When you purchase an item, you may not think twice about handing over your credit card. But with credit card fraud and identity theft happening to more than 10 million Americans each year, you need to make sure your information is secure.
The Payment Card Industry Data Security Standards (PCI-DSS), put into place in 2008, are a group of 12 broad rules, 61 processes and 148 sub-processes that define what companies accepting credit card transactions need to do in order to protect the security of cardholders’ information.
“Businesses are required to demonstrate their compliance, depending upon the quantity of credit card transactions they process, and the nature of the technology they use to process those transactions,” says Michael R. Dickson, CPA, CISA, CISM, director, Business Technology Group, GBQ Partners LLC.
If you’re a large merchant (Level 1), you’ll be required to submit to a third-party assessment of your PCI compliance. Smaller organizations (Levels 2-4) may engage a third party to assist them in completing the annual self-assessments and quarterly security scans.
Smart Business spoke with Dickson about the PCI-DSS and how to make sure your company is compliant with these standards.
How does PCI-DSS affect businesses?
The major credit card issuers developed the standards. Their vested interest in securing cardholder data and the merchants who use their cards is to reduce fraud and prevent financial losses. Initially, each of these institutions developed their own standards. They were all similar and aimed at protecting the privacy of user information, but they had their own specific way of communicating and enforcing these rules. PCI-DSS was designed to be adaptable to all brand institutions, so a business can be confident that, if they’re following these particular standards, they are in compliance with all bank rules.
The qualified assessments or self-assessments required for compliance give information about your organization and how you conduct business with your customers. The requirements are based on your size, the nature of your technology, and how you actually process cards.
What are some key things you need to understand about being PCI-DSS compliant?
Non-compliance has consequences. Many businesses, especially smaller ones, take a rather casual approach to compliance. Oftentimes, someone in the IT department will print off a form and check a bunch of boxes to say they are in compliance with the requirements, but won’t go into detail about how they do it. The business owner then signs the form without really understanding what the requirements are, and how well their organization is doing to meet the requirements. There’s a big risk for companies that take shortcuts. Consequences include potentially huge fines and the costs of notification, not to mention the damage to a company’s reputation and revenue stream that can result from a breach in customer credit card security.
More than 38 states have laws protecting consumers from data and privacy breaches and PCI compliance is the de facto standard for best practice in credit card protections.
There are no proactive enforcement mechanisms, unless a brand merchant chooses to react to a filing that has been submitted because they think it’s substandard.
If your merchant is not satisfied with the quality of your filings, and generally deems you to be a higher risk than its other customers, it may require a third-party assessment, or may even re-negotiate your fee structure or revoke your right to process credit card transactions through its institution. The biggest risk of non-compliance is if you have a breach and someone gains access to your information, or someone inside your organization sells or publishes it. The cost of dealing with lawsuits, insurance claims, canceled accounts and a damaged reputation can and will be significant.
How do you become compliant?
The first thing you have to do is determine what level of merchant you are. If you process less than 20,000 e-commerce transactions a year, you would be considered a Level 4 merchant, and can report annually on a self-assessment questionnaire. The criteria get tougher as you go up. A Level 1 merchant processes over six million transactions a year, and is required to engage a third party to complete the compliance assessment workpapers.
The second step is to perform an assessment of your technology environment to see how it measures up with a list of PCI specifications. Again, there are 12 high-level requirements, 61 different key processes, and 148 specific inquiries relating to those processes. For each of the requirements, it is advisable to have documentation of how your organization complies with each requirement. This documentation should be detailed enough to clearly explain the technologies that are in use, but it also should be clear and concise so executive management who must sign an attestation of compliance can understand what the requirements are, and what specific solutions your company has implemented to address the inquiry/risk. For each requirement for which you don’t have a procedure or technology in place to mitigate the risk, you are required to demonstrate knowledge of the specification you’re not performing, and explain why the other things (i.e. compensating controls) you’re doing meet the same objective. Ultimately your bank will determine if you’re in compliance or not. It wants to see if you’ve designed new processes and procedures, or that you’ve implemented the procedure that didn’t exist.
What are the benefits of compliance?
Your systems and data will be safe and secure, you’ll have a low risk of any adverse consequences occurring, and the customers’ trust you’ve built up over the years won’t be shattered in an instant by a careless lack of attention to detail when securing your cardholder data computing environment.
Michael R. Dickson, CPA, CISA, CISM, is the director of the Business Technology Group at GBQ Partners LLC. Reach him at (614) 947-5259 or firstname.lastname@example.org.
With all of the debate surrounding the new health care law and its impact on business, another major issue promises to rear its head in the next few years — taxation of capital gains. Although Congress extended the Bush era cuts for another two years in December, the issue of capital gains promises to be at the forefront of political deliberation for months to come.
Tax is currently charged on capital gains, or the profits realized on the sale of a non-inventory asset that was purchased at a lower price. Almost anything owned for investment purposes or personal use is considered a capital asset for income tax purposes.
“The most common capital gains are realized from the sale of stocks, bonds, precious metals and real property,” says Dennis R. Mowrey, the director of tax and business advisory services at GBQ Partners LLC.
Smart Business spoke with Mowrey about capital gains tax and some of the tax changes expected in the future.
What are some new updates with capital gains tax?
The special tax rates on long-term gains and qualified dividends expire on December 31, 2012. Starting in 2013, the tax rate on long-term gains will be 20 percent, or 10 percent for those in the 15 percent tax bracket.
Also starting in 2013, the distinction between ordinary and qualified dividends will disappear, and all dividends will be subject to the ordinary tax rates. Capital gains income will also be subject to an additional 3.8 percent Medicare tax in 2013.
What are some key things you need to understand about capital gains?
Tax rates that apply to net capital gains are generally lower than the tax rates that apply to other income. For 2010 through 2012, the maximum capital gains rate for most people is 15 percent. There are some special factors that apply to lower-income individuals, which can reduce their capital gains rates.
If your total capital losses exceed your capital gains, the excess can be deducted on your tax return and be used to reduce other income, but you are limited to an annual amount of $3,000, or $1,500 if you are married filing separately.
How are capital gains taxed, and how does this impact business?
Capital gains and losses are classified as long term and short term, depending on how long you hold the property before you sell it. Your capital gain or loss is long term if you hold the property for more than one year. Your capital gain or loss is short term if you hold it one year or less.
Long-term gains are subject to a more favorable tax rate than short-term gains. Rates for long-term gains in 2010 started at 0 percent for those in the lowest income tax bracket and topped out at 15 percent. Rates for short-term gains started at 10 percent and topped out at 35 percent. There are special rates for collectibles and the sale of certain small business stock.
A lot of times, businesses will provide dividends to their shareholders. Dividends are classified as ordinary or qualified. Qualified dividends are taxed at a 15 percent rate.
To be eligible as a qualified dividend, the dividend must meet the following two criteria:
• The dividend has to be from a domestic corporation or a qualifying foreign corporation.
• The stock must be held for more than 60 days during the 121-day period that begins 60 days before the ex-dividend date.
What special rules apply to capital gains inherited or received as gifts?
People often end up owning real estate and other property when the original owner has given that property to them. Transfers of property given before the original owner dies are gifts. The recipient of a gift does not pay any taxes or report any income when the gifted property is received. Capital gains or losses on property received as a gift are calculated with respect to the original owner’s basis in the property. When property is given, the recipient receives both the property and the property’s basis. The recipient also receives the donor’s holding period in the property for determining whether a gain is long term or short term.
Why is it important to keep good records of your capital gains and losses?
Your records help determine your capital gains and losses. Keeping good records is mandatory to be able to document and calculate the correct rates for your tax returns.
This includes making sure all items are dated, as this matters for calculating what type of gain you have — either short term or long term.
Dennis R. Mowrey is the director of tax and business advisory services at GBQ Partners LLC. Reach him at (614) 947-5273 or email@example.com.
The sales landscape is changing. To succeed, businesses need to focus on three key drivers of profitable growth — customers, pricing and innovation.
“If you think about those three things, sales is the critical nexus through which they all flow,” says Jim Lane, director of RedBank Advisors at GBQ Partners LLC. “You can’t get a decent price if your sales people cave when they’re pressured. You can’t hear about innovative demands and needs from your customers if your sales people are not listening carefully. You can’t establish customer satisfaction with a sales force that is setting expectations that you cannot meet. Sales is a critical enabler of all three drivers of profitable growth.”
Smart Business spoke with Lane about how to understand the changing sales atmosphere and make sure your sales force can accommodate the changes.
How has the sales environment changed?
If you rewind a little bit, a lot of businesses thought their sales guys were absolutely amazing in the 1990s, and many of those sales people are still in place. Early in this decade, business leaders looked at sales people a little more critically, but then the sales group seemed to recover and hit their feet again. That all changed with this last downturn, and now no one seems to know how to sell.
Have the sales people really been getting better and worse? No, but what’s been happening is that our feelings about sales people track with the economy. So in the mid to late 1990s, the economy was raging along, and all you had to do was show up with a sales book to get an order. In the early 2000s, there was a bit of a downturn, so we looked at sales people with a bit of a critical eye. But we recovered and started to make progress again, so business leaders thought that sales people knew what they were doing. But it wasn’t until this latest downturn when we figured out that they really don’t know it all, and in many cases, are not suited for sales or don’t have the knowledge or skills to be effective at sales. As a result, we’ve seen a bunch of sales managers and sales people who’ve been exposed as not good at what they’re doing.
What are some key things business leaders need to understand about the changing atmosphere of sales and growth?
The key difficulty that business owners have when looking at their sales force and growth curve is that, once they know what their own desires and goals are for growth, they don’t separate out what they’re accomplishing versus what’s being accomplished because of the business environment. In the 1990s, we all thought we were geniuses. But over the last 18 to 24 months, we all thought we were idiots. Have we really changed, or is it just the performance of the economy that’s driving the change in the business? You have to separate out what you can control versus what the economy controls. That will help you determine the difference between an opportunity to improve and factors beyond your control.
How do you work with your sales force to accommodate this change?
The first aspect is getting the right people in place with the right psychological makeup. The second part is making sure that they have the skills and training that they need.
That first part is really a price of entry; it’s really a go or no go. There are a couple of key characteristics of a good sales person’s psyche, which deal with a willingness and commitment to do whatever it takes to make oneself successful. The other one is fortitude and the ability to hear no, keep on going and keep your drive up. If someone is lacking in those two elements, it’s probably not a good idea for that person to remain in sales for a career. You have to evaluate each sales person with a rigorous assessment tool so you can determine his or her potential. Then you can track progress against their potential each year as you go along.
Then you can train your sales force on a whole series of different skills. You can definitely impact these and improve performance through some of these skills in a way that has a return associated with it. When you first look at your sales force, you need to determine if you receive a continued return on investment. You might as well just trade them out or eliminate those positions if you do not. If you have a group of sales people who have those core psyche elements, then you can determine what the return on investment will be for that group. That’s where you see an opportunity to continue to invest in and improve the performance of the existing sales group.
Once you’ve been through this analysis, and you know how to invest in your current talent pool, then you can look at the gaps. You look at what types of sales people that you do have, and what types of sales people that you need to drive growth.
What are the benefits and risks of focusing on the key drivers of profitable growth?
Business leadership is a balance of looking at drivers of growth and profitability and looking at efficiency, which is more cost focused. Drivers of growth tend to be revenue and top line oriented. Drivers of efficiency tend to be cost and bottom line oriented. As with anything, if you focus too much on the left hand, you forget what the right hand is doing. You need to keep a balanced outlook.
If you do focus on profitable growth, the key benefit is that you become a much stronger organization. Companies that did well over the last 18 to 24 months were ones that had already taken up the challenge of being profitable. They came into the downturn with the cash to take advantage of buying opportunities and were able to invest in new capabilities and talent at a time when they were relative bargains.
Being more profitable makes you a much stronger firm. When another company is trimming to survive, you can attack their customer base and introduce new products. That financial strength enables you to do a lot of things when there are competitive opportunities to move.
Jim Lane is the director of RedBank Advisors at GBQ Partners LLC. Reach him at (614) 947-5257 or firstname.lastname@example.org.