
PCI Compliance Primer

By now most merchants have at least heard of PCI compliance, and many have a basic understanding of what it is; however, many still do not know exactly what to do about it, or what the implications and impact of non-compliance are. In this era of cybercrime and identity theft it is crucial to act in good faith and make a best effort to protect your customers from these real and present threats.

What is PCI, or more specifically PCI-DSS? It is the Payment Card Industry Data Security Standard, a set of requirements that grew out of the card brands' early best-practice programs to reduce the risk of cardholder data being stolen. Version 1.0 of the standard was released on December 15, 2004, and the Payment Card Industry Security Standards Council (PCI-SSC) was formed in 2006 to maintain it and align the policies of the various payment card companies. In a nutshell, if you accept credit card payments in your store and store, process, or transmit cardholder data, you are subject to PCI requirements. That applies to virtually every retailer doing business today. PCI-DSS is not a federal law; it is enforced contractually, through your merchant agreement with your acquiring bank and the card brands, and some states have passed laws that incorporate aspects of the standard.

According to the PCI Compliance Guide:

"The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this means any merchant that has a Merchant ID (MID)."

"Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data."

Why is this important? There are several reasons. Besides protecting your customers and preserving their confidence in shopping and using their credit card in your store, it may also be the law in your state. The card brands continue to ratchet up the pressure on merchants to prove PCI compliance, and a breach on a non-compliant system is extremely costly. The expense of fines, forensic investigation and remediation, and the public-relations fallout is difficult to forecast, so the old adage applies: "an ounce of prevention is worth a pound of cure". Proactively avoiding a breach is far cheaper than reactively addressing all of its adverse effects.

What do I do? First, educate yourself and understand what the standard requires. You can start by visiting www.pcicomplianceguide.org, and the official site maintained by the PCI Security Standards Council, www.pcisecuritystandards.org. Start an awareness campaign in your own organization. Identify every place where you capture, process, store, or transmit cardholder data, because every system that touches it is in scope for PCI-DSS; the fewer such systems, the smaller your compliance burden. Harden those systems. Most smaller merchants validate compliance with an annual Self-Assessment Questionnaire (SAQ), but seeking assistance from a PCI Qualified Security Assessor (QSA) or a firm that can help identify your shortcomings will let you take the action needed to meet compliance.

And remember, by protecting your customers you are protecting your business.

"In a multi-store operation it is important to have control from a central point. STCR provides the systems and technical expertise to do just that."