Practical eCommerce


PCI Compliance Coming to You


Since June of 2008, all merchants accepting credit cards have been required to become PCI-DSS compliant. PCI-DSS is a security standard intended to prevent and limit the losses that result when a business loses cardholder data, specifically credit card numbers. PCI-DSS compliance requires merchants to complete a self-assessment security questionnaire and to have their servers and network connections scanned for vulnerabilities every quarter. PCI has been rolled out to large businesses over the past several years, but compliance is now required for all businesses.

PCI-DSS is broken into four groups based on a business's processing volume and the number of transactions it processes per year. The largest group, Level 4 (merchants with fewer than 20,000 Visa ecommerce transactions or 1,000,000 total transactions per year), has largely been ignored as far as PCI is concerned. Even now, there is no fine for non-compliance by Level 4 merchants. PCI's initial focus was on ensuring that large businesses were secure, because a single data breach there can do far more damage, as the TJX and CardSystems breaches showed. But that's all about to change...

Under pressure from card issuers, the government, and consumer advocacy groups, Level 4 merchants are being forced to become PCI compliant. The penalty for not becoming PCI compliant is a monthly or yearly PCI fee, which can range from $20 - $30 per month to several hundred dollars per year. This trend started in July of 2008, and it looks set to become the standard in the processing industry. While your processor may not charge a PCI non-compliance fee right now, there's a good chance that it will in the near future.

Why are processors charging this?

Card issuers don't have the means to police the millions of businesses in the US and around the world, so they are placing liability for a data breach on credit card processors. Essentially, this means that the processor could be liable for all costs incurred if a non-compliant business suffers data loss. Most processors don't have anywhere near enough cash reserves to cover even a few small data breaches. A small breach of a few hundred card numbers can result in millions of dollars in damages.

The only option is an insurance fund to cover the costs of data breaches that a processor is liable for. These funds are built from the newly appearing fees that processors are passing on to their non-compliant customers. Unless processors are removed from the liability chain, these fees are likely to become standard.

What can you do to avoid these fees?

The answer is to become PCI compliant yourself. PCI scanning ranges from about $50 per year up into the hundreds, but in almost every case it is cheaper than the additional fees that processors have been forced to pass down. The PCI Standards Council maintains a list of approved PCI scanning vendors that are allowed to perform the quarterly scanning required for compliance.

PCI compliance is more than simply filling out the questionnaire and having your networks scanned for vulnerabilities; it requires you to actually maintain secure networks, computers, servers, software, and equipment. Most small businesses can't withstand the cost of a data breach, and security is a business owner's responsibility, no matter the size of the business, whether they want it or not.

Relevant resources:

PCI Security Standards Council
Visa's Cardholder Information Security Program - CISP
Mastercard Site Data Protection Program - SDP
PCI Blog

This post is filed under Tools, Tips and Suggestions and has the following keyword tags: PCI-DSS, Payment Processing, Data Security.
