You may have heard about the Payment Card Industry Data Security Standard (PCI-DSS). This standard was established by the credit card companies to reduce theft of credit card numbers and related fraud. It is now being mandated on all organizations that accept credit card payments.
Not to worry, though! We're here to help you become PCI-DSS compliant.
Even if you are a small organization, becoming PCI-DSS compliant is not difficult. However, you will have to review and, in some cases, adjust your internal processes. This includes proper handling and destruction of cardholder information once it has been processed.
It also means using our software tools in a specific way depending upon the particular TCS Software application you are using. More application-specific details are provided below.
We have always taken credit card security issues seriously. For years our systems have stored credit card data in an encrypted format and destroyed card details once the transactions were processed. However, this new standard is much more strict and states that if you wish to collect or store credit card details (even temporarily) you must:
- store the credit information in a separate database
- that database must reside on a separate computer
- that computer must be behind a firewall with restricted access
- and it must have 24-hour recorded video surveillance
And that's just part of the PCI-DSS specifications. As you dig further, you quickly realize that it is unrealistic for small to mid-sized organizations to fully comply.
So the simplest answer is to use already PCI-DSS compliant systems and devices to process credit cards, namely:
How Urgent is This?
VISA has issued a mandate that merchants must be PCI-DSS compliant by July 1, 2010.
What If I Choose Not to Comply?
We do not know what the potential ramifications will be for non-compliance. However, we have witnessed instances where merchant accounts were placed 'on hold' for one reason or another. This essentially freezes all monies in the account until the issue is remedied.
Our best guess is that merchants who are non-compliant will have higher fees imposed, rather than face suspension of service. After all, the credit card companies stand to lose a lot of revenue if they begin 'turning off' their merchant accounts.
If you are not currently PCI-DSS compliant, you may still choose to keep processing credit cards the way you are currently doing it. We do not plan to disable any non-compliant features in any of our applications. However, we recommend that you become PCI-DSS compliant so that your merchant account isn't in jeopardy.
If you plan not to comply, we ask that you notify us by completing this form and sending it back to us.
You may want to contact your current merchant account provider or visit the PCI Security Council website to learn more about the PCI-DSS specifications. Visit www.PCIsecuritystandards.org. You may also contact us to discuss your specific details.
What Do I Need to Do to Become PCI-DSS Compliant?
The action you take depends upon the TCS Software application(s) that you are using. So here's a list of the applications and instructions for each. If you're unfamiliar with which applications your organization is using, please feel free to contact us.
WebSuite2™
This is our latest integrated website content management and contact management system. It offers full e-commerce, e-bulletins, membership directories, online forms and much more.
The Input Forms and Product Sales modules within this system allow payments by credit card. This system is fully integrated with your choice of three online payment systems: Authorize.net, XCharge or PayPal. Therefore it is already fully PCI-DSS compliant.
When visitors to your website place orders or complete Input Forms where monies are due, they are transferred temporarily to one of the online payment providers. Payments are authorized and processed at this provider site and then details (excluding sensitive data) are transferred back to the WebSuite2 system.
If you are using the Input Forms module of the AssociationWebSuite product with WebSuite2, you need to start using the newly-released Input Forms module of this application, since it offloads credit card processing to a third-party payment system.
To maintain compliance, you must not set up fields in the Contacts database or on an Input Form that will be used to store credit card details.
AssociationWebSuite™
This is the predecessor to our WebSuite2 product.
The Input Forms module of this system is not PCI-DSS compliant. We ask that you migrate to our WebSuite2 product in order to be PCI-DSS compliant. You will find that the new Input Forms module in WebSuite2 has many new time-saving features - as does the rest of the WebSuite2 product.
Prevail Association Management Software™
This is our flagship product. It is a full-featured association management database system for Windows®.
To be fully PCI-DSS compliant you should record no more than the last four digits of credit card numbers (for reference purposes) into this system.
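The two rules above (no card-number fields in the Contacts database or on Input Forms, and no more than the last four digits in Prevail) can be checked against an exported record set. The following is an added example, not part of TCS Software's products: it scans constructed sample field values for full card numbers using a digit-run pattern plus the Luhn check, and shows the last-four truncation that a record may keep for reference.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes as typed on forms.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return full card numbers (digits only) found in one free-text field value."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, the most a record should retain for reference."""
    return re.sub(r"\D", "", pan)[-4:]


def scan_records(records: list) -> list:
    """Flag (record index, field name, last four) for every field holding a full card number."""
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for pan in find_pans(str(value)):
                hits.append((idx, field, truncate_pan(pan)))
    return hits


# Constructed sample export; the card numbers are the well-known Luhn-valid test numbers, not real cards.
SAMPLE_RECORDS = [
    {"member_id": "1234567890123", "notes": "Paid by phone, card 4111-1111-1111-1111 exp 09/12"},
    {"member_id": "M-000042", "notes": "Check #5500 received"},
    {"member_id": "5500000000000004", "notes": "Last four on file: 0004"},
]

if __name__ == "__main__":
    for idx, field, last4 in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: field '{field}' holds a full card number ending in {last4}")
```

The 13-digit member ID in the first record is a digit run of card-number length but fails the Luhn check, so only the two genuine card numbers are flagged.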
If you receive convention registrations or membership renewals via fax or mail, you should process these transactions using either your in-house credit card terminal device or the web-based credit card terminal provided by your merchant account provider.
When you are done manually processing the credit cards, you should erase or destroy the credit card numbers printed or written on paper.
If you use the in-house credit card terminal, contact the merchant account provider to make sure that the device you are using is PCI-DSS compliant. This typically means that it does not store credit card numbers in any internal memory buffers.
Contact us about installing the latest update to the Prevail Association Management Software system.
PRIMA2®
This is Prevail's Internet-based extension suite. It adds online registrations, dues payments, website directories and member tools for tracking CEs, participation history, payment history and more. It transports the entire Prevail database to the web, providing staff read-only access in a member-centric view. It also offers a powerful built-in export tool that allows staff to create queries based upon combinations of membership data and other secondary tables (such as registration or cash receipts history).
The Online Registrations and Invoice Payments modules within this application allow payments by credit card. Therefore, we have re-engineered this application to fully integrate with your choice of three online payment systems: Authorize.net, XCharge or PayPal.
Contact us for help with setting up an account at one of these three providers (see details below). Once the account is established, contact us to activate this feature.
Once activated, instead of being prompted to enter credit card information, end users will be transferred temporarily to one of the online payment providers. Payments will then be authorized and processed at this provider site and then details (excluding sensitive data) will be transferred back to the PRIMA2® system.
When you import these transactions into the Prevail system, the payment transactions will be recorded, but sensitive credit card details will be excluded. You will still need to proof and post these transactions, but you won't have to do the EFT proof and post steps to process the credit cards. Note that these transactions import with a payment type of 'Other 3/PCI'.
If you need to make adjustments to payments received, you will simply log on to the online payment providers' system and issue the credit there. You will then enter an adjustment transaction in Prevail as you would currently.
Contact us about installing the latest update to the Prevail Association Management Software in order to use these new PCI-DSS compliant features.
There's no additional cost to you for these software updates or for our support time to help you get set up.
To learn more about setting up an online payment provider, click here.
For more questions and answers, click here.
To learn more about becoming PCI-DSS Certified as an organization, click here.
* * *