Like the typical e-commerce entrepreneur, I was working late one night and going through a collection of bills and other paperwork when I stumbled across an alarming new fine-print notice in the statement from our credit card processing company.
The gist? I could be required to pay $1,700 to upgrade my card processing terminal. That certainly got my attention -- an unexpected $1,700 business expense is always unwelcome news.
The cost comes about because my current card terminal, according to the notice, "may not be capable of complying with new account truncation requirements." That's credit card-speak for a new security requirement that transaction receipts must NOT include a customer's card expiration date or full credit card number -- only the last four digits.
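As an added illustration (not code from the article or from any card processor), here is what that truncation rule looks like in practice: a small Python script that flags a printed receipt still carrying a full card number or an expiry date, and produces the compliant version showing only the last four digits. The receipt text, the layout patterns it assumes ("EXP 05/27" style) and the order-number format are constructed for the example; the card number is the widely used Visa test number, not a real account.

```python
import re

# Candidate primary account numbers (PANs): 13-19 digits, optionally
# separated by single spaces or dashes as printed on paper receipts.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Expiry dates in the forms a terminal typically prints ("EXP 05/27", "EXP: 0527").
# Assumed layout for this example; adjust for your own terminal's receipt format.
EXPIRY_RE = re.compile(
    r"\bEXP(?:IRES|IRY)?\.?:?\s*(?:\d{2}/\d{2,4}|\d{4})\b", re.IGNORECASE)

# Constructed sample receipt; 4111 1111 1111 1111 is the common Visa test
# number, not a real account.
RECEIPT = """Orchid order #1234567890123
CARD 4111 1111 1111 1111  EXP 05/27
TOTAL $42.00"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells card numbers apart from order ids of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_violations(text: str) -> list:
    """Report what a receipt still exposes: 'pan' (full number) and/or 'expiry'."""
    found = []
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(text)):
        found.append("pan")
    if EXPIRY_RE.search(text):
        found.append("expiry")
    return found


def truncate_receipt(text: str) -> str:
    """Keep only the last four digits of each Luhn-valid number and drop the expiry."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # order ids and the like are left untouched
        return "X" * (len(digits) - 4) + digits[-4:]
    return EXPIRY_RE.sub("", PAN_RE.sub(mask, text))


if __name__ == "__main__":
    print(find_violations(RECEIPT))                     # ['pan', 'expiry']
    print(truncate_receipt(RECEIPT))
    print(find_violations(truncate_receipt(RECEIPT)))   # []
```

Running the checker over a batch of stored receipt copies is a quick way to confirm an existing terminal already truncates correctly before paying for a replacement.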
The notice went on to say that failure to comply might expose our little micro-business to "significant fines." I could avoid such a calamity, according to the notice, by spending $1,700 for a new credit card processing terminal.
The major credit card companies, of course, are doing all they can to improve security in a world rampant with identity theft, online fraud and phishing expeditions aimed at stealing account numbers. And I sure can't blame them.
But since liability usually falls to the lowest rung on the ladder -- and in this case, that's our little orchid company -- it's a matter of serious concern for us.
Fortunately, for a business our size, our old credit card terminal is just fine. We're still small enough that we won't be forced to buy a new machine -- we do about 100 to 150 credit card transactions a month.
Your Liabilities and Deadlines
Visa merchants
Still, the Visa Cardholder Information Security Program (CISP) and MasterCard Site Data Protection Program (SDP) define strict standards of care for securing cardholder data -- even for a company our size. And that goes for online transactions as well as real-world card processing.
According to a Visa spokesman, CISP "defines a standard of due care for securing Visa cardholder data, wherever it is located," and CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data since the program was mandated in 2001. Visa's merchant guidelines can be found here.
"While the security requirements have been in effect for several years, more recently awareness and compliance efforts have become much more widespread," the spokesman said. In short, that translates into some critical deadlines that merchants need to keep in mind. In general, Visa-using merchants must be compliant by Sept. 1 -- or run the risk of financial penalties.
For large online customers -- doing more than 500,000 credit card transactions annually -- Visa requires a compliance questionnaire and a quarterly system perimeter scan performed by a Visa-approved security assessor. The scan must be performed on the merchant's external-facing IP addresses.
For small merchants that are not storing, processing, or transmitting Visa cardholder data, but rather have outsourced those functions to a third party service provider, the main thing is to ensure that a CISP-compliant service provider is used. Visa maintains a list of compliant service providers.
If a merchant is storing, processing, or transmitting Visa cardholder data, they must ensure their own systems comply with CISP and ensure that a CISP-compliant service provider is used for any outsourced functions.
Continued on Page Two: MasterCard and PayPal.