What Is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) consists of requirements designed to ensure that all businesses that process, store or transmit credit card information maintain a secure environment. All merchants who accept credit, debit, or card-association-labeled prepaid cards, regardless of size or number of transactions, must be PCI compliant. PCI compliance is to be taken very seriously. In fact, small merchants and home businesses may be the most susceptible to hackers.

Where to find specific information on PCI compliance?
The Payment Card Industry Security Standards Council (PCI SSC) was launched to manage the ongoing evolution of the Payment Card Industry (PCI) security standards. Its primary focus is on improving cardholder data security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major card associations (Visa, MasterCard, American Express, Discover and JCB).
The PCI SSC is where a merchant can go to find what he needs to know about the PCI Security Standards. Merchants can also find out why and how to become compliant with the PCI Security Standards. To access the standards, go to www.pcisecuritystandards.org/security_standards/pci_dss.shtml

What are the penalties for noncompliance?
The penalties can be catastrophic for small to medium-size businesses. The card associations have the ability to fine the acquiring bank up to $100,000 per month for PCI compliance violations. The banks will pass this fine on to the acquirer, who will push the fine downstream until it eventually hits the merchant. Furthermore, the bank may either terminate your relationship or increase transaction fees.

Make sure all equipment and software is PA-DSS compliant!
When discussing with a distributor or salesperson any equipment or software that processes, stores or transmits credit card information, make sure it is PA-DSS compliant. PA-DSS refers to the Payment Application Data Security Standard maintained by the PCI Security Standards Council. You may hear the term "PABP" as well. To address the critical issue of payment application security, in 2005 Visa created the Payment Application Best Practices (PABP) requirements to ensure vendors provided products which supported the merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. See www.visa.com/pabp for more information. However, PABP is being transitioned to the PCI Security Standards Council (PCI SSC).

What should you do if your cardholder data is compromised?
Go to http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf to review the specific procedure.
Your state may also have a law requiring data breach notifications. California implemented a breach notification law in 2003, and now around 40 other states have similar laws in place. See www.privacyrights.org for more detail on state laws.