You need to know this if you accept credit cards

Author: Sean Connors
Date: 4 Apr 2009

Do you accept payment under the Visa or MasterCard logo? If so, have you certified that you are compliant with PCI DSS (the Payment Card Industry Data Security Standard)?

If you don’t know what PCI DSS is, join the crowd. We believe Visa and MasterCard have not yet raised enough awareness of it, but that is changing swiftly. If you accept credit or debit cards, you are required to be PCI DSS compliant from the moment you accept your first transaction; what you may not have been required to do is certify that you are compliant.

This has recently been causing confusion, especially among smaller merchants: those processing fewer than 20,000 e-commerce transactions per year, or any other merchant processing up to 1 million transactions per year. Visa labels merchants in this tier “Level 4”. Few merchants at this level know anything about PCI DSS, that they are required to be compliant, or that they may now be required to certify compliance. Small businesses have enough immediate concerns to worry about before this one.

Since these standards were developed, “Level 4” merchants have always been required to be compliant but never to certify compliance, so the vast majority never gave it any thought and happily went on processing card payments with all manner of vulnerable applications, networks and processes. The same could be said of many of the web hosting companies that support these smaller merchants online.

Blissful ignorance of PCI DSS is coming to a close quickly now, though. Visa is placing the responsibility for breaches of cardholder data at this merchant level, and the cost of those breaches, squarely on the acquiring banks: the providers merchants go to for their merchant accounts, whether a local bank, a local MSP/ISO such as Humboldt Merchant Services, or a global network such as Elavon or Card Services International. Since the acquirer will be left with the bill for any fines, processors are now far more motivated to prod their “Level 4” merchants into certifying compliance.

The big problem comes when there is a breach: the costs are huge, starting with a minimum of $10,000 to $50,000 in fines alone, and most merchants at this level cannot afford that. So they go out of business and leave someone upstream to foot the bill.

According to Visa Inc., “All entities (including merchants or service providers) that process, store or transmit cardholder data need to be PCI DSS COMPLIANT at the time they handle cardholder data. For Level 4 merchants, the VALIDATION or PROOF of the PCI DSS compliance is at the individual acquirer's discretion and may have deadlines set individually.”

That is, while any merchant accepting cards is required to be compliant, it is up to the acquirer to prod merchants into certifying that they are compliant and to set the deadlines for doing so.

Processors such as Elavon (formerly NOVA) are moving swiftly. Local merchants may have an Elavon account if they set up their merchant account through Costco or any of a good number of other providers. Elavon has notified its merchants that they must certify compliance by March 1, 2009 or be assessed a $20 per month fee until they do. To add a carrot to the stick, it negotiated a “bulk rate” with TrustWave for all of its merchants: less than half of what certification services typically charge, and less than a year of the $20 per month penalty.

Merchants of all stripes accepting card payments need to understand PCI DSS and their responsibilities for securing cardholder data. Larger merchants already know this; “Level 4” merchants are less aware, but they will be getting a knock on the door soon. If your bank or merchant service provider has not yet told you what it expects of you, and by when, ask.

If you are a merchant processing fewer than 20,000 e-commerce transactions per year, you may not yet know much about PCI DSS, even though you are still required to be compliant. Educate yourself on the standard and arrange to certify compliance soon. For a merchant of this size, validation normally means completing the annual Self-Assessment Questionnaire (SAQ) and, for any Internet-facing systems involved in card processing, passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); TrustWave, for example, is both a Qualified Security Assessor and an ASV, and your acquirer may already have arranged a program with a vendor on your behalf. And if you sell online, you should be both more concerned and more dedicated to making online shopping safer for everyone.

PCI DSS compliance is only one of the ways technology may affect your business. To learn more, join and become active in the Redwood Technology Consortium.

# # # #

Sean Connors is the owner of and Chief Project Manager for Web Merchant Services. Connors is a business member of the Redwood Technology Consortium. A fuller version of this article is provided on the WMS blog at: blog.WMSmerchantservices.com.

Copyright 2009, Eureka Times Standard Newspaper. The print version of this article first appeared in the 4/2/09 edition of the Times Standard.