Credit Data Compliance: Does Your Business Meet the Standard?
Tam Harbert -- Expert Business Source, 2/10/2007 11:44:00 AM
Every retail business owner understands the importance of securing debit and credit card data collected through point-of-sale terminals, the telephone, the Internet or through the mail. But how many know whether their business is compliant with the emerging standards for protecting that data?
The Payment Card Industry Data Security Standard (PCI DSS) is a two-year-old standard that defines practices for the way computers handle card-based transactional data, along with specifications for network and physical security, documentation of security policies and training programs for employees. Last fall, the five major credit card companies formed the PCI Security Standards Council in order to maintain the standard, educate businesses, encourage compliance and qualify security auditors.
The credit card companies are concentrating initial education and compliance efforts on large corporations. But over the next two years, their focus will turn to medium and small retailers, says Seana Pitt, chairperson of the Council and vice president of global merchant policy and data quality for American Express. The reason: hackers and identity thieves will be looking for easier targets.
“As the larger merchants become more secure, the bad guys will start to look at smaller businesses,” Pitt explains.
With large corporations complaining that the standard is overly stringent, complicated and expensive, the compliance barriers for small businesses could be overwhelming. Those barriers include the technical complexity of the standard. How many small businesses, for example, would understand this question from the 11-page PCI self-assessment questionnaire: “Are egress and ingress filters installed on all border routers to prevent impersonation with spoofed IP addresses?”
Today, PCI Council members are more interested in educating small businesses than policing them. Small companies should take advantage of this time to decipher the self-assessment form, determine whether they are compliant and fix the areas where they aren’t. There’s a risk in waiting: The individual card companies (not the Council) will monitor compliance and have the power to impose strict penalties for non-compliance.
Although card companies are unlikely to go after small businesses with much vigor, the potential penalties should give any retailer pause:
- Non-compliant companies may be required to submit to (and pay for) a full, annual on-site audit.
- For any data breaches, companies could be assessed fines of $50 to $90 per compromised card plus restitution, according to PSC.
- Card companies could revoke a merchant’s permission to process their cards.
The level of complexity for compliance – and the costs involved – will vary by the type of business, says Pitt. If the company does not conduct business over the Web, securing data could be as simple as “locking paper receipts up in a cabinet,” she notes. But PCI requires any company that uses the Internet to hire a PCI Council-approved auditor to assess its network and computer security procedures.
There are plenty of resources on the Web for small business owners who want to take a closer look at their data security policies:
- The U.S. Chamber of Commerce offers a security toolkit section on its Small Business Center website.
- Web merchants can take a quiz offered by the Merchant Risk Council to determine the vulnerability of their website to a security breach.
- In addition, PSC, a PCI auditing company, offers a document that debunks 10 myths regarding PCI compliance.
Tam Harbert is a freelance writer based in Rockville, Md.