PCI for Small Business: Lakewood shop’s ability to accept credit cards revoked – don’t let this happen to you

By Ron Benvenisti. Recently a Lakewood store had its ability to take credit cards revoked. Don’t let this happen to you.

The Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant who accepts payment cards. Unfortunately, in my experience, most retailers either have no clue, think it’s not their responsibility, or believe only their providers need to comply. If you don’t have even the most basic understanding of what PCI is, or how it’s enforced, you are at a serious disadvantage when it comes time to make decisions around PCI compliance. Lakewood, being a township with a very large UEZ, attracts many new businesses to open here. Here are the basics to understand PCI DSS.

The Four Important Points

1) PCI is a set of industry rules – they are not laws.

PCI is NOT a government regulation like HIPAA. PCI is a creation of the payment card brands: Visa, MasterCard, Discover and American Express. Compliance is mandatory for merchants who wish to process, transmit, or store payment card data. But PCI is not a law.

PCI rules help prevent payment card fraud, the losses from which the card brands were ultimately responsible for. An independent entity, the PCI Security Standards Council, was established to create the rules and educate merchants and their providers.

The PCI Security Standards Council does not penalize merchants directly. The banks have that authority according to the rules.

2) Non-compliant merchants are penalized by their acquiring banks.

If a merchant has a security breach and is found to be non-compliant with PCI rules, they could be subject to fines. Depending on the circumstances, merchants could pay anywhere from $5,000 to $100,000 every month until they address all compliance issues. If they don’t resolve the problem (usually within 90 days), they could have their ability to accept any and all credit cards revoked.

The card brands (all the ones the merchant accepts) penalize the merchant’s acquiring bank, and the bank passes the loss on to the non-compliant merchant.

The acquiring banks are responsible for their merchants’ security efforts. Each bank differs in the flexibility or severity of its PCI enforcement policies. Merchants absolutely need to know their acquiring bank’s policies.

3) The banks determine how a merchant must show compliance.

Because the banks are responsible for enforcing PCI compliance, they decide how they verify a merchant’s compliance and what the penalties are. Again, you need to be familiar with your bank’s PCI policies.

Merchants can show compliance by working through a self-reporting checklist on their own, or they may be required to undergo a full audit by a certified third-party security expert known as a Qualified Security Assessor. The type of compliance demonstration is determined entirely by the relevant acquiring bank.

Self-reporting may seem cheaper and easier, but it almost always leaves room for errors. Misinterpretation of the rules and requirements is all too common. Audits usually involve more detailed and tedious work and are costlier, but they give a merchant (and, more importantly, their bank) more certainty that the merchant complies. Merchants should discuss the topic with their acquiring bank to see what is acceptable.

4) PCI compliance rules can be a useful resource.

No doubt, the rules and requirements of PCI are complex and onerous. The PCI obligations mean spending more time and money. Network security grows more complex each day, with new threats and vulnerabilities constantly emerging. Keeping up to date to protect an organization and its customers can be a full-time job. Nevertheless, security is increasingly essential for merchants, whatever it takes. Breaches can mean major financial, legal, and reputational damages.

Having said all that, PCI rules are really a valuable resource for business owners. They help merchants keep their security measures current and allow their customers to do business with confidence. The PCI Security Standards Council publishes a set of resources for small and medium-sized businesses. Merchants can learn more about their particular compliance requirements as well as recommended security strategies suited to their businesses. New business owners are especially encouraged to learn all they can about PCI, and to use the resources available to protect themselves, their customers and their businesses.

You can learn more about small business compliance here: https://www.pcisecuritystandards.org/pci_security/small_merchant

See the accompanying chart for a graphical breakdown of the requirements and how to meet them.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

5 COMMENTS

  1. I wasn’t going to write this, because it is embarrassing. It was my store. Now everyone has to pay in cash or check and my bank won’t take third party checks. We didn’t know what to do with the assessment report they made us do which cost us almost $3000. We were scared because the company that did the report scared us with the fines but wanted more than the fine to fix it. I gave it to the company that installed our computers and cameras and they couldn’t take care of it on time. Then it was too late. The bank fined us and suspended our merchant service with all the credit cards. It’s a bad situation but the bank gave us 30 days to fix the biggest problems which we need to finish. Our IT company told us they never had this issue before and they are dialing in and coming in every day for free to fix it. Our computers are down half the time so we have to write everything down and give handwritten receipts. I hope they get it done on time because a big company wants several more thousands to make everything right. My computer company is also going to give us $5000 worth of support for free. Problem is I had to pay already the $5000 and I won’t get that back. I don’t want to go to court with them because I’m not sure if it’s my fault or theirs. A huge headache. My advice is take care of this stuff right away, don’t get burned like I did.

  2. This is a serious issue. I don’t want to advertise in this forum where it is inappropriate to do so… but there are services as low as about $50-$100 a month that assist with compliance, training and insurance for loss of business if an issue causes revocation like this. Sadly we live in difficult times from a technology perspective in terms of fraud and it is important to stay ahead of these things.

  3. Be careful if your ISO says they will take care of PCI for you and doesn’t have you take care of it, or tells you to lie about a network to avoid a scan, or fixes your network to let a scan pass and then opens it up again after you pass.
    It used to be the big places that were hacked; we are now hearing of the small ones. Be very careful if your software is out of date and non-compliant. BTW, Windows XP OS isn’t PCI compliant, and hasn’t been for some time now.
    Even if you do pass and are compliant, it isn’t a guarantee. Even if there is insurance, it is void if you didn’t tell the truth. Be wary about those who claim not to charge for PCI compliance; you do need a QSA company to do it, and they do have expenses and licensing fees. There is no free lunch.