Happy New Year to you and yours!  2010 is going to be a great year!

Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.

Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.

What is PCI?

Erlin: “PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”

How does PCI compliance affect my ecommerce business?

Erlin: “If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”

“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”

Where can I learn more about PCI?

Erlin: “The PCI Security Standards Council is the authoritative source for information. You can find their website at http://www.pcisecuritystandards.org. You can also look to the card brands themselves for additional information.”

My annual sales are very small. Do I still have to comply with PCI?

Erlin: “Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”

read more »

Welcome to Jenny’s Bookkeeping Service’s blog.  My name is Jenny and I will be posting articles about business and financial topics.  Feel free to chime in and if you feel like posting any articles, just let me know.