This is probably a good topic to start this blog off with. Anyone who pays attention to the headlines knows that breaches of credit card and other financial information happen with amazing regularity. Names such as TJX, Hannaford, State & Local government entities and even some prominent Universities regularly appear in the headlines as having suffered a breach that led to the theft of credit card and other financial information.
As a result of the rather substantial losses borne by the banks and other issuers, in 2004, the major credit card issuers around the world combined their various security requirements and created the uniform Payment Card Industry Data Security Standard abbreviated as PCI-DSS or simply PCI.
Wikipedia has a good article on the PCI-DSS and if you are interested, you can read about it here. The standard has six main requirements of anyone who processes credit cards:
- Build & Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Mechanisms
- Regularly Monitor & Test Networks
- Maintain an Information Security Policy
Companies that store and process credit card transactions within their computer systems are held to the highest requirements, but any company that processes credit cards using any method must adhere to the requirements of the PCI-DSS. All companies have to certify that they are complying with the requirements of PCI-DSS, but the degree of that certification varies based upon the volume of transactions that are processed each year. Companies who process any credit card transactions are grouped into one of four categories:
- Level One – Merchants who process over 6 million transactions per year, or who have been identified by their credit card payment processor as being a Level One merchant
- Level Two – Merchants processing 1 million – 6 million transactions per year
- Level Three – Merchants processing 20,000 – 1 million transactions per year
- Level Four – Merchants processing fewer than 20,000 transactions per year
It is important to note that the PCI-DSS is only concerned with the number of transactions, not the dollar amount of the transaction. My guess is that most small businesses would fall into Levels 3 or 4.
There are two assessment requirements that merchants must meet. First, they must either complete a PCI Self Assessment Questionnaire (SAQ) annually (Levels Two, Three, and Four) or submit to an annual onsite audit performed by a PCI-certified auditor (Level One). Second, if they process or store any credit card information on computer systems that they control (either onsite or hosted), they must additionally undergo a quarterly scan performed by a PCI-certified Approved Scanning Vendor (ASV).
As of this writing, the current PCI standard is 1.2 and the relevant SAQs can be downloaded here.
Now, at this point, you may be saying to yourself, “What the heck is all this about? No one ever asked me to do an SAQ. If I fill it out, what should I do with it?” Well, whether or not an SAQ is required is up to the bank that processes your credit cards. They are responsible for asking you to perform the SAQ, onsite audit, and/or quarterly scan. If they have not asked for one, then you are under no obligation to do anything.
That said, it might not be a bad idea to take a look at the SAQ and, if possible, go ahead and complete it. Sooner or later, it is likely that your payment processor will require it, and if so, you are going to have to fill it out rather quickly. Be warned: the SAQ is not a quick document to complete. Even the simplest version of the SAQ, form A, which is filled out by merchants who have outsourced all processing functions, is 15 pages long and asks questions to which you may not have a good answer the first time you go through it. Any deficiencies you identify when filling out the SAQ will need to be remedied in a timely manner, so it is best that you know what you have to do before the hammer falls.
At our company, we fall into the Level 4 merchant category. We process maybe a couple dozen credit card transactions annually and everything we do is through a touch tone telephone service. We do not store any cardholder data on any computer system, but we do keep copies of the credit card slips for a short period of time in the event that we need to deal with a disputed charge. The credit card slips are stored in a secure fireproof safe and only a handful of people at our company have access to it. Additionally, even for our repeat customers we tell them that we do not retain their credit card data past our short retention period (about 90 days) and ask that they provide their credit cards anew each time we process an order.
We are also very specific about what data we retain. Our credit card processor does not require the CVV code (the three-digit number on the back of Mastercard and Visa cards, or the four-digit number on the front of American Express cards), so we never ask for it. Some processors do require it, but it is important to note that this number should never be retained in any form, written or electronic, after the transaction has been processed.
One thing that continues to annoy me is that some companies ask that this CVV number be written down when mailing in a credit card payment. This information should never appear anywhere on a piece of paper. If your processor requires it, my advice is to ask the customer to call it in. You can then enter it into your credit card processing system and be done with it. At no time should it ever be stored in your facility or in any place under your control, including credit card forms that customers mail to you. Having the CVV number stored in any way, in any place that is under your control, is an invitation to serious PCI problems.
In summary – if you process credit card transactions, you need to familiarize yourself with the PCI-DSS. If you ever have a problem, this is one of those cases where, as they say, “Ignorance of the Law is No Excuse.”