Ever hear of the Payment Card Industry Data Security Standard? Get to know it because not complying with the PCI DSS could cost you big bucks.
The PCI standard, a requirement since 2001 that's increasingly being enforced among growing businesses, is intended to help organizations protect customer account data. It includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Under the PCI DSS, American Express, MasterCard, Visa and other credit card associations mandate that merchants and service providers meet certain minimum security standards when they store, process and transmit cardholder data.
Merchant banks whose retailers don't comply with the PCI standard could be fined up to $500,000--and banks typically pass along penalties. Noncompliant merchants also face losing their card-acceptance privileges. Many smaller e-tailers aren't even aware they're out of compliance with PCI until they seek out a payment processor. It can be confusing.
"While merchants should be complying with the standard now, it's going to be [several] months before the card brands start enforcing PCI compliance for the [smaller] merchants, and when they do, it will be more rational than it is now," says Avivah Litan, vice president and director of research at Gartner Inc. in Stamford, Connecticut. "It will be clearer what [smaller merchants] will have to do. They are not going after these guys and fining them now. They are trying to be rational."
Complying with PCI might seem like a hassle, but not complying could bring even bigger headaches, says Martin Elliott, vice president of emerging risk for Visa USA. "The brand damage that can occur to a merchant if their customers' data is compromised can be far more damaging than fees or fines that Visa may assess," he says, offering these tips for complying with the standard.
1.Establish a policy on data retention that minimizes the time you hold data. If you don't need data, delete it.
2.Know where your data is stored. Software can save data in places you may not be familiar with.
3.Store only essential data--such as cardholder name, account number and expiration date--and destroy all obsolete cardholder data.
4.Use only vendors that are also PCI-compliant.
5.Make sure your payment application follows Visa's "Payment Application Best Practices," available on Visa's PCI DSS website.
Melissa Campanelli is a marketing and technology writer in New York City.
This story appears in the February 2007 issue of Entrepreneur. Subscribe »
