The Skinny on Compliance

Until recently, compliance for acceptance of Visa and MasterCard was at best voluntary and at worst ignored. This is no longer the case; failure to comply with the regulations set by the Payment Card Industry (PCI) Security Standard can lead to termination of card acceptance privileges and more.

Let’s debunk three common misconceptions:

• PCI only applies to large merchants True or False?
• PCI only applies to Internet merchants True or False?
• PCI only applies to MasterCard and Visa True or False?

The answer to all three questions is False. PCI applies to all merchants, no matter their size or business format. It also applies to all card types. Any merchant handling, transmitting, storing or touching credit card information falls under the rules of PCI, without exception!

PCI was developed to reduce the risk of security violations and fraud within the credit card acceptance industry. To ensure companies achieve compliance, PCI uses a 12-step program that includes an external penetration scan to make sure hackers can’t break the merchant’s site, where payment/account information is given. Unfortunately, passing a penetration scan doesn’t protect your site from hackers; it simply means your site passed when the scan was conducted with techniques employed by a particular scan company.

PCI identifies four categories of merchants. The number of transactions you process annually defines how you will be categorized. Typically, self-storage companies fall into level four, which includes merchants who process less than 20,000 Visa e-commerce transactions and fewer than 6 million total per year. However—and this is important—a merchant can unilaterally be moved to any category by Visa or other processors.

The category-four requirements are relatively benign compared to those for a category-one merchant, which includes hefty businesses like Amazon.com. Still, self-storage owners must complete a self-assessment questionnaire and a quarterly penetration scan. The self-assessment must be validated by the merchant, and penetration scans by an independent certified assessor.

Some self-assessment questions are highly technical. In general, the questionnaire follows PCI format with each series of questions relating to a specific card-industry component. If the questionnaire confuses you in any way, seek expert advice. Companies that incorrectly complete or fabricate their self-assessment, for whatever reasons, will be examined and potentially classified as fraudulent. The punishment is immediate termination.

Penetration scans are provided by a number of companies. MasterCard now provides scans without charge. The only requirement is the merchant follow defined procedures and protocols.

Now that you’ve read the skinny on compliance, take the necessary steps to protect yourself and your customers from credit card fraud.

Ross Federgreen is a co-founder of CSRSI, which provides an integrated approach to the analysis, design, implementation, deployment and management of electronic transaction services and systems. Since 1999, the company has helped more than 600 public and private institutions reduce the cost of acquiring money and minimize the liability exposure related to payment transactions and customer data. Its products include monitoring of merchant service activities for fraud, charge-backs, credits and disputes, as well as the Credit Card Analysis System. For more information, call 866.462.7774, ext. 23; e-mail rfedergreen@csrsi.com; visit www.csrsi.com.