Accepting Credit Cards: What You Need to Know

Any business that accepts credit card payments needs to be aware of the payment card data security standards, which become more stringent starting this October (see the deadlines at the end of this article). Making sure you comply with the rules can be confusing and a little overwhelming for a small business owner, so we turned to Henry Helgeson, President and CEO of Merchant Warehouse, for an explanation of how these standards affect small businesses.
The Payment Card Industry (PCI) Security Standards Council (SSC) is an organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. Its mission is to "enhance payment account data security by driving education and awareness of the PCI Security Standards." The PCI SSC developed the Data Security Standard (PCI DSS), a comprehensive standard intended to help organizations proactively protect customer account data.

Can you help us understand how PCI DSS affects small businesses? If a small business owner is using PayPal, Yahoo! Stores, or another hosted ecommerce solution, do they need to go through the PCI compliance checklist and make sure they are compliant, or is that burden on the hosting company?
According to the PCI SSC, PCI DSS affects all parties that process, transmit or store cardholder information. This is why entities such as hosting companies have to comply with the PCI DSS. Although Visa/MC typically can't go directly after non-merchants such as hosting services, since they do not have a merchant account agreement with them, Visa/MC can force their merchants to use a PCI/PABP-validated provider. This forces non-compliant providers to validate their compliance in order to retain their customers' business.
Although merchants using PayPal do not technically have a merchant account, they do have an agreement with PayPal to process transactions according to PayPal's policy. If there is a breach involving a PayPal merchant, Visa/MC will go after PayPal with any fines that may be imposed, and in return PayPal will go after the merchant to recoup these losses if the merchant violated any of the PayPal processing guidelines.
Yahoo! Stores merchants typically do have a real merchant account, so they are required to follow the PCI DSS requirements just like a merchant using a standard credit card processing solution.
There is no way of getting around PCI DSS. If a merchant wishes to accept credit card payments, they will need to be compliant or risk getting fined and their services terminated no matter what method of accepting payments they use.
If the burden is in fact on the small business owner, what are some tips to simplify the process of becoming compliant?
There are several simple steps a merchant needs to take in order to achieve compliance. The best starting point is to fill out a Self-Assessment Questionnaire. Once the correct questionnaire is completed, the merchant will have a good idea of what they still need to do for compliance. A couple of the most important requirements are simple, such as having an information security policy that is used to train all employees on how to handle cardholder information securely. This security policy should cover things such as proper storage and disposal of sensitive cardholder data, such as receipt copies, and an information disclosure policy to ensure sensitive data is not accidentally disclosed to people who are not allowed to have access to it. Another easily achieved but important requirement is limiting access to cardholder information to those who have a business need for it. This usually limits access to management only, and limits access for those employees who do not need sensitive credit card information as part of their everyday job function.
Depending on how the merchant is processing transactions (dial-up, IP), there are different requirements that must be met. This is why the questionnaire is an important first step in achieving compliance.
Say a business doesn’t bother with PCI DSS compliance. Will Visa, Amex, MasterCard, etc. not let them complete transactions through their networks?
If a business does not comply with the PCI DSS, they run the risk of incurring penalties and fines from the card associations. Visa/MC will impose escalating fines on merchants that do not comply with the PCI DSS, and if they deem that the merchant is not putting forth an effort to comply, they may terminate the merchant's ability to accept Visa/MasterCard transactions.
Already, merchants cannot use payment applications identified by Visa as vulnerable, and VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA-DSS certified. Eventually, however, PCI compliance will be unavoidable for a business of any size, and merchants need to be aware of several important upcoming deadlines:

  • October 1, 2008 – Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA-DSS-adherent payment applications
  • October 1, 2009 – Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network
  • July 1, 2010 – Merchants must use PA-DSS-adherent applications to accept Visa transactions

Obviously, these deadlines will affect a huge number of existing businesses; it is vital that companies begin to research PCI DSS and their options for compliance now to ensure a smooth transition.
Laura Leites, Assistant Editor


About Ramon Ray

Ramon Ray, Marketing & Technology Evangelist, & Infusionsoft.

  • Lisa from PaySimple

    For small merchants that use third-party hosted services such as Yahoo Stores for all their credit card processing, certifying PCI compliance is a matter of taking a few common-sense steps and submitting a short 11-question self-assessment (SAQ-A).
    If your business can answer yes to the following requirements, you are a Type 4 MOTO merchant and qualify to certify PCI compliance using the simple Self-Assessment Questionnaire (SAQ-A).

    • You have a MOTO merchant account, and handle only card-not-present (mail order / telephone order and e-commerce) transactions.
    • You process fewer than 20,000 e-commerce credit card transactions per year, and fewer than one million total credit card transactions per year.
    • You enter all of your transactions directly into a third-party system, and you do not have any computer files that contain cardholder data.
    • Your third-party system is certified PCI compliant.
    • All documents containing credit card numbers stored by your company, such as authorization forms, are in paper format only.

    If you qualify for the 11-question SAQ-A, you will need to complete it by answering "yes" or "n/a" to all of the questions, and submit it to your acquirer (the company that issued your merchant account).
    The questions are largely based on your internal security policy, as outlined in Laura's article above; so if you don't have one, you'll need to create it, which is a good idea anyway. Don't forget to include as part of that policy that all vendors that have access to your customers' card numbers must also be PCI compliant.
    You can download SAQ-A here.
    One last important note: if you choose a third-party hosted service, you will not need to have your own systems undergo a security scan. If you install any software on your own computers, you will not qualify for the simple SAQ-A, and you will need to undergo quarterly security scans for your entire network. That's just one more reason why hosted payment processing systems make sense for small businesses.
    Yahoo Store is one good choice for a hosted system, particularly for e-commerce transactions using a shopping cart, as is Google Checkout.
    Resellers of offer a wide variety of systems using the back end in conjunction with its secure customer storage add-on.
    For a complete system solution that covers mail, telephone, and e-commerce transactions, I invite you to take a look at my company, PaySimple. We are a PCI Certified solution provider, and we've made it a point to know the ins and outs of PCI. We will do everything we can to help your small business through the process.