Does your organization accept credit card payments? Are you PCI-DSS compliant?

by Lisa Snide, VP Operations, TCS Software, Inc.

As a non-profit organization and small business operation, you've probably already ventured into the area of accepting credit card payments from your membership - after all, it's a convenient and reliable way to do business.
However, with the widespread use of debit/credit card transactions (particularly online transactions), merchant account providers are now tightening the reins on credit card data. In 2005, the 'Payment Card Industry Data Security Standard', also known as 'PCI-DSS', was established. The standard was developed by the major credit card brands to create a comprehensive and uniform set of requirements for protecting cardholder data from theft, fraud and misuse.
Most recently, VISA established a mandate, effective July 1, 2010, that all U.S. merchants must use only validated payment applications; validation is against the PCI Security Standards Council's companion standard for commercial payment software (PA-DSS), and the Council publishes the list of validated applications.
So, what are the PCI-DSS requirements?
PCI-DSS sets out twelve security requirements, grouped under six objectives, for ALL businesses that store, process, or transmit cardholder data. The standard applies equally to brick-and-mortar establishments and to those processing payments online, and equally to large and small merchants.
Here's a summary of the six primary PCI-DSS security objectives:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
You can view a detailed listing of the requirements by visiting the PCI Security Standards website.
What does PCI-DSS compliance mean for your organization?
Depending on the size of your organization, your annual credit card transaction volume and the methods you use to process credit card transactions, you'll need to provide your merchant provider with varying assurances that your organization is compliant with PCI-DSS. For most small merchants this means completing an annual Self-Assessment Questionnaire; larger merchants and those with more complex processing face on-site assessments and quarterly network scans.
If you're reading this thinking "Our organization is a small operation, this couldn't concern us", then think again. Although PCI-DSS compliance is not a federal mandate or law, you are required to adhere to the standard under the terms of your merchant agreement. It would be unwise to wait for your merchant provider to discover that you are not complying with PCI-DSS. Imagine what could happen if you are in the middle of peak registration time for your annual meeting and your merchant account was suddenly 'frozen'. Your merchant provider can, with a single switch, put a hold on your account, and funds will not be deposited to your bank account until the issue is resolved. Don't let this happen to you.
What can I do?
- Check with your bank or merchant account provider to verify which level of compliance you must adhere to, and verify that the applications you're using to process credit card payments are PCI-DSS compliant
- Check with your IT department or technology provider to ensure that you have fundamental network security controls in place (e.g. firewalls, anti-virus applications, strong passwords)
- Do not store credit card data on your servers or individual systems; in particular, the card verification code (the three- or four-digit number on the card) and full magnetic-stripe data must never be retained after authorization
- When card data is not in use, information must be secured or destroyed (e.g. store paper documentation in locked file cabinets or fire-proof safes; shred documents when done)
- Ensure staff are trained on appropriate use of credit card information, and run background checks on all employees who have access to credit card data
- Establish and provide written documentation on best practices for handling credit card information within your organization
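The hardest of these steps to verify is "do not store credit card data": card numbers leak into spreadsheets, exported registration lists and e-mail. The following is an added example, not code from the original article or from TCS Software, showing how an IT provider can scan text exports for stored card numbers. It looks for 13 to 19 digit runs, confirms each with the Luhn check digit that all payment card numbers carry (which filters out phone numbers, timestamps and member IDs), and reports only a masked form (first six and last four digits, the most PCI-DSS permits to display). The sample CSV is constructed for the example and uses well-known test card numbers, not real accounts.

```python
import re
from typing import Dict, List

# A candidate card number: 13-19 digits, optionally separated by single
# spaces or dashes, not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every payment card number carries a Luhn check digit, so this rejects
    most random digit runs of card-number length (timestamps, IDs, etc.).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a card number to first six / last four, the maximum PCI-DSS
    allows to be displayed; never log or report the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and return masked card numbers with line numbers."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": lineno, "masked": mask_pan(digits)})
    return hits


# Constructed sample: a registration export that should never contain card
# numbers. 4111... and 5500... are published test numbers (Luhn-valid);
# 1234567890123456 is card-length but fails Luhn, and the phone numbers are
# too short to match at all.
SAMPLE_EXPORT = """member_id,name,phone,card
1042,Jane Doe,555-123-4567,4111 1111 1111 1111
1043,John Roe,555-987-6543,1234567890123456
1044,Ann Poe,555-222-3333,5500-0000-0000-0004
"""


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed export."""
    return find_pans(SAMPLE_EXPORT)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit['line']}: possible stored card number {hit['masked']}")
```

Run against real exports, a hit means cardholder data is being retained and must be deleted or moved to the payment provider's system; the scanner reports the location and a masked number, so its own output does not become another copy of the data. Because it tests one greedy digit run per position, a card number embedded in a longer digit string will be missed, so treat it as a discovery aid, not proof of a clean system.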
Keep in mind that as an association executive you might also need to become a source of information for your members. Chances are if they are running a small business, then they need to comply with the PCI-DSS standards too. Remember, you're not in this alone. It's best to consult with your peers to establish best practices and determine what works for your organization as you work toward compliance.
Where Can I Learn More?
For additional information, start with the PCI Security Standards Council website referenced above, which publishes the full standard, the Self-Assessment Questionnaires and guidance for merchants.