This post is for those of us with merchant accounts who handle credit card transactions, or those thinking about getting merchant accounts.
You should make sure you are aware of the term PCI DSS (Payment Card Industry Data Security Standard) compliance, what it is, and what it means for you, because if you are a business that handles credit card transactions of any kind, you may need to change the way you handle that particular portion of your business. The worst-case scenario is that you get breached, the credit card company (Visa, MasterCard, etc.) fines your acquiring bank (the merchant services issuer), and then that acquiring bank passes the fines along to you. Some of those fines and recovery fees can be pretty steep, as illustrated in the video link below. And you could lose your merchant account altogether.
The December 31st compliance deadline is for Level II merchants; however, smaller merchants should treat this seriously now, too, because while there don’t appear to be any hard and fast deadlines from the major credit card companies for Levels III and IV, the actual acquiring banks (your merchant services providers) may have some. You can still be held accountable in the event of a breach. Level IV applies to businesses doing fewer than 20,000 credit card transactions per year. For perspective, TJ Maxx is probably a Level I or Level II.
When I first started my business, my husband, an information security professional, told me that he would prefer that I didn’t actually get a “merchant account” and that I use something like PayPal instead. With basic PayPal merchant solutions, the vendor never has access to the customer’s credit card account; if there is ever a data security breach, the onus is on PayPal, not you. And you don’t have to worry about the hassle of how best to store your clients’ transaction info. Just a comparison with regard to risk.
Start with this article.
In Data Leaks, Culprits Often are Mom and Pop (WSJ)
This video outlines everything quite nicely, and it also provides some easy, common-sense things you can do to protect yourself and your clients’ If you don’t read any of the articles, you should at least watch the video; it’s 12 minutes long.
They also have a link on their website called PCI Compliance basics for credit card security in the left “For Starters” menu.
Then, if you’d like, check out these two.
At the minimum, Level IV merchants should be doing a “self assessment.” Here is a questionnaire with some things you might want to look over and consider as it relates to your business.
And, of course, if you want to know more about PCI compliance in general, just Google “PCI Compliance Small Business.”
One of the main points to take away is that, yes, this can possibly affect you. Period. Most of the time, if there ever is a breach, the burden initially falls on the “merchant account providers/acquiring banks”; however, what you need to be aware of is that they can indeed pass that fine directly to you, the merchant, if something ever were to occur based upon a data breach that is the result of the way you’ve (mis)handled consumer credit card
PCI compliance is not necessarily anything new, and I don’t mean to sound alarmist by any means.
Just an FYI.
Tamra Gentry
http://www.agjewelrydesign.com