If you accept credit cards as a form of payment, you are required to be PCI compliant. The Wired Mouse offers services which will ensure that your company (either ‘point-of-sale’ locations or internet-based) is PCI compliant. Please read below for additional information on PCI compliance.


What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) details security requirements for members, merchants, and service providers that store, process, or transmit cardholder data. To demonstrate compliance, merchants and service providers must validate annually (through a Self-Assessment Questionnaire or an assessment by a Qualified Security Assessor, depending on their level) and, where they have Internet-facing systems, have external vulnerability scans performed quarterly by an Approved Scanning Vendor (ASV), as defined by the PCI Security Standards Council.

PCI DSS originally began as five separate programs run by the five major card brands (Visa, MasterCard, American Express, Discover and JCB). Each brand had essentially the same goal: to add a layer of protection for consumers by requiring merchants to meet minimum security standards when they store, process and transmit cardholder data.

On Dec. 15, 2004, the card brands aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard. The Payment Card Industry Security Standards Council (PCI SSC) was then formed in 2006 as a neutral body to own and maintain the standard, so that one program applies to all card processing rather than five conflicting ones.


Who Has To Comply?

If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually. There is no way around this. Network security scans are required of all merchants and service providers with Internet-accessible IP addresses that collect, process or transmit payment account information. Even if a business does not offer Web-based transactions, other services may still make its network reachable from the Internet. Basic functions such as email and employee Internet access create paths to and from the Internet, and these seemingly insignificant paths can provide unprotected routes into merchant and service provider systems and expose cardholder data if they are not properly controlled.

What are the certification levels and what do they mean?

Information about merchant levels and service provider levels can be found at https://www.pcisecuritystandards.org/


Who needs to complete the Self Assessment Questionnaire?

Your acquiring bank can confirm this for you, but typically all Level 2, 3 and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire (SAQ) on an annual basis. Level 1 merchants and service providers must instead undergo an annual on-site assessment by a Qualified Security Assessor (QSA).


PCI only applies to e-commerce companies.

That is incorrect. PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions through point-of-sale (POS) devices is typically at greater risk than an e-commerce operation. Quite often, these systems end up storing full track data (everything encoded on the magnetic stripe on the back of the card, including the PAN, expiry date and service code), which PCI DSS forbids retaining after authorization, even in encrypted form. Compromise of this type of data may bring heavy fines and demands for compensation from the banks involved.
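A practitioner can check for the stored track data described above rather than taking a vendor's word for it. The scanner below is an added example, not code from The Wired Mouse or the PCI SSC: it walks a text dump (a POS debug log, a database export, a crash file) and flags full Track 1/Track 2 strings, which are prohibited storage, and bare card numbers, which are permitted only when rendered unreadable. The patterns follow the ISO/IEC 7813 track layouts and a Luhn check is used to cut false positives from other long digit strings; the sample dump is constructed for the example and uses the brands' published test card numbers.

```python
"""Scan text for stored magnetic-stripe track data and bare card numbers (PANs).

Added example, not from the original page. SAMPLE_DUMP below is constructed;
the regexes follow the ISO/IEC 7813 Track 1 / Track 2 layouts.
"""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# A bare run of 13-19 digits that is not part of a longer digit string.
BARE_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed POS log; the card numbers are the brands' public test numbers.
SAMPLE_DUMP = """\
2024-03-01 10:02:11 POS-07 txn ok amount=42.10 auth=A1B2C3
2024-03-01 10:02:11 POS-07 DEBUG raw=%B4111111111111111^DOE/JANE^29011011000000000?
2024-03-01 10:03:45 POS-07 DEBUG raw=;5555555555554444=29011011000000000?
2024-03-01 10:04:02 POS-07 txn ok amount=9.99 card=378282246310005 auth=D4E5F6
2024-03-01 10:05:17 POS-07 txn declined order=4111111111111112 ref=20240301100517
2024-03-01 10:06:00 POS-07 inventory sku=1234567890123 qty=2
"""


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; every real card PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed by default."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str
    severity: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per track string or Luhn-valid PAN found in the text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        remaining = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    # Full track contents are sensitive authentication data: never
                    # permitted to be stored after authorization, encrypted or not.
                    findings.append(Finding(line_no, kind, mask_pan(pan), "prohibited"))
                    # Blank the track so its PAN is not reported a second time below.
                    remaining = remaining.replace(m.group(0), " " * len(m.group(0)))
        for m in BARE_PAN_RE.finditer(remaining):
            if luhn_ok(m.group(0)):
                # A stored PAN is allowed only if rendered unreadable
                # (truncation, tokenization, strong cryptography).
                findings.append(Finding(line_no, "pan", mask_pan(m.group(0)), "must be unreadable"))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan} [{f.severity}]")
```

Run it over a real export and every "prohibited" hit is a finding an assessor would also raise; the Luhn filter keeps order numbers, SKUs and timestamps out of the report, but it is a triage tool, not a substitute for the assessment itself.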

You only have to be compliant with the majority of criteria.

The pass mark for PCI is 100%. If you fail even one requirement, you are not in compliance with PCI. The standard is not a target to strive toward; it is the baseline on which further security measures are built. You are either 100% compliant or not compliant at all, and missing a single requirement means failing the basic standard for handling cardholder information. All companies that routinely handle this type of data should exceed this baseline. It is simply good business, and it protects both your business and your customers.

I only need to protect my credit card data, not ATM debit card related data.

Incorrect: both sets of information require protection. Many debit cards can be used on both the debit and the credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.

I can wait until my bank asks me to be compliant.

The time for merchants to be in compliance is now. You, the merchant, are responsible for making sure you are in compliance. Waiting until the bank asks or forces you to become compliant could be very costly.

About PCI Compliance

Payment Card Industry (PCI) compliance is a complex and ever-evolving subject affecting millions of businesses. Acquiring banks, Independent Sales Organizations (ISOs), processors, hosts, shopping carts, e-commerce and retail merchants, and any other merchant that accepts credit or debit cards as a form of payment all fall under this umbrella.

Source and more information: www.pcicomplianceguide.org