If you are using software to process credit card charges, you are processing someone's personal financial information, and you need to ensure that this information is safe from any attempt at compromising it, internal attempts as well as external attempts. Fines of up to $10M have been levied against fairly small businesses.
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global standard established by the major card associations to ensure the protection of cardholder data. Based on twelve guidelines, the PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. As a merchant accepting credit cards as a form of payment, you are required by the card associations to adhere to the PCI DSS. The PCI DSS encompasses the security programs from Visa and MasterCard, Cardholder Information Security Program (CISP) and Site Data Protection (SDP), respectively.
The PCI DSS sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates, such as the need to implement formal and documented security policies and vulnerability-management programs. They were developed to ensure that cardholder data is protected throughout the transaction process. Compliance with the standard applies to all types of merchants, retail, Mail Order/Telephone Order, and Internet. All merchants need to follow best practices for storage and destruction of all paper or electronic records containing account numbers or cardholder data. Additionally, merchant service providers processing credit cards need to be PCI compliant.
The more credit card transactions a merchant processes, the more stringent the compliance procedure. For most merchants, compliance consists of passing quarterly or annual network scans and completing an annual self-assessment questionnaire. If you process more than 20,000 e-commerce or 6 million total V/MC transactions per DBA (doing business as) annually, you will need to provide evidence of certification from a V/MC certified vendor. Penalties for failure to comply with the PCI requirements, failure to rectify a security issue, or failure to report a compromise are severe:
- Possible restrictions on the merchant
- Permanent prohibition of the merchant’s participation in card association programs
- A fine of up to $500,000 per incident
- Violation of applicable federal or state laws
- Fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward)
To read more on this topic, click here.