Sounding Like a Broken Record on PCI Compliance

Posted by John Healy, Dydacomp CEO

The clock is running out on PCI compliance for payment applications…

The Payment Card Industry (PCI) has given all of us until 7/1/10 to have our payment applications officially PCI compliant and listed as approved on the PCI site.

I think everyone knows that PCI is the credit card industry’s effort to eliminate card-not-present credit card fraud globally. They have the total backing of all of the major credit card issuers. What you may not know is the definition of a payment application, so I thought I would share it with you; our source is the PCI Compliance Guide:

Q: What constitutes a payment application?
A: What constitutes a payment application as it relates to PCI Compliance? The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale System (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a Website e-commerce shopping cart (e.g., CreLoaded, osCommerce, etc.) is classified as a payment application. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.

So both your order management system and your shopping cart have to be PCI compliant; having only one or the other does not qualify. One study we looked at showed that the majority of credit card fraud in North America comes from merchants using third party payment applications, so getting those applications compliant is something the folks at PCI are very keen to see happen.

What it really means is that on 7/1/10 PCI and the credit card issuers are probably going to start clamping down hard on non-compliance, especially if a breach occurs. Here is what the PCI Compliance Guide had to say on non-compliance penalties:

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.

Upgrading your software, at least for Mail Order Manager and SiteLINK, if you haven’t already done so, is fairly painless and inexpensive. It is something you want to make sure you have done today and should not be put off. By the time you read this note you are two more minutes closer to the deadline.