PCI Compliance
If you don't understand the current Payment Card Industry guidelines for your business, you may be putting yourself and your customers at risk

By Reed Richardson

Over the past three decades, as our society has increasingly shifted toward one where both consumers and merchants prefer credit over cash (as a recent Visa commercial not so subtly pointed out), the threat from fraud has also grown radically. Gone are the days when criminals were satisfied with the paper bills in your wallet; now they want the numbers on the plastic in your purse. So protecting all this financial data, which can be found everywhere from credit cards to company databases to online servers, must now be a major focus of even the smallest of businesses.

Make no mistake: credit card fraud is expensive. It cost U.S. consumers and businesses an estimated $3.2 billion in 2007, up more than 35% from just four years earlier, according to a tracking study by Celent Communications. Credit card security is now a major or moderate concern for more than three quarters of the population. And though small retailers have, so far, not been hit as hard, another recent survey found that as many as one in six had experienced online credit card fraud losses totaling more than 1% of their annual revenue.

Therefore, after years of merchant confusion over differing brand-specific requirements, and with massive credit card data breaches continuing, the five major card brands joined together to create a single standard for protecting cardholder data. The result was the Payment Card Industry Data Security Standard (PCI DSS), first published in December 2004 and now maintained by the PCI Security Standards Council (referred to in this article simply as the PCI), whose founding members are Visa, MasterCard, American Express, Discover, and JCB International (a Japanese credit card issuer). The PCI DSS is a set of 12 requirements covering how cardholder data is stored, processed, and transmitted; its goal is to keep that data, and the transaction information that goes with it, safe from hackers and any other malicious system intrusion.

"But I only process a few credit card payments a week on my website. Do these new rules apply to my small business?" you might ask. The likely answer is yes. "The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server, the server that you own or you added, then you are basically responsible for complying with PCI DSS," explains Khalid Kark, an analyst with Forrester Research. Note that the standard's scope is broader than storage alone: it applies to any system that stores, processes, or transmits cardholder data, so a merchant whose web server merely passes card numbers through to a processor is still in scope.

Get the Facts: Know Your Classification
To promote its compliance efforts, the PCI set up a website, http://www.pcicomplianceguide.org/, devoted to helping businesses understand these new expectations. Fortunately, the PCI recognized that data security, as well as the ability to invest in it, varies greatly with the size of the company. Accordingly, the PCI separates merchants into four levels, sorted by their total annual credit card transactions. Most small companies fall under either Level 3 or Level 4 (fewer than one million annual Visa or MasterCard transactions), with the distinction between the two set by the size of their online retail business: Level 3 companies process between 20,000 and one million e-commerce transactions a year, and Level 4 firms process fewer than 20,000.

Spurred on by massive data security breaches like the one at retailing giant TJX in 2005 and 2006, in which more than 45 million card accounts were compromised and the company took a $40.9 million hit to settle claims from Visa and its card-issuing banks, the PCI initially focused on bringing larger, Level 1 firms into the fold. Smaller businesses were able to meet the PCI's 12 requirements through a less rigorous process: completing an annual Self-Assessment Questionnaire (SAQ) and having their Internet-facing systems scanned quarterly by a PCI Approved Scanning Vendor (ASV). Both are fairly affordable for small businesses; the self-assessment is free, and many ASVs charge between $12 and $40 a month for their services.

Recently, however, the PCI has broadened its focus to smaller companies for two main reasons: volume and vulnerability. Despite their individual size, Level 4 merchants account for roughly 99% of all credit card merchants, and because of their limited resources they are more susceptible to security breaches. "Usually, Level 4 merchants do not have the technical expertise, nor the IT staff, to properly secure card holder data," notes Aaron Biddar, president of ControlScan, one of the PCI approved scanning vendors. "So, if I am a hacker, I'm going to go to the merchant that I know cannot afford the proper security or staff to mitigate that type of breach." As a result, Visa unveiled a new Level 4 merchant compliance program last May that seeks to educate small businesses on risk-profiling strategies and on how to minimize the amount of customer card data they store.

The Risks of Non-Compliance Are High
The role that the individual credit card companies play in the PCI compliance effort should not be overlooked, because enforcement of PCI compliance infractions is left to the specific card brands, like Visa, and their patience for non-compliance is quickly wearing thin. (In 2006, Visa alone levied almost $5 million in fines, and last year the company imposed an $880,000 penalty on the acquiring bank responsible for TJX's mishandled credit card data.) Although most fines and penalties levied by the card brands target acquiring banks rather than small businesses directly, merchant agreements commonly allow those banks to pass the cost on to the merchant, and there is a further financial incentive to comply: it takes only one confirmed data breach at a Level 4 merchant to get that company reclassified to Level 1, which requires far more comprehensive and expensive security checks and audits, including an annual on-site assessment.

Unfortunately, many businesses, both large and small, remain completely unaware of the PCI's requirements and the trouble they could encounter if they don't comply soon. In fact, a recent poll on the PCI compliance website found that a plurality of business owners (29%) didn't even know their merchant level classification, and a mere 11% said that they were currently in compliance. And, as might be expected, many myths about the topic have also blossomed.

In the end, PCI compliance should be considered just another cost of doing business in today's credit-obsessed world. And though it might require an outlay of some capital and be a bit of an inconvenience, weigh that against the cost of not safeguarding your customers' credit card data: the damage to your company's reputation and the expense of fighting a long, protracted lawsuit. That's a price no small business can afford to pay.

Safety Is Important Online Too
In an interview on PracticaleCommerce.com in October of last year, John Munsell, founder and CEO of Bizzuka, a web design and development firm, noted that online shoppers should make sure that any business website where they plan to make a transaction displays a symbol verifying that it uses an approved scanning vendor, such as ScanAlert (the Hacker Safe logo), ControlScan, Cybertrust, or VeriSign. "Merchants," he said, "should make sure that their vendors provide PCI compliance before proceeding." He also recommended checking that the vendor's compliance is ongoing, and not just at the time the website is delivered. "I've seen a lot of merchants buy a shopping cart that was PCI compliant at the time of delivery, but 48 hours later, the cart became non-compliant and the vendor either disappeared or asked for more money to retain compliance."

The Data-Less Retailer?
Still, Joe LaRocca, vice president of loss prevention for the National Retail Federation (NRF), pointed out in a recent article on that organization's stores.org website that PCI compliance does not guarantee that a retailer is safe from having its customer data compromised. As a remedy, the NRF is calling on banks and card brands to stop requiring merchants to store card data in any form. (The NRF's position is that card brand rules currently oblige retailers to keep card numbers for up to 18 months in order to handle refunds, chargebacks, and disputes.) "If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place," LaRocca explained. "If you're not storing any credit card data, there's no incentive for the criminals to breach your systems." The PCI DSS itself already pushes in this direction: Requirement 3 tells merchants to keep stored cardholder data to the minimum needed for business, legal, or regulatory purposes, to render the primary account number unreadable wherever it is stored, and never to retain sensitive authentication data such as the full magnetic stripe, the card verification code, or the PIN after authorization. A merchant that keeps only its processor's transaction reference, rather than the card number, both removes the data the criminals are after and shrinks the part of its systems that PCI DSS applies to.

Reed Richardson is an associate editor/writer for Business Minds magazine.
