What is PCI Compliance and How Can It Affect Me?
The twentieth-century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. Weak security at merchants lets criminals easily steal and use consumers’ personal financial information from payment card transactions and processing systems.
It’s a serious problem – more than 510 million records with sensitive information have been breached since January 2005, according to PrivacyRights.org. As a merchant, you are at the center of payment card transactions so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem, including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.
A survey of businesses in the U.S. reveals activities that may put cardholder data at risk.*
- 81% store payment card numbers
- 73% store payment card expiration dates
- 71% store payment card verification codes
- 57% store customer data from the payment card magnetic stripe
- 16% store other personal data
Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.
Payment Card Industry (PCI) Compliance is a complex system put in place by the five major swipe card brands/associations. These are: Visa, MasterCard, American Express, Discover, and JCB. A merchant who accepts one of these brands is subject to PCI Compliance. Any debit, credit, or pre-paid swipe card is subject to the PCI Compliance rules.
The rules for compliance are set out in the PCI Data Security Standard (PCI DSS). The official site for the PCI Security Standards Council (SSC), which oversees and enforces PCI compliance, can be found here. The SSC mandates that compliance standards be in place prior to the transaction. Further compliance deadlines are set at various times. For most small to medium sized businesses, the deadline and enforcement will come from your merchant bank.
For PCI DSS, a merchant is any entity which accepts payments from one of the five brands. A merchant can also be a service provider if the merchant accepts cards for payments of goods or services on behalf of another entity. A service provider is subject to the same rules as a merchant.
Whether you use internet sales transactions or point-of-sale transactions, you must comply with PCI DSS. Use of even one swipe card in a merchant’s business in a calendar year places the merchant under PCI DSS. For merchants, use includes storage, transmission, or processing of cardholder data. The standards for compliance do vary with the number of transactions per year.
Merchants must complete a quarterly scan from a PCI SSC approved scanning vendor. Alpha Card Services is pleased to announce the upcoming launch of our new PCI Security website portal, where we will be able to help you evaluate and comply with the requirements of PCI DSS. This website will also help you to validate your compliance and complete an Attestation of Compliance. Contact one of our helpful representatives to learn more.
The purpose of these standards is to protect cardholder account data, beginning with the account number printed on the card. Merchants and any other service provider involved in the transaction process must never store sensitive authentication data after the authorization. This includes sensitive data printed on the card or stored on the magnetic stripe or chip, and personal information entered by the cardholder. When merchants comply with PCI DSS, it ensures a number of things:
- The cardholders will use their cards knowing their information is secure. This helps you because when consumers know their information is secure, they will want to use their card to purchase your goods or services.
- The merchant will not be subject to fines or sanctions from the SSC.
- The banks the merchant uses will not be directly fined by the SSC (these fines generally are passed down the line until the merchant bears the cost).
- Merchants’ own storage and information is secure from malicious attacks, intrusions, or computer hackers.
- Many states require merchants who have been compromised to reveal the information to the public. Compliance prevents this embarrassment and potential loss of business.
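The survey figures above and the "never store sensitive authentication data after authorization" rule both come down to one practical question for a merchant's own systems: is card data sitting in logs, databases or files where it should not be? The following is an added example, not code from this page, from Alpha Card Services or from MyPOSDepot, and not a substitute for the approved scanning vendor's quarterly scan. It shows two defensive checks a merchant's developer can run: a scanner that finds Luhn-valid card numbers and magnetic-stripe track data in text (here, constructed log lines), and a sanitizer that strips verification codes and track data from a transaction record and truncates the account number before anything is persisted. The regular expressions, field names and sample lines are all assumptions constructed for the example.

```python
import re

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated
# by single spaces or dashes, not adjacent to other digits. Assumed pattern.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified magnetic-stripe framing: track 1 ("%B<PAN>^<name>^<YYMM>") and
# track 2 (";<PAN>=<YYMM>"). Assumed pattern, enough to flag raw stripe data.
TRACK_PATTERN = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}|;\d{13,19}=\d{4}")

# Sensitive authentication data that must never be stored after authorization.
# Field names are assumptions for the example record layout.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from order ids, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in a piece of text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log_lines(lines: list) -> list:
    """Report (line number, kind, detail) for card data that leaked into logs.
    The PAN itself is reported masked so the report does not become a second leak."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "pan", mask_pan(pan)))
        if TRACK_PATTERN.search(line):
            findings.append((n, "track", "magnetic-stripe track data"))
    return findings


def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and truncate the PAN before persisting."""
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue                      # never stored, not even encrypted
        if name == "pan":
            clean[key] = mask_pan(value)  # truncated form is all most merchants need
        else:
            clean[key] = value
    return clean


# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_LOG_LINES = [
    "2024-01-15 10:32:01 INFO order=8832 card=4111 1111 1111 1111 exp=12/26 cvv=123 amount=49.99",
    "2024-01-15 10:32:05 DEBUG raw swipe track2=;4111111111111111=2612101?",
    "2024-01-15 10:32:09 INFO order=1234567890123456 status=approved",
]

# Constructed sample transaction record as it might arrive from a terminal.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "exp": "12/26",
    "cvv": "123",
    "track2": ";4111111111111111=2612101?",
    "name": "J DOE",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print("leak:", finding)
    print("stored:", sanitize_for_storage(SAMPLE_RECORD))
```

On the sample input the scanner flags the first two lines (the third line's 16-digit order id fails the Luhn check and is correctly ignored), and the sanitized record keeps only the truncated account number, expiry, name and authorization code. A real deployment would run the scanner over application logs, database dumps and backups on a schedule, and would treat any finding as an incident to be cleaned up rather than a warning to be filed.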
How Do I Know My Customers Are Protected?
As a merchant you might wonder how you can comply with the standards and also ensure protection of your customers’ information. By utilizing our PCI Security website portal, and other safety measures, you can achieve maximum security of information.
First, Visa has promulgated a list of best practices for merchants. Although it is not all-encompassing, it will help small to medium sized businesses protect themselves and their customers. Some of these practices include using a payment systems provider with a good reputation for keeping its processing software up to date, not sharing access credentials for firewalls or secured networks, and not hiring cyber-criminals.
Second, one can avoid some common downfalls. Perhaps the most common is that small businesses with few transactions believe that an SSL certificate is sufficient to ensure compliance. This is incorrect. Also, some small businesses that are run from homes are particularly targeted by hackers. This means that those who run small businesses should ensure they have a secure network and a good processing center.
Finally, merchants can ensure they have secure payment gateways. A payment gateway is the method through which a merchant is connected to the actual bank. Often these gateways are facilitated by processors, such as MyPOSDepot, and so finding a secure gateway is as simple as finding a good processor.
Dealing with PCI Compliance does not have to be a painful process, and is helpful to both you, the merchant, and to your customers. As we launch our brand new PCI Security portal, you can be assured that we will help you to comply with PCI DSS and that we will be using state-of-the-art software and security systems to ensure that our services to you will not be compromised. As small to medium sized businesses are the most vulnerable to hacking and are targeted by banks for compliance issues, any Level 4 merchant needs to make sure it has a good partner in swipe card processing. Contact one of our representatives for help today.
*Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
Grant Rowlands
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368