If your business accepts credit cards, you have probably been recently advised that you will be charged a new annual fee to pay for the cost of keeping your business compliant with the latest required credit card security regulations as handed down by Visa, MasterCard, Discover and American Express. This article will explain what compliance is all about.
First of all, let’s get a few terms explained.
PCI stands for Payment Card Industry. DSS stands for Data Security Standard. The credit card issuers have suffered huge losses due to credit card fraud and they have decided to take new steps to prevent as much of that as possible. These steps include coordinating with merchants to establish and enforce new credit card number protection strategies including the better encryption of credit card numbers when transmitted during a sales authorization by a merchant, and storage of customer credit card data afterward.
There are basically two ways to get a sale authorized: either using a credit card terminal next to your cash register (or integrated into your POS) or via Internet. Some merchants use a dial-up terminal and others use a high-speed Internet connection. Either way, the card issuers are concerned that transaction data be transmitted securely. There have been many headlines about breeches, wherein hundreds of thousands, even millions of credit card numbers are stolen. Hackers tap into phone lines and Internet connections every day.
So – here we are. Every bank and other credit card processing company will be passing on the cost of these increased security standards to their merchants. So please do not go cancelling your merchant account or trying to switch to another processor who does not or will not charge you this compliance fee, because you are going to have this fee from now on, regardless of which processor you are with.
Now, let’s talk about what you, as a merchant, will have to do to become and remain compliant with PCI DSS.
Your cooperation begins with a Self-Assessment Questionnaire. (SAQ) You can complete this questionnaire online and you will be getting a link to do so in your merchant account statement this month or very soon. The questionnaire will tell security departments how you process credit cards and from your answers you will receive instructions as to any further steps you need to take, if any.
One determination that will be made is what merchant level you fall under, and this is simply a matter of how many transactions you process annually. Levels 1 through 4, Level 1 being over 6,000,000 transactions per year and Level 4 being fewer than 20,000 transactions annually.
If you only use a dial-up line for your terminal, that will be about all you need to do. If you process transactions online or otherwise use a connection to the Internet to transmit data, a security scan will need to be performed to check for vulnerabilities anywhere along your Internet connection.
In either case, after you complete the SAQ you will be advised of the next step to take, if any. And once you are deemed compliant, your credit card processor will be notified and you are done. There is even a logo you can display on your website to let customers know you are compliant, and this will enhance customer confidence in your business.
If you are not being asked to become PCI DSS-compliant by your credit card processor, be concerned. One large processor that did not bother with this new requirement suffered a data security breech and now faces fines in excess of half a billion dollars. And you, as a merchant, are liable for up to $500,000 in fines for breeches that occur.
The annual compliance fee is not that much and is a small price to pay, as a cost of doing business, to safeguard your customers’ data.