PCI compliance (the Payment Card Industry Data Security Standard, PCI DSS, as established by Visa/MasterCard/Discover/Amex/JCB) is most often a requirement when setting up a merchant services account, to provide security when processing credit cards. PCI is designed to make paying by credit card safe and secure, but ultimately this is about much more than just credit card information. We need to remember that along with credit card information, we are also talking about customers’ sensitive information, including checking account information, names, addresses and dates of birth (i.e., any information that can be used in the process of identity theft). PCI helps us to understand some simple things we can do to help keep this information safe.

Although basic security measures may seem trivial or common sense, information comes into payment-accepting organizations in a wide variety of ways, and there are many opportunities for those organizations to inadvertently lose control of that sensitive information and put customers’ safety and security at risk.

PCI exposure can occur in several ways: 

  • Payment information written on paper statements
  • Payment information kept in binders and spreadsheets for future use
  • Payment information kept on CRM, membership or accounting systems where the number is not masked or encrypted
  • Payment information taken over the phone and written down
  • Payment information taken at an event to be processed at a later date

PCI exposure can occur due to computer and network risk: 

  • Computer antivirus and anti-malware software is not current.
  • Keystroke-logging software can be injected into computers to capture information entered through keyboards.
  • Unauthorized network access can expose information on the organization's network.
  • Login and password policies for employees and volunteers are not implemented or enforced.
  • Wireless networks are not secured with proper and controlled password access.

A very common example of sensitive information exposure that your organization may be subject to if you don’t follow PCI best practices is when a customer sends in their credit card number written on a paper statement. Oftentimes that paper is thrown in a trash can after use, which is risky behavior. The document should always be shredded after use to prevent someone from gaining access to the card number. (It is not recommended to ask a customer to write down their credit card information on a statement or other document in the first place, as this becomes another piece of paper that needs to be handled, and another opportunity for the wrong person to see that information.)

It is highly recommended by the payments industry that you complete a PCI questionnaire when setting up your merchant services account and continue to maintain a high level of security with yearly renewal. Merchant Service Providers work with various companies, such as Compliance101.com, to monitor and run the questionnaires. On completing these questionnaires, your organization will generally receive a discount on the cost the banks charge to manage and maintain security standards. Ask your representative at either the Merchant Service Provider or Technology Provider for more information.

PCI FAQs, FYI

  1. Where can I find out specifically what we need to do to become compliant?
    1. Obtain a third-party service to review and implement policies and procedures. We recommend using the PCI service provider recommended by your merchant service provider.
  2. How long does PCI compliance take?
    1. PCI compliance is not a one-time effort. It is an ongoing practice.
    2. There are 5 key steps to becoming PCI compliant:
      1. Learn, Prepare, Questionnaire completion, Develop Policies and Practice
  3. Where can we find more information?
    1. An example of a PCI service provider is www.compliance101.com.
  4. How can we find the best PCI deal?
    1. We recommend using only the PCI service provider suggested by your merchant service provider. You may be solicited by other providers that offer easier solutions or lower costs, but it can be difficult to determine whether they are the best solution, and they may not be accepted by your merchant service provider as a valid service.