Determine Your PCI Compliance ‘Level’ and Requirements

by Jason Diehl on February 24, 2010

The noose is tightening around those who process credit cards. I hear a lot of complaining from merchants. Something we should keep in mind is that, as a merchant, you are being trusted to protect the information your visitors provide.

This is financial information that gives direct access to their money.

Working for a hosting company, I know LOTS of websites and owners who do not put enough weight on the seriousness of the information they've been trusted with. Even if you are one of those people who believe it's easy to take care of a stolen credit card by just calling your bank and having the charges removed, you still have to realize that it costs money somewhere. Someone is essentially stealing money.

Vendors are the ones suffering from these chargebacks, and banks have to bear the cost of handling them. The whole system pays to deal with the plain and simple truth: it's theft.

Sure, banks have plenty of money, but they aren't going to eat that cost; it gets passed on to consumers. Vendors need to raise their prices to cover product lost to chargebacks.

So, moving along: what "PCI compliance level" are you at, and what requirements do you have to meet?

There are essentially four levels of PCI compliance. The thresholds are set by each card brand; the figures below are Visa's. Most small merchants fall into Level 4, which covers merchants processing up to 20,000 eCommerce transactions per year (or up to 1 million transactions per year in any channel other than eCommerce).

Level 3 covers 20,000 to 1 million eCommerce transactions per year. Level 2 covers 1 million to 6 million transactions per year. Level 1 is anyone doing over 6 million.

The average small business falls into Level 4. If a business averaged $50 per sale it could still be Level 4 while doing a million dollars in sales (20,000 transactions × $50). The compliance levels are based on the number of card numbers you have the opportunity to lose, not on the dollar volume of business you do.

Keep in mind that if you suffer a breach and lose customer card data, the card brands can bump you to a higher level than you would normally sit at. The result is higher scrutiny, higher requirements, etc.

Let’s focus on the requirements for the average Level 4 merchant.

While every merchant is going to have to fill out some form of SAQ (Self-Assessment Questionnaire), which form you are required to use depends on how you accept credit cards.

SAQ A – This form is for merchants that use no electronic means of their own to take or store credit cards. Such a merchant may take orders over the phone or keep paper records of card numbers, but does not store those cards electronically itself. It depends entirely on a PCI DSS compliant third party for electronic processing and storage of card numbers.

SAQ B – This form is for merchants that use an imprint machine or a standalone dial-up terminal. Such a merchant may keep paper records, but still does not store or accept credit cards electronically. The dial-up terminal must use only a phone line and must not be connected to the internet. Again, it depends entirely on a third party for electronic processing and storage of card numbers.

SAQ C – This is where most small businesses fit. The merchant has a payment application that is connected to the internet. The application receives card data for processing but does not store it; it passes the data to the processor over a secure channel, and only secure methods are used to connect to the application. Paper records may be kept in accordance with safe handling practices.

SAQ D – This is where the average small business does NOT want to end up: all merchants that don't match the criteria of the previous forms. If you store card numbers electronically, you end up here.

Obviously, the closer to SAQ A you land on that list, the less you have to validate. Most small businesses running an eCommerce website will be in the C bracket, but you can reach the A bracket fairly easily by handing card entry off entirely to a hosted payment page run by your processor, so card numbers never touch your own servers.

If you are even suspected of a breach, your business can be brought to a standstill by a team of PCI-certified forensic investigators. They will review your security policy and run network vulnerability scans, penetration tests, manual host testing, wireless security testing and phone line testing. Plan on your business being stopped dead for several days until they are finished.

Whether you were responsible or not, you will be required to pay for the forensic investigation, which for a Level 4 merchant runs about $8,000 to $20,000. If you are found responsible for the breach you will also pay fines, the cost of replacing the compromised cards, and additional penalties based on the fraudulent use of the cards you lost. The average is around $36,000, and it easily exceeds $50,000 in some cases.

So unless you have $44,000 to $70,000 lying around as fun money, it's important to take security seriously. More to come.
