The Complete Guide to Credit Card Processing Laws for Merchants

Credit card processing laws are notoriously difficult to keep up with. Every year, new legislation is passed that impacts how you process credit cards and the fees involved in doing so. The last thing any business owner needs is to be out of compliance with these complex rules, so it's essential to stay on top of them at all times.

PCI Compliance

The Basics of PCI

The acronym PCI stands for Payment Card Industry. The PCI is in charge of enforcing a strict set of rules known as the PCI DSS (Payment Card Industry Data Security Standard). It's a set of industry-wide guidelines aimed at preventing fraud.

The Data Security Council, which is made up of significant credit card companies such as Mastercard, Visa, American Express, and Discover, created the PCI DSS.

All merchants, financial institutions, payment processors, and merchant services providers are responsible for adhering to the PCI DSS credit card processing laws, which help protect the cardholder's data during a transaction.

PCI compliance will protect your business from data breaches and help you avoid the crippling costs of fraudulent transactions. Furthermore, failure to comply with PCI standards is punishable by large fines, so it's best to learn about them as soon as possible.

Why Is It Important to Know These Laws?

On a fundamental level, understanding these credit card processing laws will help ensure that your business is protected from criminal activity. The fines can be prohibitively high for those who aren't compliant with PCI DSS regulations, so it's vital to make sure you're following the rules as closely as possible.

We see an increasing number of lawsuits being filed against businesses by credit card companies and consumers regarding these laws. We have seen a lot of good information coming out about this topic over the past few years.

However, it is still very confusing for many merchants. Not knowing what you can or cannot do could end up costing your business thousands in fines if you happen to violate these laws.

How Can You Ensure That Your Business Is PCI Compliant?

The first thing you need to do is educate yourself on these laws. Many resources are available, but one of the best places to start your research will be your credit card processing company or merchant services provider because they should have plenty of information about compliance regulations that apply directly to them and their business model.

If you use a third-party payment processor, ensure that your chosen company has worked hard to become PCI compliant. If they haven't done so yet, you may want to look for another provider.

The best way to ensure compliance with credit card processing laws is by following them carefully and staying on top of any changes made each year. It's a time-consuming process, but it's a crucial one.

The Four Levels of PCI Compliance

Level 1 PCI

Validation requirements

Level 2 PCI

Validation requirements

Level 3 PCI

Validation requirements

Level 4 PCI

Validation requirements

How Do Credit Card Processing Companies Maintain PCI Compliance?

Companies that process credit card payments must adhere to the standards set by PCI DSS. The Payment Card Industry Data Security Standard is a series of requirements for security protection.

It applies to all companies involved in storing, processing, or transmitting customer credit card data. These laws are necessary because they help protect businesses from breaches due to cyberattacks on their systems.

This standard was created specifically for merchants who store sensitive financial information about customers' payment accounts.

The violation fines can be crippling if your business does not meet these compliance rules as outlined. Staying up to date with the changes made each year will ensure you're never caught off guard by something unexpected during an audit.

Conclusion

PCI compliance laws are created to protect both merchants and consumers. Merchants must comply with these rules, or they can face hefty fines for noncompliance, so staying up-to-date on changes each year is critical.

Credit card processing companies have an even greater responsibility for PCI compliance because their business model requires that they store payment account data securely at all times.

They are also held accountable by auditors if there is a breach of security that leads to the loss of customer financial information, so you should only work with providers who maintain high levels of service quality standards within their company culture.

Contact BNG Payments to learn more.

Practical Ways Your Business Can Be PCI Compliant

I’ve talked a lot about PCI Compliance on this blog, primarily because it impacts all of our customers’ monthly processing statements.

Merchants are charged an extra monthly fee for every month they do not complete their PCI Compliance requirements for keeping customer data secure.

Once a year, your business is required to complete a questionnaire from your processor. If you don’t complete the questionnaire or you are not keeping sensitive payment information PCI compliant, you’ll receive a monthly non-compliance fee until you complete the questionnaire.

If you want to read more about the questionnaire and how to answer the questions, you can read more here. However, there are some pretty simple rules to follow to become PCI compliant.

There are some pretty easy steps you can follow to get and keep your business ready for the questionnaire. Here are three quick steps you can take when evaluating your business to assure private information is safe and secure.

Have a secured network

It’s never a good practice to run your payment processing or point of sale system on an open Wi-Fi or wired network. Keep that network behind its own firewall and on its own router, separated from other networks such as the guest Wi-Fi.

As a merchant, you are responsible for keeping your staff compliant when it comes to keeping customer card data safe. Work closely with your employees to craft a plan that gives everyone an equal part in protecting cardholder data.

Secure mobile card readers

Mobile card readers like PayAnywhere and Phone Swipe are popular and offer a great solution for a business that travels or needs portable terminals for tradeshows.
The PCI Compliance Council has published security guidelines for securing mobile payment solutions you use with your smartphones or tablets.

Here’s the highlight of their requirements:

“Your mobile payment solution thus requires additional technology, including encryption, to secure cardholder data acceptance. The first part of a secure mobile payment solution is an approved “point of interaction,” which is the technical term for an approved PIN entry device (PED) or approved secure card reader (SCR) used to capture and encrypt cardholder data for a transaction” (PCI Security Standards).

From data encryption and tokenization to fraud prevention, protecting you and your customers is the top priority. On top of encryption, you should also ensure your mobile devices and tablet readers are kept safe and are secured from theft, unauthorized use, or malware.

When in doubt, ask your processor

While there are steps your business can take to make sure it is taking payments securely, it's best to talk to someone knowledgeable. When you actually receive the PCI questionnaire once a year, some of the questions are written in industry jargon that's bound to make you scratch your head in confusion.

Remember, answering incorrectly through misunderstanding could cost your business a monthly fee on your statement for having weak security. Talk to your payment processing company and they will counsel your business on becoming PCI Compliant.

Contact us here to learn more about practicing good PCI Compliance standards.

How to Avoid PCI Non-Compliance Fees

Chances are if you’ve used payment processing services for at least a year, the term PCI Compliance has come up.

Whether you received an email notification from your processor or noticed unfamiliar fees on your credit card statement, you’ve heard about it. PCI compliance is a bit of a confusing topic for merchants since they aren’t really sure what they should do to be compliant. Most probably think they are keeping their customers’ payment information safe, but probably aren’t in the eyes of the processor.

Which begs the question, how do you properly prevent your business from incurring Non-Compliance fees?

The 3-step process

Now, most merchants attempt to search for answers on how to be PCI compliant online, only to find a bunch of miscellaneous jargon terms that talk about the penalties, instead of what actions to take.

However, there’s a pretty simple methodology to follow when trying to become PCI compliant. Here are three quick steps to take when evaluating your business.

Analyze

The best place to start is to look at your basic procedures. How do you take credit or debit card payments? Do you take payments over the phone? Do you store customer card numbers in an Excel spreadsheet for recurring payments?

All of these create vulnerabilities in how you handle customers’ sensitive credit information. The best way to catch all of these potential risks is to look at what your IT assets are, and your company procedures for handling sensitive information.

Correct

Once you recognize your weak areas, you’ll need to take steps to fix the existing vulnerabilities. One of the best things you can do is to not store customer personal data at all.

Now, if you’re a brick-and-mortar store, it’s not necessary for you to keep sensitive data. But if you run a business that processes card-not-present transactions, you have to ensure that data is properly handled and stored.

You may need to reconsider how you process payments and look for a more secure method of handling payments.

Report

Once you’ve finished with the first two steps, submit your report to your processor. This is the only way to show processors your business is PCI compliant. If you had non-compliance fees on your statement and you are evaluated as now being PCI compliant, those monthly fees should disappear.

Want to take payments smarter?

Contact us and learn more about if your business is practicing PCI Compliance.

PCI Compliance and Security for the Holidays

As 2016 comes to a close and the holiday season is upon us, we wanted to go over some key guidelines for keeping your customers’ data safe. Here are our tips for PCI Compliance security around the holidays.

Before we dive in, let us clear the air about what PCI compliance applies to.

Any business that transmits, stores, or processes primary account numbers (also known as PANs) is required to comply with the PCI DSS guidelines. Along with the above regulations, merchants are also required to keep PAN data protected, including the account number, cardholder name, expiration date, and service code. You should also be aware that storing Sensitive Authentication Data (SAD) is generally prohibited.

Once a year, your business will receive a survey and questionnaire directly from your processor, which you’ll be required to fill out. If you don’t fill it out or are not keeping sensitive payment information PCI compliant, you’ll receive a monthly non-compliance fee until you complete the questionnaire.

Quick note: the emails notifying you tend to get caught by spam filters, so you may not realize it until the fee shows up on your monthly statement.

Keep a long term view on PCI security.

Don’t make the mistake of focusing only on receiving the “all clear” from your PCI compliance report. Trying to pass just the guidelines means you’re ignoring some wider security risks that can affect your business. Work on establishing a long-term mission of taking payments securely.

Actively monitor security controls.

One of the best habits your business can get into is documenting the effectiveness, adequacy, and status of all of your security controls.

How often you do this will depend on things like how frequently a control is likely to change and whether it protects a high-impact system. Sampling may be necessary for data collection, but make sure the sample captures the variations in use. Samples of system components should include every type and combination you operate.

Want to take payments smarter?

Contact us and learn more about if your business is practicing PCI Compliance.

 


3 Best Practices To Keep Your SMB PCI Compliance Friendly

 

How many of you have heard of PCI Compliance?

And how many of you are filled with anxiety or confusion when someone mentions PCI Compliance?

PCI Compliance is a complex and broad subject. Merchants are told constantly they need to make sure they’re compliant, but aren’t told how to actually do it.
Have no fear, we’re here for you.
Today we’re covering three basic best practices to make sure your business is following PCI and guaranteeing that sensitive information is secure.

1) Do not store sensitive data, and if you have to, lock it down

E-commerce merchants:

If you’re running an E-commerce store, make sure your site is not automatically storing information on your pages.
If you have a professional website that is managed by a company, talk to your designer and make sure your site is not storing sensitive information on your server.

Brick-and-mortar merchants:

If you have a brick-and-mortar store, keep documents with customer information locked up and out of sight of customers and employees.
If you like to keep all your paper receipts, or turn them into PDFs, keep them locked. Use a secured computer that only you and your accountant have access to, or a secured storage place for the paper receipts and cardholder information.

2) Keep your website updated and protected with a firewall

If you’re taking any sort of payments online, you need to guarantee that your website is constantly updated. Without consistent updates, you’re essentially leaving your site open to hackers.
Make sure your web designer is consistently managing updates for you so you’re not leaving yourself vulnerable to hackers online. Also, make sure you have the necessary online firewalls to repel cyber attacks.

3) Train your staff on how to handle sensitive information properly

Nothing is more important than keeping your customers’ information safe. Sadly, lots of errors that give fraudsters access to private information are human errors.
Make sure your staff does not give out information over the phone or via email. Also, make sure they are correctly using the computers at work and correctly storing cardholder information. Only approved staff should be actually handling sensitive information.
Keep yourself aware of who has access to customer information, and regularly check to make sure your staff is handling sensitive information with care.
If you want some additional reading about PCI, or want to test your business, read more here at the official PCI Security Standards Council.

Don’t let these best practices fall by the wayside!

Want to talk to an expert about PCI? Talk to our merchant services specialists.