Several times during the course of the year at trade shows or on calls, get asked questions by business owners – do I really need to be PCI Compliant? It’s not a big deal because only big merchants get hacked and have issues! The underlining thought premise here – smaller merchants will not be a target.
Unfortunately, the above perspective comes with significant flaws as smaller businesses have been targeted, hacked and generally cannot survive the costs incurred. Bigger businesses get press when issues are presented, the smaller business will not make the reporting. The lack of reporting is what feeds the perception.
In a nutshell the PCI Security Standards Counsel (PCI SSC) created 4 merchant class levels based on the number of transactions a merchant transacts in a calendar year. Most small businesses will be either level 3 or 4. The difference is whether a merchant is processing more than 20,000 Visa e-commerce transactions in a given year. If less or any other transaction outside of Visa cards via e-commerce, the threshold is 1 million transactions and that classifies the merchant as a level 4.
The actual step for a merchant to become PCI Compliant is not complex just overlooked by the merchants and/or by their payment processing representative. If a merchant does not complete and submit the PCI – Self-Assessment Questionnaire, reaffirm annually (some may require quarterly scans), they are deemed non-compliant. That alone comes at a monthly expense which their payment processor will assess and be noted on the statement they receive.
The SAQ is not one size fits all. There are essentially five different types – based on how a merchant will accept and transact a payment card. Based on that type the questions will be geared. The actually completing of the PCI – SAQ generally can be done online via the payment processors – PCI Audit firm. In addition to the SAQ, if a merchant needs to have quarterly scans run of their website, IT environment, the enrollment and scan is done by the same audit firm. The total investment of time a merchant will need to complete the SAQ and if necessary details for scan can range from 20-55 minutes. Not a significant amount of time at all!
Another misunderstanding by merchants is that they are protected because the new payment technologies are secure. Their devices do point to point encryption and tokenize data. Correct some of the devices do that (not all), yet PCI Compliance goes beyond the actual device and require understanding of your IT environment, website, policies and procedures of the business. The compromise at Target was caused by a third party contractor leaving open a “back door” in which Malware was loaded into the POS environment. Were they PCI Compliant prior, yes. Did they follow policies and procedures, what is being understood is no, and ultimately that has impacted Target financially.
The PCI SSC rolls out new standards in fact later this year PCI DSS Version 3.2 is slated to take effect. Heck to many of the merchant class, whether is 3.2 or 1.0 – they have no clue. Never been compliant and generally never been informed. I have shared in prior articles you own a business and generally do proper due diligence when making a decision which can impact that business. Overlooking PCI and not becoming compliant contradicts such!
To help you understand which type of questionnaire your business will need to complete, talk to your payment processor. If they cannot assist or do not firmly know which one, reach out to us and we can help guide you accordingly.
The key here is becoming compliant. The monthly non-compliance fees the processor charges might seem nominal (around $20 or so) but if you are compromised and were not compliant the cost to reimburse card issuing banks for the fraudulent charges incurred against their base of cards, fines imposed by the payment brands and never leave out legal costs – it can cost you the business. In fact, it has happened, many small businesses do not survive a compromise.
This article is not meant to scare you but to awake those of you that have not completed this process. I am asked – what if I submit my SAQ and the way we transact is not compliant? Great question which then leads me to say – time to look at how your transacting and understand what is at risk. Maybe it’s a simple fix like adding Secured Socket Layer to your website. Could require an update on your Point of Sale or updating the payment card terminals. Could even be policy driven, how you take orders over the phone and record those orders. In the end – it will tell you what needs to be done and afford you the ability to make those adjustments to better secure your environment.
Is PCI DSS a law? The short answer is no. The long answer is that the payment card industry self regulates itself and according to the merchant card membership agreement every business signs in order to accept cards, they acknowledge they will understand and agree to the rules of card acceptance. Can the payment brands, card issuing banks and processors assess fees and fines, they certainly can? Again – you signed an agreement no different than your checking account agreement with your bank. Overdraft your checking account – can your bank impose a non-sufficient funds fee? The short answer is yes!
As I am heading off to another conference in two weeks, no doubt will be asked about PCI Compliance. Such a mystery yet really not that complicated when one takes the time to review it and complete the questionnaire. The majority of the audience reading this article, you are a level 4 which is simply completing the questionnaire and reaffirming it annually. If you are taking cards via a computer based software system whether local or cloud based – could require quarterly security scans. Again – this is not complicated and knowing that your secured and compliant is equivalent to making sure you have the proper hazard insurance on your business. Take the time to understand. SVBS
Joe Radest started his career in card payments in 1998 working for the industry giant First Data. Since FDC, Joe has worked with other notable processors – TSYS, Global Payments and Chase Paymentech. Over 4 years ago, Joe branched out on his own; providing complete end to end business process management and secured payment technology solutions, which affords business clients the ability to securely transact payments without having sensitive data touching their environment. He can be reached by phone at 770-731-0414 or by email at [email protected]