500,000 Reasons to understand PCI
June 30th, 2005 marked the first deadline for Internet Merchants to submit their PCI Self Assessment Documents to their Merchant Banks.
PCI refers to the Payment Card Industry Data Security standard that has been authored by Visa and adopted by all the major credit card vendors. The PCI standard outlines the requirements and best practices for protecting cardholder data and has far reaching implications.
The standard itself was actually only authored in Dec of 2005, yet Visa required that all Merchants who authorize 20,000 or more e-commerce transactions submit a Self Assessment document, together with the results of an Internet vulnerability scan conducted by a third party, to their merchant banks by the last day in June of 2005.
Those most affected by the new requirements are Internet-based Merchants that have had a modicum of success selling products and services on the Internet. These merchants typically house their websites with a Web Hosting company, on a shared server or at best a dedicated one, neither of which would suffice according to the requirements of PCI.
PCI defines 4 levels of compliance for Merchants. The standard is immutable from Visa's perspective. To pass the assessment, all questions must be answered favorably.
Level 1 Merchants and Service Providers must be prepared for third-party audits by qualified audit professionals. This process can easily cost $100,000.00 when you factor in the costs of the audits and the technology requirements.
Level 1 – 3 Merchants are all required to submit a Self-assessment document and commit to remediation of any flaw uncovered in their current infrastructure.
The 4th level of compliance puts an emphasis on best practices and is not mandatory for Merchants authorizing fewer than 20,000 transactions over the Internet.
Unfortunately, Level 4 Merchants are not off the hook, because another provision states that if their website were to be hacked, compromising Cardholder information, they immediately become a Level 1 Merchant.
The best advice we can give to merchants is: if you are collecting and storing credit card information, then STOP. The most cost-effective solution is to farm out the collection process to a Payment Gateway that offers a payment page. Payment Gateways such as SafeMerchant.com are equipped to handle the safe storage and retrieval of cardholder information.
The penalties that can be assessed for compromised cardholder data can be as much as $500,000.00 or more per incident, depending upon the number of credit cards that are in jeopardy. There are also significant penalties for Merchants that remain out of compliance.
Obviously, the payment industry is playing hardball here, but in light of the recent news that 40 million card numbers were at risk of being exposed and 200,000 were confirmed stolen from Card Systems, it is hard to blame them. Card Systems has since been put out of business, as Visa decided not to allow them access to their processing network.
If you take into account the increasing pressure that Government is applying to the Financial and Healthcare industries, as well as its efforts to protect the consumer from Identity theft, it is pretty safe to say that PCI is here to stay.
Merchants should seriously consider adopting the standard now, gaining an advantage over competitors that are apathetic to the problem.