Have you heard the news? The major card brands (American Express, Discover, JCB, Mastercard, and Visa) have joined together to create a security standard that your company must comply with if you want to continue accepting credit cards as a form of payment. The standard, known as PCI DSS (Payment Card Industry Data Security Standard), is maintained by the PCI Security Standards Council; it was first published in 2004, and the July 1, 2010 date you may have seen is one of the card brands' enforcement deadlines for merchants, not the origin of the standard. It is changing the way you take credit card payments. In most cases your bank (the acquirer that processes your card transactions) has taken much of the burden from you by ensuring its own systems are compliant, but the responsibility for your part of the system, and the liability if cardholder data is stolen from you, still falls to you.
Why would they do this?
Electronic theft has become much easier and safer for the thief than using a gun and a mask. Theft of cardholder data (card numbers, expiration dates, and the security codes used to authorize transactions) is rampant, and until all the players in the system (banks, merchants, and cardholders) accept that they share responsibility for securing that data, it will continue to be a serious problem. PCI DSS forces merchants to do their part in closing the holes in the system.
The bad news is that failure to comply can cost you the ability to accept cards at all. The worse news is that the standard shifts some of the costs of card theft onto the merchant (that's you, again). If cardholder data is stolen from your systems, the card brands can levy fines through your acquiring bank (figures as high as $500,000 per incident are commonly cited), and you can also be billed for the forensic investigation and assessed a fee for every card record that was compromised.
What is involved in PCI DSS?
There are 12 requirements that fall into six categories:
- Build and maintain a secure network (install and maintain a firewall configuration, and never use vendor-supplied default passwords or settings)
- Protect cardholder data (protect any card data you store, and encrypt it whenever it is sent across open, public networks such as the Internet)
- Maintain a vulnerability management program (use and keep updated anti-virus software, and keep systems and applications patched and securely developed)
- Implement strong access control measures (restrict access to cardholder data to those who need it for their job, give every user a unique ID, and restrict physical access to the data)
- Regularly monitor and test your networks (log and monitor all access to network resources and cardholder data, and regularly test your security systems and processes)
- Maintain an information security policy that addresses security for all personnel
The card brands will require that you demonstrate that your company is in compliance. The number of card transactions you process in a year (and certain other criteria, such as whether you have already suffered a breach) determines your merchant level, and your level determines exactly what you have to do to demonstrate compliance. At the very least, you will have to complete an annual Self-Assessment Questionnaire (SAQ) and have an Approved Scanning Vendor (ASV) perform a quarterly external vulnerability scan of your Internet-facing systems; the largest merchants must instead have an annual on-site assessment by a Qualified Security Assessor (QSA).
What you should do TODAY
- Read the additional information in the Resources section below. You must understand what your responsibilities are.
- Reduce the amount of cardholder data you handle. Do not store card numbers you do not need (and never store the security code after authorization), and keep the systems that do touch card data separate from the rest of your network, because every system that stores, processes, or transmits cardholder data is in scope for the standard.
- Ensure that the systems that remain in scope are as secure as possible. This may require that you hire an IT consulting firm with specific expertise in PCI compliance.
The Bottom Line
If you have an account set up with a merchant services provider that allows you to take a credit card for payment (even if you do it all on paper), you are affected by this standard. I strongly urge you to review the additional resources provided below and call your merchant account provider to confirm what you must do to be compliant.
Resources
What is PCI Compliance?