What PCI rules mean for retailers and how to comply

Every business and organization that doesn’t still keep its money in a coffee can is finding that its banks and credit card companies are getting serious about safeguarding credit card information.

The focus of the industry in the last five years has been on larger companies, but now even the smallest are being brought into compliance with these standards. Compliance will safeguard customers, but at a cost, and with increased financial liability, to business owners.

It’s the Payment Card Industry Data Security Standard (PCI DSS, or just PCI), rules for safeguarding credit card information that apply to all organizations handling debit, credit, and pre-paid cards for American Express, Discover, Japan Credit Bureau (JCB), MasterCard, and Visa International.

The standards are written and administered by the Payment Card Industry Security Standards Council.

If PCI doesn’t work, federal law may step in. This was already threatened at a Congressional hearing on retail credit card security. State legislatures are also getting into the act, with 38 states having laws requiring notification of affected parties in case of credit card information security breaches.

The initial focus on PCI compliance, after it went into effect in 2006, was on larger retailers, and moved to smaller businesses over the past few years. Technically, all merchants have been required by the credit card industry to be PCI compliant since at least Jan. 1, 2008.

There is the oft-quoted statistic from Visa that, “More than 80 percent of compromises identified since 2005 are Level 4 merchants.” A Level 4 merchant is one with fewer than one million Visa transactions, or one with fewer than 20,000 electronic commerce transactions, a year. Visa also notes that although Level 4 merchants account for 80 percent of all compromises, those compromises involve only five percent of Visa’s potentially exposed accounts.

And even if PCI is not a law, you may wish it was. When PCI violations come to the attention of your card companies, they can levy fines from $5,000 to $100,000 a month.

The penalties for violating the PCI standards go through your bank, which means violations cause you problems with the bank as well as the credit card company. The fine for violation goes to the bank, which will pass it on to you, and the bank may take other actions against you as well.

You get PCI certification by filling out a questionnaire from your bank. Depending on the cards you have and certain aspects of your business, you may need to have your system tested with a scan. These scans might be required every 90 days to maintain certification.

PCI compliance protects cardholders in two broad ways.

  1. The standards prohibit a business from keeping certain card information on its customers. You can keep cardholders’ names and card numbers only if they are encrypted, and you can’t keep things like the card validation value (the three- or four-digit code), PINs or the full magnetic stripe data.
  2. The standards require retailers to have secure data processing and storage systems with adequate firewalls and wireless access protection. In some cases data can only be stored on computers not connected to the Internet.
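As an added example (not from the original article), here is a small Python audit check for stored records in the spirit of rule 1: it flags fields that hold data PCI forbids keeping (validation codes, PINs, track data) and Luhn-valid card numbers sitting in plaintext. The field names and sample records are constructed for illustration, and the card numbers are the standard public test numbers rather than real accounts.

```python
import re

# Field names that would indicate sensitive authentication data is being stored
# after authorization, which PCI DSS prohibits outright (constructed name list).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2", "mag_stripe"}

# 13-19 digits, optionally separated by spaces or dashes, as a PAN candidate
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn check: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_plaintext_pans(text):
    """Return Luhn-valid card numbers found unencrypted inside a string."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Keep first six and last four so the audit report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record):
    """Return findings for one stored record; an empty list means nothing prohibited was seen."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS and value not in (None, ""):
            findings.append(f"prohibited field stored: {key}")
        if isinstance(value, str):
            for pan in find_plaintext_pans(value):
                findings.append(f"plaintext PAN in {key}: {mask_pan(pan)}")
    return findings


def audit_all(records):
    """Audit every record; returns findings keyed by the index of each offending record."""
    return {i: f for i, f in ((i, audit_record(r)) for i, r in enumerate(records)) if f}


# Constructed sample records; "enc:" marks a ciphertext placeholder, not a real encryption scheme
SAMPLE_RECORDS = [
    {"name": "A. Customer", "pan_encrypted": "enc:BASE64CIPHERTEXT", "last4": "1111"},
    {"name": "B. Customer", "card": "4111 1111 1111 1111", "cvv": "123"},
    {"name": "C. Customer", "notes": "paid with 5500000000000004", "track2": "5500000000000004=2512"},
]

if __name__ == "__main__":
    for idx, findings in audit_all(SAMPLE_RECORDS).items():
        print(f"record {idx}: " + "; ".join(findings))
```

Only the first record passes: it keeps the card number encrypted and the last four digits, which is the kind of storage rule 1 allows.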

The PCI requirements also oblige retailers to have security systems that detect intrusions into their systems and take immediate action against them. A further safeguard is the requirement that the system be tested and validated periodically.

A simple way to handle this is to get your organization a comprehensive business software suite that manages all your data and is PCI compliant, but remember that you are still responsible yourself for the PCI compliance and for any problems that occur.
