November 1, 2007

The Payment Advisor

Audits for compliance to the Payment Card Industry (PCI) Data Security Standard are on the rise. What does this mean to you and your business?

Most merchants who accept credit card payments know they must maintain compliance with PCI standards. Some are finding out the hard way that real enforcement is now the rule rather than the exception.

Multiple organizations are involved in auditing procedures, ranging from the U.S. Secret Service and the FBI to the various card brands and acquiring financial institutions. The process is typically expensive, frightening, time-consuming and may lead to civil and criminal penalties.

Risk Assessment

When Visa published the May 2007 issue of the CISP bulletin, it was made clear that banks are responsible for understanding and monitoring the risks in their portfolios of category-four merchants. The bulletin also offered some insight into risk rating.

According to Visa documents, when it comes to risk rating, the obvious is not so obvious. For example, Visa listed five categories of risk prioritization: acceptance channel, payment technology, transaction volume, number of locations and merchant category. While this may seem intuitive, the actual risk stratification is surprising in many cases. For example, card present is a higher risk than card not present; standalone POS terminals are of lower risk than integrated POS terminals; and high-risk merchant categories include restaurants and universities.

Enter Self-Storage

So where does that leave the average self-storage facility? Clearly in the high-risk category. Most facilities accept cards in the card-present modality; most of their POS equipment is integrated; and many offer the same risks as restaurants, including the fact that most workstations are unprotected.

Merchants are categorized by two factors: the number of transactions they conduct and the type of transaction, whether e-commerce or other. It's fair to say the vast majority of storage operations are category-four merchants. This is defined on a Merchant Identification Number (MID) basis. Merchants processing fewer than 20,000 e-commerce transactions monthly or 1 million annually per MID are considered category four.

The important point here is that if you're going to continue accepting credit cards, you must become PCI compliant. Many merchants have not, because they don't understand the rules or don't believe compliance is important. Neglect will lead to significant difficulty and financial harm. The penalties for not being compliant include civil and potential criminal sanction, and can range up to $500,000 per event.

Don't Get Caught With Your Pants Down!

More than half of all payments received by the typical self-storage operator are via credit card. The risk profile of the average operator is toward the high end of the continuum. Banks are on notice that they must monitor the quality of their merchants within their portfolios relative to PCI compliance.

Any suspected breach must be reported within 24 hours. The reporting agencies include the FBI and Secret Service. The potential threat level your operation poses to the system will, in many ways, dictate the odds of a not-so-random audit. Make sure you're compliant, and you have nothing to worry about.

Under Fire

If your business is audited, you'll need to provide correct documentation to the auditor as well as access to your systems. You should have the required policies and procedures in a binder with correct labeling. Next, provide your security-awareness program with details of when it was given to staff, evidence of staff completion, and proof the program is current.

Be ready to demonstrate that the correct physical security measures are in place, and that all wireless computers or access points have been and are currently being monitored and sniffed as per the regulations. It's advisable to have the requisite background checks of all employees who handle credit cards on file and ready for review. The list goes on and on.

Help

The umbrella organization for assistance in these matters is the PCI Security Standards Council. Visit www.pcisecuritystandards.org and familiarize yourself with this valuable resource.

If you decide to seek assistance, find someone who is qualified. Check references, resumes, publications, presentations and length of time providing these services. At a minimum, make sure the company you hire has at least five years' experience, is a member of the PCI Security Standards Council and has active references.

Hopefully, you'll have taken all necessary precautions beforehand and can rest assured you're already PCI compliant. That, of course, is your safest bet.

Ross Federgreen is a co-founder of CSRSI, which provides an integrated approach to the analysis, design, implementation, deployment and management of electronic transaction services and systems. Since 1999, the company has helped more than 350 public and private institutions reduce the cost of acquiring money and minimize liability exposure related to payment transactions and customer data. For more information, call 866.462.7774, ext. 23; e-mail [email protected]; visit www.csrsi.com.
