
Small merchants who have been thinking that PCI standards aren’t for them are in for a surprise. Acquirers and payment processors now have Tier 3 and Tier 4 merchants on their radar and they are taking aim. The first shots have already been fired. Merchant911 members are reporting that enforcement efforts have started.
There’s a lot of debate about the effectiveness of the PCI Standards in general and particularly the quarterly scanning procedures but, at the end of the day, merchants need to comply. Failure to comply will result in stiff fines and termination of their merchant accounts.
The Debates
If you’ve been following the news, you know that the Hannaford breach was accomplished while Hannaford had, according to most reports, met all the requirements for PCI compliance at their tier level. On the surface, that doesn’t say much for the standard. On the other hand, I never heard anyone say it was perfect.
One merchant told me that he had to turn off his security software to let the scanner through. Getting flagged for a vulnerability that is only there because you are forced to take all security down for the scan is pointless. If they can’t get through your actual running security, then it is not a vulnerability.
Many merchants are convinced that compliance scanning is just another way for the payment industry to reach into a merchant’s pockets for some cash. That’s understandable and there’s probably some truth to it. Pricing is all over the scale, ranging from free to hundreds of dollars. Of course the freebies have some hooks, but the price range is some good evidence of the pocket theory.
The Confusion
In short, every entity that is involved in credit card payments must be compliant. The four-level structure is pretty simple except for the level 4 merchants. According to Visa’s website, a level 4 merchant is any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. Maybe it’s me, but I can’t seem to get my head completely around that.
But then it gets crazier for the little guys. It’s about that Self-Assessment Questionnaire thing. Commonly known in the industry as the “SAQ,” there is not one, but five different ones depending on the type of merchant and the way you handle (or don’t handle) cardholder data. I love type 5: “All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.” I think that’s like the catch-all in my employment contract where it says, “And all other duties as assigned.” If they say you have to do the Self-Assessment, then you have to do it.
Recommendations
If you have any questions about CISP PCI DSS, I strongly urge you to visit the PCI Security Standards Council website. Everything you need to know is there. If you are not compliant, you need to buck up and make it happen. You might not like it but you don’t really have a choice, other than closing your doors, on-line or otherwise.
The Security Standards Council has the SAQs that you’ll need. When you’re ready to submit your site to the quarterly scans, it needs to be done by an approved scanning company. Merchant911 recommends McAfee’s $99 a year scans for its merchants, but you can get a list of approved scanners here.
Edward*
There is more information at http://www.merchant911.org/resources/McAfeePCI.htm... And you can also go directly to the McAfee site - http://www.mcafeesecure.com