PCI Security Standards and Small Businesses (Part 1)

If you handle payment cards, you’ve probably heard of PCI.

More than likely you’ve seen their name (as PCI or PCI DSS) on your statement as a type of transaction fee or a monthly or annual fee.  You’ve likely heard of PCI security standards, and probably the term “PCI compliance.” You may be wondering “Who the heck are these people and what are they doing on my statement?” Let us formally introduce you and tell you why PCI security standards are important to your business and the credit card industry.

PCI’s website will tell you that they are a “global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.” Makes it sound like some organization based in Switzerland, doesn’t it? Basically, in 2006, American Express, Discover, JCB (a Japanese credit card issuer), MasterCard, and Visa (the “Big Five”) got together and formed this organization: the Payment Card Industry Security Standards Council, or PCI SSC.

The Council is charged with creating standards and best practices to protect payment card data wherever it exists, from paper receipts in the back room of a merchant, to the transmission networks, to the largest data systems in the largest merchants and banks. While the organization is staffed by employees of the Big Five, other organizations like acquiring banks, payment processors and terminal manufacturers can participate through special interest groups. All participants can make recommendations, but PCI owns the ball, and if you don’t want to play by their rules you may have to go home.

PCI has a rather large website, and we encourage anyone interested to visit it. The website can be a bit hard to understand at times. Here’s one example of writing from the PCI site:

“Payment Application Qualified Security Assessor (PA-QSA) Companies are organizations that have been qualified by the PCI Security Standards Council to perform PA-DSS Assessments for PA-DSS Program purposes. PA-QSA Employees are individuals who are employed by a PA-QSA Company and have satisfied all PA-QSA Qualification Requirements applicable to employees of PA-QSA Companies who will conduct PA-DSS Assessments, as described in further detail in the PA-QSA Qualification Requirements.”

OK, if you understood that on your first reading, raise your hand – and let’s move on to explore PCI in simpler terms if we can.

In a nutshell, PCI is trying to force everyone who touches payment cards to protect the six most important pieces of information in a credit/debit card transaction: the account number, the expiration date, the cardholder name, the magnetic-stripe data, the chip data (if the card has a chip) and that little three-digit security code on the back of the card (American Express prints a four-digit code on the front). The standard treats these two groups differently: the account number, expiration date and cardholder name may be stored if they are protected (the account number must be rendered unreadable, for example by truncating it), while the stripe data, chip data and security code may never be stored at all once a transaction has been authorized, not even encrypted.
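What that rule looks like in practice is easier to see in code. The following Python is an added example written for this article, not anything published by the PCI Security Standards Council: it sanitizes a transaction record before storage (truncating the account number to at most the first six and last four digits, and dropping the stripe, chip and security-code fields entirely) and scans free text such as a receipt or log file for card numbers that someone forgot to mask, using the Luhn check digit that every real card number passes. The field names and the receipt text are constructed for the example; 4111111111111111 and 4111111111111112 are a well-known test number and a deliberately corrupted copy of it, not real accounts.

```python
import re

# Fields PCI DSS calls "sensitive authentication data": full magnetic-stripe
# track data, chip data and the card security code. None of these may be kept
# after authorization, so the sanitizer drops them outright.
# (Field names are an assumption for this example, not a standard layout.)
SAD_FIELDS = ("track1", "track2", "chip_data", "cvv")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check: True for every correctly formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate an account number to first six + last four, masking the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible account number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(txn: dict) -> dict:
    """Return a copy of a transaction record that is safe to keep on disk."""
    safe = {}
    for key, value in txn.items():
        if key in SAD_FIELDS:
            continue                    # never persist sensitive auth data
        if key == "pan":
            safe[key] = mask_pan(value)  # cardholder data: store truncated
        else:
            safe[key] = value           # name, expiry, amount, etc.
    return safe


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run. Luhn filtering below removes most false positives.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return unmasked card numbers found in free text (receipts, logs)."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record; the stripe and code fields must not survive.
    record = {
        "pan": "4111 1111 1111 1111",
        "name": "J DOE",
        "exp": "12/26",
        "amount": "12.34",
        "track2": "4111111111111111=26121011000012345678",
        "cvv": "123",
    }
    print(sanitize_for_storage(record))
    # Constructed receipt text: one real-format number, one that fails Luhn.
    receipt = "Receipt: 4111 1111 1111 1111 total $12.34 ref 4111111111111112"
    print(find_pans(receipt))
```

Running find_pans over exported receipts, point-of-sale logs and spreadsheets is a cheap way to discover whether the shoebox problem described below exists in digital form on your own systems; anything it reports should be truncated or deleted, not just encrypted.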

Forcing the industry to protect that information is not a bad thing.

Now you may be saying that you’re just a small merchant, not some national chain with hundreds of locations, so PCI doesn’t apply to you. But what happens if somebody breaks into your back room?

Will they find shoeboxes filled with old payment card receipts with all your loyal customers’ information on them and use them to steal your customers’ identities?

What if somebody hacks your in-store WiFi network and gets your customers’ information that way?

Either way is a quick route to losing your customers and possibly getting sued by them. Then there’s the likelihood of bank fines and other headaches that will land on you quickly after a security breach.

Say goodbye to your dream business. And, by the way, if you used your personal bank account or even your house as a guarantee to your processor or acquirer, those could be at risk as well. If you’re a larger merchant there’s also the possibility of recurring FTC audits and FTC fines.

Don’t think it can happen to you? Think again…

In Part 2 of PCI Security, I’ll give you some glimpses into real-life scenarios and the sobering truth about PCI compliance. Read on …