WELCOME AND THANKS FOR COMING BY

The subject of credit card processing is not one of the favorites of any merchant. Each month, when they receive their statement in the mail, they cringe at the fees they've had to pay for this "privilege" of accepting credit cards for payment. This blog is meant to provide a more thorough understanding of how the industry works, what makes up the fees that you are paying and how you can improve on them. So, come by often or, better yet, subscribe to the RSS feed below and you'll be notified any time there is an update.

Monday, September 28, 2009

PCI Compliance…Are you at risk?

AS A MERCHANT, HAVE YOU EVER...

  • Processed a credit card transaction at your business and noticed the receipts contained the full credit card number and the expiration date? How about your copy of the receipt? If so, you are NOT COMPLIANT AND AT RISK.
  • Stored credit card numbers in a binder or on your computer in a spreadsheet for recurring billing? NON-COMPLIANT!!!
  • Configured your router or computer and used an easy, generic password such as 1-2-3-4? HACKERS LOVE THIS….YOU AND YOUR CUSTOMERS ARE AT RISK. Create your own password and never use default passwords.
  • Had your terminal go down and started keeping credit card data written in a spreadsheet on your computer to charge the client later?
  • Imprinted a card and written down the CVV data (3-digit security code on back or 4-digit code on the front of the card)?
  • Not renewed your anti-virus software on your computer?
  • Spent years storing your receipts in a shoe box in your back office?

You may have seen in the news in recent months the huge data breaches that took place, which resulted in millions of credit card numbers being compromised. A couple of huge payment processors and a major retailer were hacked into. You would think that these types of entities are the main targets of these international fraudsters. However, as larger companies put more security in place, hackers and thieves are beginning to focus their attention on small, local, mom and pop type organizations. Consequently, you absolutely need to be aware and alert for the safety of you, your business and your customers.

PCI DSS is the real buzz phrase in the payments industry these days. It stands for Payment Card Industry Data Security Standards. Compliance is a standard of security established for any business that processes credit cards. Whether you have a computerized POS system, process over a phone and do manual imprints, process through a credit card terminal or have an e-commerce website taking orders, PCI establishes a series of best practices and minimum security protocols that must be observed for your business type.

Through the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159, the U.S. Congress preempted what some individual states mandated on credit and debit card truncation to set a national standard. Under Title 1, Section 113 of the act, only the last five digits of the card account number can be printed on electronically printed receipts provided to the customer. The laws vary by state regarding truncation of the merchant's copy. Some states carry it even further and say that the expiration date can't appear on receipts either. To be on the safe side, I would suggest that you make certain that both copies are truncated totally. If your receipts are showing more than is allowed, contact your processor, or POS vendor, immediately and have them assist you in becoming fully compliant.
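The checklist above (full card numbers on receipts, card numbers kept in a spreadsheet) and the truncation rule just described can both be checked with a small script. The following is an added example, not code from this blog or from any processor or POS vendor: it scans a block of text for card numbers that pass the Luhn checksum, reports whether a full number or a labelled expiration date is present, and produces a truncated copy of a receipt. The receipt text is constructed for the example, and 4111111111111111 is a well-known Visa test number that is issued to no one. The default keeps only the last four digits, which is stricter than the five digits the act allows; raise `keep_last` to five if that is the limit you want. The same `audit` function generalizes to an exported spreadsheet or any other text file you want to check for stored card data.

```python
import re

# Constructed sample input standing in for a printed receipt or a spreadsheet
# export. 4111111111111111 is a well-known Visa test number (passes the Luhn
# check, issued to no one); it is here only so the detector has something to find.
SAMPLE_RECEIPT = """\
ACME HARDWARE        09/28/2009
VISA 4111111111111111 EXP 12/11
AUTH 123456   TOTAL $42.17
INVOICE 100345
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# An expiration date only when it is labelled as one, so the sale date survives.
EXP_RE = re.compile(r"\bEXP(?:IRES)?[:\s]*\d{2}/\d{2,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(digits: str, keep_last: int = 4) -> str:
    """Mask all but the last keep_last digits. The act allows at most the last
    five on the customer copy; four is the conservative default used here."""
    if keep_last > 5:
        raise ValueError("receipts may show at most the last five digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def sanitize_receipt(text: str, keep_last: int = 4) -> str:
    """Truncate every card number and blank out labelled expiration dates."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits, keep_last) if luhn_ok(digits) else m.group(0)
    text = PAN_RE.sub(mask, text)
    return EXP_RE.sub("EXP **/**", text)


def audit(text: str) -> dict:
    """Report what a compliance check would flag in a receipt or a stored file."""
    pans = find_pans(text)
    has_expiry = bool(EXP_RE.search(text))
    return {
        "full_pans": len(pans),
        "expiry_printed": has_expiry,
        "compliant": not pans and not has_expiry,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RECEIPT))                      # flags the full number and expiry
    print(sanitize_receipt(SAMPLE_RECEIPT))           # truncated copy
    print(audit(sanitize_receipt(SAMPLE_RECEIPT)))    # now compliant
```

The Luhn check is what keeps invoice numbers, phone numbers and authorization codes from being reported as card numbers; a run of 13 to 19 digits that fails the checksum is ignored. Run `audit` over the files on the back-office computer before deciding the spreadsheet problem does not apply to you.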

While you're at it, ask your processor about any PCI compliance fees they may now, or in the future, be charging you. Some are using this as a new revenue stream and charging excessive monthly or annual fees, or both, with no corresponding benefits.