My Merchant Services Contract Requires Me To Do What??
If you are reading this article and your business accepts credit card payments from clients, it is highly likely you fall under the Payment Card Industry Data Security Standard (PCI DSS) as a Level 4 merchant (under Visa's definitions, a merchant processing fewer than 20,000 Visa e-commerce transactions per year, or up to 1 million Visa transactions per year through any channel). What does that mean to you, and should you care? It means quite a lot, and ignorance is far from bliss. Buried in your merchant services contract, you will find that you are subject to stiff fines for non-compliance (levied by the card brands on your acquiring bank and passed through to you). Even worse, non-compliance is evidence of negligence on your part if a security breach turns into a civil or class-action lawsuit from disgruntled clients seeking both restitution and vengeance.
If this is news to you, you are not alone. The PCI Security Standards Council (PCI SSC), which maintains the standard, was founded in 2006 by the five major card brands: Visa, MasterCard, American Express, Discover, and JCB International. The PCI DSS grew out of the separate, proprietary security programs each card brand had established to protect its cardholder data. Naturally, multiple and dissimilar standards caused confusion among merchants, and under pressure the card brands came together to create a single, international standard for protecting cardholder data.
These requirements draw on ISO/IEC 17799 (published by the International Organization for Standardization and since renumbered ISO/IEC 27002), the internationally recognized code of practice for information security management. Rooted in that standard, the six main objectives for PCI DSS compliance are for merchants to (1) build and maintain a secure network, (2) protect cardholder data, (3) maintain a vulnerability management program, (4) implement strong access control measures, (5) regularly monitor and test networks, and (6) maintain an information security policy. Together these six objectives group the standard's twelve requirements.
The most fundamental concept is to “build and maintain a secure network,” since that truly encompasses why the PCI DSS and similar standards exist in the first place. In simple terms, companies must have policies, procedures, standards, and guidelines in place that address physical security, technical security, and management responsibilities: how computers are maintained, how data is processed and stored, and what users are responsible for. This affects a newly established, 2-employee Limited Liability Company just as much as it affects a 200-employee corporation that has been in business for 75 years. When the consequences range from fines to devastating lawsuits, precautionary investments pale in comparison to the reactive costs of cleaning up after a breach at a non-compliant business.
A Case For Compliance
A case in point is TJX Companies, Inc. (TJX). As the parent company of T.J. Maxx and Marshalls department stores, it faces more than a dozen class-action lawsuits for non-compliance in what is currently considered the single largest data breach in history. Their lack of information security standards opened their entire international business operation to data theft. The intruders were inside the network for well over a year before the theft was detected, and in that time they stole the card data of tens of millions of customers. The after-effects will take years to clean up and are expected to cost TJX $1 billion in remediation costs, fines, and lawsuits.
Requirement 12 – You Can Run, But You Can’t Hide
Level 4 merchants are now getting much more attention from the card brands and acquiring banks, since these smaller businesses tend not to have very secure networks, which makes them an ultimate playground for hackers. Validation requirements for Level 4 merchants are set by the card brands and your acquirer, not by the PCI SSC, and they are lighter than the on-site assessment required of the largest merchants: typically an annual self-assessment questionnaire and, where your acquirer requires it, quarterly external vulnerability scans by an Approved Scanning Vendor. Lighter validation does not mean lighter obligations, though; Level 4 merchants must still meet the full PCI DSS for creating and maintaining a secure network. Requirement 12 of the PCI DSS specifically states that merchants must “maintain a policy that addresses information security” as part of their compliance requirements.
There are both technical and administrative tasks associated with implementing PCI Compliance standards in your business. Here are some tips for you to make the process easier:
- Implement Information Security policies for all users. Many security breaches actually happen within an organization, so it is critical that your policies are clear to your employees. Don't just send an e-mail to the employees who will be involved in these transactions. Instead, have meetings and issue printed information.
- Ensure all employees sign a statement that they understand and will abide by the policies. Keep thorough records (and backups of those records) documenting how your business complies with the PCI DSS and how that compliance was validated.
- Be involved in all IT decisions regarding how your organization will comply with the regulations. Do not assume anything! Assumptions can cost your company tens of thousands of dollars.
Now that you have a better understanding of the PCI DSS requirements and their impact on your business and your customers, you must implement these standards. To take the PCI DSS self-assessment questionnaire (SAQ), published by the PCI Security Standards Council, visit www.isecuritypolicy.com/PCI. This is a straightforward “Yes or No” questionnaire that a small merchant can complete in a short sitting. You may need input from your IT staff or service provider for certain questions, but it will be worth the effort to see how your company is affected by the PCI DSS.
If you need a set of information security policies, procedures, standards, and guidelines specifically tailored to small and medium businesses, visit www.iSecurityPolicy.com, where you can purchase a customized Information Security Policy Manual (ISPM) for $435. This is a bargain compared to the alternative of hiring a dedicated information security consultant for the sole purpose of creating the same product.
A good resource for Level 4 merchants is online training or eLearning. There's a great resource at http://aegenistraining.com/ where Level 3 and 4 merchants can learn the basics of compliance and have the opportunity to take other courses if interested.
Posted by: Mike | May 04, 2008 at 02:32 PM
Your link to the questionnaire is not correct. Please refer to the 1.1 version release in Feb. 2008 for the correct version.
Posted by: Rob | May 05, 2008 at 02:59 AM
Good catch, Rob. I updated the link to v1.1.
Posted by: Tom | May 10, 2008 at 04:28 PM