Friday, February 19, 2010

The Truth About PCI Compliance

If you are using software to process credit card charges, you are handling someone's personal financial information, and you need to ensure that this information is protected from any attempt to compromise it, whether the attempt comes from inside your organization or from outside. Fines of up to $10M have been levied against fairly small businesses.

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global standard established by the major card associations to ensure the protection of cardholder data. Based on twelve guidelines, the PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. As a merchant accepting credit cards as a form of payment, you are required by the card associations to adhere to the PCI DSS. The PCI DSS encompasses the security programs from Visa and MasterCard, Cardholder Information Security Program (CISP) and Site Data Protection (SDP), respectively.

The PCI DSS sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates, such as the need to implement formal, documented security policies and vulnerability-management programs. These requirements were developed to ensure that cardholder data is protected throughout the transaction process. Compliance with the standard applies to all types of merchants: retail, mail order/telephone order, and Internet. All merchants need to follow best practices for the storage and destruction of all paper or electronic records containing account numbers or cardholder data. Additionally, merchant service providers that process credit cards need to be PCI compliant.

The more credit card transactions a merchant processes, the more stringent the compliance procedure. For most merchants, compliance consists of passing quarterly or annual network scans and completing an annual self-assessment questionnaire. If you process more than 20,000 e-commerce or 6 million total V/MC transactions per DBA (doing business as) annually, you will need to provide evidence of certification from a V/MC certified vendor. Penalties for failure to comply with the PCI requirements, failure to rectify a security issue, or failure to report a compromise are severe:

  • Possible restrictions on the merchant
  • Permanent prohibition of the merchant’s participation in card association programs
  • A fine of up to $500,000 per incident
  • Violation of applicable federal or state laws
  • Fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward)


Thursday, February 4, 2010

Small Business Loan Amounts Increase

A new Senate bill has been introduced to aid small businesses by increasing the guaranteed loan limit and extending, for one year, the fee eliminations due to expire under the Recovery Act. With 64% of all new jobs in the past 15 years created by small businesses, and 85% of the jobs lost belonging to the same sector, Senators Mary Landrieu, D-La., and Olympia Snowe, R-Maine, introduced new legislation to provide more capital for small businesses.

Senate Bill S.2869, the “Small Business Job Creation and Access to Capital Act of 2009,” would increase the small business loan limit to as high as $5.5 million. Both President Obama and SBA Administrator Karen Mills have come out in support of the concepts of the bill, and there is hope of it passing in early 2010.
