CHICAGO – Come January 1, any business that takes credit cards must adhere to the policies and procedures set forth in the third version of the Payment Card Industry Data Security Standard. Even small companies that rely on third-party payment processors to store and handle their customers' credit card data are not exempt.
According to many merchants interviewed for a recent article in Crain’s Chicago Business, anxiety is high as the compliance deadline approaches. Although the Payment Card Industry, or PCI, rules were first introduced more than three years ago, the reality of meeting the PCI standards can be daunting, especially for a company with multiple locations. (NACS Magazine analyzed the PCI rules in a cover story, “Bite the Bullet,” back in April 2009.)
The latest round of rules reflects the PCI Council's move beyond security standards that focused on so-called "perimeter firewalls" to prevent outsiders from gaining access to companies' servers. Now that mobile and other remote-access devices have become ubiquitous, perimeter firewalls are less effective. Newer rules focus on securing not just the server but the data itself, via improved password protocols and more specific firewalls.
In past years, companies that used a third party had to address fewer than 30 points to be PCI compliant. Most were fairly basic questions to ensure that companies did not physically record and store payment information submitted by customers. But because so many companies now rely on third-party providers that receive cardholder data and store it in the cloud, the latest PCI rules put more responsibility on everyone involved.
The PCI Security Council has not adopted a formal fine structure to deal with merchants who do not comply to the standards. Huge losses, however, can come from having to pay to replace customers' credit cards, as well as having to refund the charges from fraudulent purchases. Because the retailers are the ones who actually accept the transaction, they're also the ones left holding the bag in the event of security breaches. Companies that are shown to be noncompliant also risk losing their ability to process credit card transactions.