Get answers to your questions about PCI data security standards
As a small business owner, you may have heard of the Payment Card Industry (PCI) Security Standards Council and wondered what PCI standards are. They are data security guidelines that your merchant account provider follows, with the goal of reducing identity theft and credit card fraud.
There is no legal compliance requirement for your small business to meet PCI standards. However, credit card companies such as MasterCard and Visa may opt to stop participating in your merchant account if you do not follow PCI standards.
Finding answers to your PCI questions
So, how can you find answers to your questions about PCI standards? For starters, the PCI Web site outlines PCI standards and recommends that you also address questions to your merchant account provider. If you are a member of a trade association, that's another resource you can tap. If you are not a member of a trade association, you may wish to consider joining one.
What do PCI standards include?
PCI standards require that merchant account providers:
- Maintain firewall protection and antivirus software.
- Encrypt transmission of cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to private information.
The PCI council was founded in 2006 by MasterCard, Visa, American Express, Discover and JCB International. Many of the trade associations that represent small business owners have complained that the group is one-sided in favor of the credit card companies, and they are pushing to have more of a voice in the formulation of PCI standards.
Suggestions for future PCI standards
A group of small business trade associations released a memo on June 8, 2009 asking for changes in how PCI standards are established. It suggests that the PCI council should "take the lead in developing a collaborative approach with merchants in defining more open standards" for future PCI rules.
The memo also states that small business managers of merchant accounts have spent more than $1 billion since 2006 to comply with PCI standards for data security to combat identity theft and credit card fraud. At the same time, they pay merchant account fees in the range of 2 percent of total transactions.
The memo suggests that PCI should:
- Allow a short time span for small enterprises with merchant accounts to conduct reviews and offer comments, rather than issuing blanket rules.
- Allow more time for businesses to adopt PCI standards for updating their merchant accounts for improved data security to thwart identity theft and credit card fraud. Compliance with PCI standards already in place would be extended to Dec. 31, 2009.
- Adopt a new standard that includes end-to-end data encryption, which would create an extra wall of protection against thieves who obtain credit card information.
- Condense more than 200 PCI standards already in place by using the concepts of key controls and controls rationalization, which are the strongest overall tools to reduce risks of identity theft and credit card fraud.
- Give merchants the option of saving only authorization codes and a truncated receipt, rather than storing added credit card information for dispute resolution. The more information that is stored, the more risk is assigned to merchants and their credit card customers.
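The last suggestion, keeping only an authorization code and a truncated card number rather than the full card details, is a data-minimization practice that can be checked in code. The following is an added example written for this article, not code from the trade associations, the PCI council or any merchant account provider. The transaction record layout, the field names (`auth_code`, `pan`, `cvv` and so on), the choice to retain only the last four digits, and the sample transaction are all constructed assumptions; the Luhn check is the standard card-number checksum and is used only to reduce false positives when scanning stored records for a full card number.

```python
"""Data minimization for stored card transactions (added example).

Keeps only what dispute resolution needs (authorization code, truncated
card number, amount, date), drops everything else before the record is
written to storage, and scans the result so a full card number can never
be persisted by mistake.
"""
import re

# Field names below are assumptions about a constructed record, not PCI
# vocabulary. Sensitive authentication data must never be stored after
# authorization; it is simply never copied into the stored record.
SENSITIVE_FIELDS = ("cvv", "track_data", "pin_block")
KEEP_FIELDS = ("auth_code", "amount", "date")

# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: true if `digits` is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def stored_record_has_pan(text: str) -> bool:
    """Scan any text destined for storage for a full (Luhn-valid) card number."""
    for match in _PAN_CANDIDATE.finditer(text):
        candidate = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(candidate):
            return True
    return False


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Return only the last `keep_last` digits of a card number.

    Formatting characters are removed first, and the leading digits are
    discarded rather than masked, so the full number cannot be rebuilt
    from what is stored.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < keep_last:
        raise ValueError("card number too short to truncate")
    return digits[-keep_last:]


def minimize_transaction(txn: dict) -> dict:
    """Build the minimal record to keep for dispute resolution.

    Uses an allow-list: only KEEP_FIELDS and the truncated card number are
    copied, so the CVV, track data and full card number are dropped by
    construction. The output is then scanned as a final safety check.
    """
    record = {name: txn[name] for name in KEEP_FIELDS}
    record["pan_last4"] = truncate_pan(txn["pan"])
    if stored_record_has_pan(repr(record)):
        raise ValueError("refusing to store a record containing a full card number")
    return record


# Constructed sample transaction; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_TXN = {
    "auth_code": "A1B2C3",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "track_data": "%B4111111111111111^TEST/CARD^2512?",
    "amount": "24.99",      # kept as a string to avoid float rounding in storage
    "date": "2009-06-08",
    "cardholder": "Test Card",
}

if __name__ == "__main__":
    stored = minimize_transaction(SAMPLE_TXN)
    print(stored)
    # {'auth_code': 'A1B2C3', 'amount': '24.99', 'date': '2009-06-08', 'pan_last4': '1111'}
    print("full PAN in original:", stored_record_has_pan(repr(SAMPLE_TXN)))   # True
    print("full PAN in stored:  ", stored_record_has_pan(repr(stored)))       # False
```

The allow-list is the important design choice: a deny-list that strips known sensitive fields silently keeps anything it does not recognize, whereas copying only named fields means a new field added upstream cannot leak into storage. The scan on the way out catches the remaining case where a full number is smuggled inside an allowed field, such as a free-text memo.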
Trade associations that endorsed the June 8 memo include the National Association of Convenience Stores, National Retail Federation, National Restaurant Association, American Hotel and Lodging Association, National Council of Chain Restaurants, the Merchant Advisory Group and the International Franchise Association.
Published: June 29, 2023