
Thursday, April 15, 2010

PCI Compliance in Plain English



Since the deadline has passed for everyone to become PCI compliant, you most likely found this blog because your processor is asking you to demonstrate that your business is compliant and you want to know more or find out if it’s a legitimate requirement. Hopefully this blog will answer those exact questions.

Just so this is clear upfront, the Funds Transfer Alliance has a vested interest in every merchant becoming compliant. We don't stand to benefit directly from your business becoming compliant but data breaches hurt the industry. We don't care how you do it or what vendors you use. But we do very strenuously ask that you take this seriously. Any suggestions below about compliance are what the FTA recommends to our merchants. Ultimately, while we trust that the information below is universally applicable, you need to come to a resolution with your processor and their particular requirements.

Let’s start with the most frequent objections the Funds Transfer Alliance hears:

o   PCI compliance seems expensive. At the FTA, based on our research of 3rd party compliance companies, demonstrating compliance ranges between $79 and $139 per year. We will explain how that works below. And you, like many merchants, have the same question buzzing around in the back of your head (we know because we’ve heard it so often): Is this just my processor’s way of extracting a new yearly fee?  

o   It seems like it could be time-consuming. It requires you, the business owner, to fill out a survey about your network and your data storing methods. At best, it’s an annoyance and at worst it’s an Atlas-sized burden because you may not have set up the network yourself or know all of the ways your customers’ data is stored, or even if it is stored at all.

o   It seems unnecessary. You have mostly repeat customers. You haven’t had a problem in 20+ years in business. Why do you have to start doing this now? Isn’t this just for the huge chains who are the real targets of fraud?

The short answer is, like insurance, it appears on the surface to be expensive, annoying, and unnecessary until something catastrophic happens. Will anything happen to you? Probably not. Could it? Sure.

Though the scenario is unlikely, a security breach and subsequent compromise of payment card data is a really big deal, and a huge problem for everyone involved. The massive-headache inducing and far-reaching consequences for affected organizations include:


a)    Ongoing regulatory notification requirements;
b)    Loss of reputation;
c)    Loss of customers;
d)    Financial liability (for example, regulatory and other fees and fines); and
e)    Litigation.

Not sure about you, but at the FTA, we’d rather avoid "all of the above!"

If it still seems uncomfortable, here’s a little bit of history about how this, at times confusing, requirement came to exist. PCI (Payment Card Industry) DSS (Data Security Standard) originally began as five separate programs: Visa’s Card Information Security Program, MasterCard’s Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program.

So what does this tell you right away? The industry’s biggest players recognized a need to cover their card-issuing behinds from large-scale fraud against their membership. These behemoths knew that if situations similar to the TJ Maxx/Marshalls scenario happened repeatedly (in that case, 46 million card numbers were exposed), the repercussions would be huge and, prior to 2004-2005, they had very little control over a breach because they were relying on the merchants to guard the data in a time when new technologies were emerging. Undoubtedly, many merchants have the best intentions but the road to Hades, where the most skilled hackers hang out and code, is paved with those intentions and no data security.

So the card brand giants originally set out, at first individually, and then collectively, to create a certain level of protection from this kind of exposure by ensuring that merchants, both large and small, meet minimum levels of security when they store, process, and transmit cardholder data. Makes sense, right? The PCI Security Standards Council (SSC) was formed and in 2004 these companies aligned their individual policies and released the PCI DSS, which became effective in 2005 with alterations occurring every two years since to make minor corrections designed to offer more clarity and consistency.

So what are the requirements and what do I have to do??? Good question! 

Every merchant must be PCI DSS compliant. Yep, even you! Why would some businesses be allowed to skate by while others not? There is no way for the industry titans to know who’s doing what with cardholder data without a system in place to make that determination. A security bureaucracy, if you will. A cumbersome safety structure.

So here’s the gist: every merchant must not only be compliant but also demonstrate that they are compliant. This is the part that requires the annual fee. The card networks have contracted with independent 3rd party companies to aid business owners in meeting compliance requirements. The annual fee charged by your processor is the fee the 3rd parties charge for this service. In the case of the Funds Transfer Alliance, we have contracted with a company called Security Metrics to work with our merchants to verify to the card issuers that the merchant's system is secure and compliant.

When we were researching this blog, the Funds Transfer Alliance staff noticed a lot of confusion about what the requirements are for different businesses. For instance, if a business processes 40,000 transactions a year, where do they fall in the compliance matrix? This question is difficult to answer because the requirements for your particular business vary with the number of transactions you process each year, the policies of your acquirer, and the card brands (Visa, MC, etc.).   

Keep this one fact in mind: Every business at every level in the processing chain wants to protect themselves from breach liability. So your processor is very, very smart to require your immediate compliance because Visa, MC, AmEx, Discover, and JCB will definitely be holding them accountable for your breach. Everyone’s liability is diminished with PCI compliance. Unfortunately, it’s the cost of doing business in a cyber-insecure world. Also, keep in mind, for large corporations, the cost of PCI compliance is in the hundreds of thousands of dollars.

Should you choose to put off compliance, you will likely be assessed a monthly fee by your acquirer, which is similar to the fee associated with failing to register your vehicle in a timely manner. In many cases, the annual cost of these non-compliance fees greatly exceeds the cost of compliance. Here’s what we would do if we were you:

1. Complete the Self-Assessment Questionnaire (SAQ) according to the instructions.

2. Complete a clean vulnerability scan with an SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV (again, for example, Security Metrics for Funds Transfer Alliance).

3. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).

4. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer. While our research has demonstrated that Security Metrics is an industry leader in this field in terms of cost and execution and the Funds Transfer Alliance can confidently recommend them based on our experience, we recommend you carry out your own due diligence and find the best vendor to meet your needs.

Additionally, if you would like to hear all of this information straight from the source's mouth, here are some sites for your perusal:

Discover

Tuesday, April 6, 2010

Welcome to the Funds Transfer Alliance Blog!

Welcome to the first of many blogs from the Funds Transfer Alliance! In case you’re not familiar with us, we are a national leader in the merchant services industry. Our core service allows our business partners to accept credit and debit cards as payment for their goods or services. Very simple, right? Well, we know that for many business owners, from the newest to the most seasoned veterans, because this is a business system you set up once every few years, maybe, and you only think about it when something goes wrong, it can be very confusing. And with all the terminology and intense competition in the industry, finding reliable information can be a Herculean undertaking.

When we started this company, we committed to ourselves, our employees, and the partners in our business family that we would only accept the most well-established, low risk businesses as clients. That philosophy has served us very well and we would like to make you the beneficiary. We would like to offer this blog as a tool in your arsenal. A tool for new business owners trying to understand this complex industry. A tool for seasoned veterans who are investigating whether they have the ideal account configurations, both in terms of equipment and financials, to complement your company’s needs.

We are not trying to sell you our services. This is not a veiled attempt to guide you to an application. You will not find ads or disguised ads. This is the straight scoop. And we encourage feedback. If you have a question... If you are curious about how things work, who fits in where in the industry, or just want to talk shop, let us know! That’s why we’re here. With 20+ years of industry experience, someone in our management team will know the answer to even the most arcane or technical question.

We look forward to connecting with you soon. Thank you for reading.

Sincerely,

The Funds Transfer Alliance Family