Commentary by Gregg Larson
RISMEDIA, April 21, 2008. Whether your own business accepts credit cards or you give your own card information to others, such as your MLS or Association, there is a set of rules you need to know about, called the “PCI Data Security Standards.” PCI stands for “payment card industry” and includes the five major credit card companies. These companies have all agreed that any company that stores, processes or transmits credit card or debit card data must comply with a rigorous set of information security guidelines.
By the end of 2007, any organization that accepts payment card transactions was to be in compliance with the standards; if not, the credit card companies (or the bank through which the cards are processed) could assess fines on non-compliant companies and even disallow further credit card transactions until PCI Data Security Standards compliance has been achieved.
There are different levels of PCI compliance, depending on your type of business. Level 1 includes companies that process over $6 million of credit card transactions per year, or that have experienced an information security breach. These companies must pass a special yearly security audit by the card company or bank internal auditor, or undergo a yearly audit performed by a qualified security assessor (QSA), and must also undergo a quarterly network security scan by an approved scanning vendor (ASV). For companies that are Level 2 ($1-6 million/year) or Level 3 ($20,000-$1 million/year), achieving PCI compliance is easier: it involves an annual self-assessment questionnaire and a quarterly security scan performed by an approved scanning vendor.
What does this mean to you?
If you provide your credit card to others, you may want to find out whether they are PCI compliant. If your organization takes and processes credit cards, whether through software hosted by your organization or through a “point of sale” credit card device, you should ensure that your company, and any application service providers it uses for credit card processing, are PCI compliant. If not already compliant, it’s time to become PCI compliant quickly: the deadline for compliance is already long past, and your company could be facing fines and a card-processing service interruption at any time.
For more information, please visit www.ClareitySecurity.com/Hackersafe.cfm.
Gregg Larson is the CEO of Clareity Security.
For more information, please visit www.ClareitySecurity.com.