say a business doesn’t bother with PCI DSS compliance. Will Visa, Amex, MasterCard, etc. not let them complete transactions through their networks?
If a business does not comply with the PCI DSS, they run a chance of incurring penalties and fines from the card associations. Visa/MC will impose escalating fines on merchants that do not comply with the PCI DSS and if they deem that the merchant is not putting forth an effort to comply, they may terminate their ability to accept Visa/MasterCard transactions.
Already, merchants cannot use payment applications identified by Visa as vulnerable, and VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified. Eventually, however, PCI compliance will be unavoidable for any size business and merchants need to be aware of several important upcoming deadlines:
- October 1, 2008 – Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications
- October 1, 2009 – Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network
- July 1, 2010 – Merchants must use PA DSS-adherent applications to accept Visa transactions
Obviously, these deadlines will have an impact on a huge number of existing businesses; it’s vital that companies begin to research PCI DSS and their options for compliance now to ensure a smooth transition.
Laura Leites, Assistant Editor, Smallbiztechnology.com