PCI Compliant Merchant Accounts

This post is for those of us with merchant accounts who handle
credit card transactions, or those thinking about getting merchant
accounts.

You should make sure you are aware of the term PCI/DSS (Payment Card
Industry/Data Security Standard) Compliance, what it is, and what it
means for you, because if you are a business that handles credit card
transactions of any kind you may need to change the way you handle
that particular portion of your business. Worst case scenario is that
you get breached, the credit card company (Visa, MasterCard etc.)
fines your Acquiring Bank (the merchant services issuer), and then
that Acquiring Bank passes the fines along to you. Some of those
fines and recovery fees can be pretty steep, as illustrated in the
video link below. And, you could lose your merchant account
altogether.

The December 31st compliance deadline is for Level II merchants;
however, smaller merchants should treat this seriously now, too,
because while there don’t appear to be any hard and fast deadlines by
the major credit card companies for Levels III and IV, the actual
Acquiring Banks (your merchant services providers) may have some. You
can still be held accountable in the event of a breach. Level IV
applies to businesses doing less than 20,000 credit card transactions
per year. For perspective, TJ Maxx is probably a Level I or Level II.

When I first started my business, my husband, an information
security professional, told me that he would prefer that I didn’t
actually get a “merchant account” and that I use something like
PayPal instead. With basic PayPal merchant solutions, the vendor
never has access to the customer’s credit card account; if there is
ever a data security breach, the onus is on PayPal, not you. And, you
don’t have to worry about the hassle of how best to store your
clients’ transaction info. Just a comparison with regard to risk.

Start with this article.

In Data Leaks, Culprits Often are Mom and Pop (WSJ)

This video outlines everything quite nicely, and it also provides
some easy, common-sensical things you can do to protect yourself and
your clients’ If you don’t read any of the articles, you
should at least watch the video; it’s 12 minutes long.

They also have a link on their website called PCI Compliance basics
for credit card security in the left “For Starters” menu.

Then, if you’d like, check out these two.

http://tinyurl.com/38r5bn

At the minimum, Level IV merchants should be doing a “self
assessment.” Here is a questionnaire with some things you might want
to look over and consider as it relates to your business.

And, of course, if you want to know more about PCI Compliance in
general, just Google “PCI Compliance Small Business.”

One of the main points to take away is that, yes, this can possibly
affect you. Period. Most of the time, if there ever is a breach, the
burden initially falls on the “merchant account providers/acquiring
banks”; however, what you need to be aware of is that they can indeed
pass that fine directly to you, the merchant, if something ever were
to occur based upon a data breach that is the result of the way
you’ve (mis)handled consumer credit card

PCI compliance is not necessarily anything new, and I don’t mean to
sound alarmist by any means.

Just an FYI.
Tamra Gentry
http://www.agjewelrydesign.com

Hey all, thought that I would refer you to ProPay. $60.00 a year to
accept MasterCard, Visa, Discover and American Express. Anywhere that
you have either internet access or, more importantly, at least for me,
a cell phone signal, you can take a credit card. It was quick and
easy to sign up online and I can just follow the directions and
process credit cards using my cell phone. They give you the ability
to send email invoices and receipts, etc. Watch their Demo video.

After Tamra’s post I opened up a chat session with ProPay regarding
PCI compliance and below is most of the content from that chat
session, including permission to post it wherever I would like, so, I
am and I hope that you find this useful.

Keith H: Tell me about PCI Compliance and where ProPay is on that
issue.

Kassandra O: ProPay is 100% PCI compliant, which means we meet all
of the security settings set by Visa, MasterCard, Discover, and
American Express.

Keith H: Can you tell me what level of compliance that you are,
Please?

Kassandra O: There aren’t really different levels of compliance. We
are certified as 100% PCI compliant with the board that sets the
standards from those four major credit card companies.

Keith H: The December 31st compliance deadline is for Level II
merchants; however, smaller merchants should treat this seriously
now, too, because while there don’t appear to be any hard and fast
deadlines by the major credit card companies for Levels III and IV,
the actual Acquiring Banks (your merchant services providers) may
have some. You can still be held accountable in the event of a
breach. Level IV applies to businesses doing less than 20,000 credit
card transactions per year. For perspective, TJ Maxx is probably a
Level I or Level II.

Keith H: Is there an email address that I can send some information
to? It will save cutting and pasting…

Keith H: If you are indeed compliant, then I think that you should
use this as a marketing tool. PayPal is compliant for example…

Kassandra O: Regardless of the amount that is processed through any
account, ProPay is 100% PCI compliant, as we have an appointed
compliance officer that certifies us.

Keith H: And if you notice, there are INDEED different levels.

Gary F: Hi Keith. I’m a supervisor here. We are Level I compliant.

Gary F: And we have someone dedicated to the task of ensuring we
remain compliant. Is there anything else we can help you with?

Keith H: Hi Gary!

Keith H: I am a Client Support Specialist where I work and a jeweler
as well. I subscribe to a list for jewelers and one of them was kind
enough to post a pretty lengthy piece regarding PCI
compliance.

Keith H: If I could have an email address, I will forward it to you,
sir. There is much that is useful in it, as well as video links,
etc…

Gary F: Thanks, but we have a compliance officer already for our
company, so we will not be needing any assistance with
PCI compliance.

Keith H: In the interest of your company doing well, I was thinking
of referring you to the list as a credit card processor.

Gary F: Is there anything else I can help you with?

Keith H: Well, it appears that you have no interest in additional
people using you as a credit card processor with that attitude. I was
pre-qualifying that you all were compliant and was going to use the
text of our discussion to help people be informed that your company
was a viable solution for them.

Gary F: Again, we are PCI compliant and a Level 1 merchant. We take
compliance seriously and you can pass that on to whoever you would
like to pass that on to.