The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
“PCI compliance symbolizes the unity of all card brands setting a standard to protect cardholder data,” says Brian Maruna, a merchant banker with FirstMerit Bank. “Before the PCI council was established, each card brand had its own standards for security. With PCI, all brands now utilize a single standard with the expectation of having secure card data.”
Merchants who do not adhere to these standards run the risk of having significant fines levied against them.
Smart Business spoke with Maruna about how companies can use PCI standards to improve transaction security.
What is the importance of PCI compliance?
PCI compliance helps protect both merchants and consumers; it obviously helps reduce fraud. Merchants who have realized breaches and compromises historically have not been PCI compliant. While current PCI compliance requirements are not the all-encompassing answer to fraud, it is a process merchants can follow to secure credit card data for their customers.
What do merchants have to do to ensure that they are compliant?
All merchants are expected to be compliant. The newest requirement is the validation of their compliance. At minimum, everyone needs to complete an annual questionnaire. The content of the questionnaire is determined by a merchant’s processing practices and how they obtain the cardholders’ information: through e-mail, phone or fax, or from the actual card. An additional issue is if credit card information is stored on their computer systems and how it is stored.
For example, if you’re an Internet merchant that receives credit card information via e-mail, your questionnaire is going to be more complex than someone who receives the information over the phone. Merchants who actually process orders through their Web sites are required to have their sites scanned on a quarterly basis to ensure they are not vulnerable to a breach.
What are the penalties of noncompliance?
If a merchant is breached and is found to be noncompliant, the first and most important casualty is the loss of public trust, which can have a major impact on all merchants. If a breach occurs, the merchant is required to have a forensic investigation performed, for which the cost can be quite substantial. In addition, there are the fees and fines levied by each of the card brands and those fees could add up to hundreds of thousands of dollars. For small business merchants, this would be enough to put them out of business.
What would you recommend a merchant do to avoid that situation?
Follow the PCI standards as they’re written to the letter. Many merchants want to take shortcuts and circumvent the process. Merchants need to properly manage their risk and protect payment card data.
Many merchants are challenged by the cost involved to upgrade their systems to properly process and store data. Costs can greatly vary, from a few hundred dollars to thousands of dollars, depending on their system. However, the cost of not doing it could be far greater.
The media will report on breaches that have occurred at large retailers or large card processors. However, they don’t report on the small or average-sized merchants and businesses that are compromised. You’d be surprised by the number.
Small businesses say, ‘PCI seems pretty serious, but it doesn’t really apply to me because I’m not a large national retail chain. I’m just a small mom-and-pop store in Ohio, so it’s not a big concern for me.’ Actually, it truly is. It’s just as important for the small businesses as it is for the larger ones, and considering the costs of noncompliance listed above, it’s probably more important.
How do merchant services tie in with PCI compliance?
Merchant services, such as e-check, help curb fraud and improve transaction security. E-check is the ability to convert a check into an electronic transaction in order to speed up the availability of your funds. Typically, you can also opt to have the e-check transaction guaranteed. Depending on your average ticket, eliminating one to three returned checks a month may pay for this service and will reduce your overall exposure. As an added benefit, you may be able to reduce the number of times you have to pay employees to run to the bank to make deposits.
But, be careful with merchant services. As with everything in life, you get what you pay for. Make sure the deal is as good as you think. Do your homework on the actual provider and its stability, not just its sponsor bank. If you pick a bank that directly offers merchant services, you get the added advantage that the bank can track all of your activity from point of sale to what is deposited in your account. When there is a problem with settlement of your card or e-check services, this can save headaches and time trying to work through issues with two different entities.
Brian Maruna is a merchant banker with FirstMerit Bank. Reach him at (216) 251-5102 or Brian.Maruna@firstmerit.com.