Heads Up on Changing Credit Card Rules: An Introduction to PCI Compliance
by Liz Franklin
If you accept credit card orders for books or anything else, your credit card provider will insist on scanning your computers soon. This is because new regulations apply to publishers and authors who sell from their Web sites (as well as to a host of other credit card merchants). Who’s doing it? The payment card industry. Why? To protect customer data.
Merchants like you will have to comply with these new regulations by July 1, 2010, to avoid huge fines, fees, or even forensic audits. I’m a publisher, not a lawyer, so I can’t give you legal advice about complying with the new regulations, but I often write about business issues, and I’ve done the research to help you address as many concerns as possible.
It’s important to recognize that vulnerability occurs when stored credit card numbers and other information can be accessed—not just inappropriately accessed, but accessed at all. Storing data is far more dangerous than processing it.
This means that no company should store credit card data any longer than absolutely necessary. (Even when the data is in hardcopy form, you should shred it immediately after processing it.) When data comes in via your Web site or email, let the customers know the extent of their risk with a security statement; tell them, “Here’s why your data is secure,” rather than, “You are at risk.” When somebody gives me a card number over the phone, I ask whether they are on a cell, and if they are, I try to get them to switch to a landline. Then I delete or shred their credit card information as quickly as possible.
Remember: emailing credit card numbers is not secure unless you are using an encrypted server. Consumers should never be asked to send credit card information via regular e-mail. And they should never be told that sending half the card number in one email and half in a second email is a way around the risks. It’s not.
Credit Card Processing Perils
After it became obvious that hackers and fraudulent activity were here to stay, representatives from American Express, Visa, Discover, and MasterCard got together and decided to ensure security for their cardholders—and reduce liability for themselves—by requiring that all merchants who process credit cards guarantee security every time a card is scanned or entered.
To this end, they developed a new, global set of requirements called PCI Compliance. For most merchants, compliance means their provider will be scanning their computers to make sure the information on them is as secure as it can be.
Providers are the entities between you and your bank, the ones that process your credit card transactions. If you don’t know your provider’s name, contact your bank. Providers include U.S. Bank’s Elavon and Chase Bank’s Paymentech. PayPal is a provider too, but PayPal says it will guarantee compliance so you don’t have to. (Be sure to get that in writing; see the PayPal Web site for details.)
All merchants who process credit cards using a computer with an “outward-facing IP address” must adhere to the new PCI Compliance regulations, submitting their computers to the scanning process and completing a self-assessment questionnaire online. This questionnaire is a legal document in which each merchant attests to the security of its credit card processing system and vouches for the security of its computers, data, and Web sites. If the forms haven’t already been sent to you, you can find them on your provider’s Web site. It is your responsibility as a merchant to take care of every part of this process.
What If You Don’t Want Your Computer Scanned?
Your first line of defense is to use firewalls and security protocols that keep hackers out of your system. If you have a firewall that prevents the PCI Compliance scanner from getting into your computer, the computer will be considered compliant. But your provider’s scanners will try to find a way in.
What if your firewall isn’t as strong as you think it is, or your provider’s scanning capability is stronger? Then all the data on your computer could conceivably be read at any time. You say that you don’t care, that your system is secure? What if the scanners get in behind your firewall, and there’s still a credit card number (yours or a customer’s) on your computer that you recorded years ago and forgot about? Even if the card has long since expired, just having the data could cause you problems.
And then there’s the fact that many of us store private information on our computers, including personal data. What’s scannable and what’s not? If it’s on your computer, it’s scannable. Even your backup drive can be scanned.
So what’s a merchant to do? What are the alternatives? To avoid having your computer scanned, consider these two methods, both phone-based.
Get a point of sale terminal that can be hooked to a wall-mounted phone line (hardwired). First call your provider and ask for information about what machine you should buy, including the model number and price. Then go price-comparison shopping. Your provider will then program the device over the phone, which takes about 45 minutes.
When a customer is in your office or store and you run his or her credit card, your new POS terminal will approve (or deny) the charge and give you a confirmation number. It will then print out two receipts—you keep the one the customer signs, and the customer keeps the other, just as in restaurants.
The second method is to talk to your provider about signing up for a dial-in system (no equipment required) so you can punch credit card numbers into your phone. This phone-in system costs a little more in interest rates, but it’s great for people on the go.
However, both systems are unwieldy when you have a lot of credit cards to run, and neither can be used to run the same cards over and over every month without keying them in each time, because that would require storing the credit card data, which is the big central no-no. In fact, no matter how you process cards, you must sign an affidavit that says you do not store credit card data at all. The only alternative, if you must run the same cards regularly, goes back to frequent scanning of your computer, along with a special application and questionnaire.
The only other way you can avoid having your computer scanned is by canceling your ability to take credit card orders altogether.
OK, I’ll Bite: How Often Do I Have to Comply with the Scan?
You will not be able to pick specific dates and times for scans—that’s up to your provider—but, depending on your type of merchant agreement, you may have enough notice to go through your files just before a scan and make sure no credit card information is stored. (It’s a good idea to do this regularly anyway.)
Your provider will scan your computer as frequently as your merchant grade dictates—quarterly, weekly, or even daily. Quarterly is the minimum interval for a company using any computer with an outward-facing IP address that processes credit card transactions. Merchants who have more complex needs, or who want to guarantee tighter compliance, may choose to have their computers scanned more often.
You also have the option of using computers with two different IP addresses, but if they are both in the same location (building or office), the PCI Compliance scanner will have access to them both. Ask your information technology person or Internet provider for more details about your IP address. Also ask about the difference between a static and a dynamic IP, and find out which one you have on the computer(s) you use to process credit cards.
Ultimately, PCI Compliance scanners will find all your IP addresses one way or another, so the only sure way to avoid scanning entirely on a computer is to keep it offline permanently, and to be sure its wireless system stays off as well (on Mac computers, this is called AirPort).
Bottom line: Your choices are to apply, comply, and submit to having your computer scanned; to go to a phone-based or phone hardwired, one-at-a-time card processing system; to work with PayPal only; or to decline all credit cards.
Editor’s Note. This article does not offer legal information or advice, and readers are encouraged to consult an attorney with appropriate expertise for counseling on the subject of this article.
(With thanks to the Sacramento Business Journal.)
Liz Franklin writes marketing materials and business content designed to increase her customers’ gross incomes. To reach her, visit MizLizOnBiz.com, or call 800/447-3488.
For More About PCI Compliance