For those of us who accept credit cards
WillMass
5th of July 2009 (Sun), 10:41
What, if anything, are you doing about the new privacy/identity theft PCI DSS regs?
I'm not sure I understand them or what they REALLY mean to a merchant.
The company I have my merchant account with has recently launched a security protection program that they claim "somehow" protects the merchant. It's only $90/year, but frankly it feels like paying "protection money" to the mob.
tracknut
5th of July 2009 (Sun), 11:31
Got a link? I'm not aware of any new regulation for those using merchant accounts (which doesn't mean there aren't any...), are you storing credit card numbers?
Dave
WillMass
5th of July 2009 (Sun), 13:23
https://www.pcisecuritystandards.org/
We're only storing customer card numbers in the sense that we keep the signed copy of their CC receipt.
ETA: This may actually be more informative: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
BigBlueDodge
5th of July 2009 (Sun), 13:36
Will, if you are using a 3rd party provider to handle your credit cards, then it is THEIR responsibility to be PCI compliant. If you have a custom site where you process orders and store the credit cards in a local database then YOU are responsible for being PCI compliant. However, I would venture to guess that 99% of photographers use a 3rd party provider to handle credit cards for them, and don't need to worry about PCI.
Remember, PCI is not a government compliance. It is a standard defined largely by Visa, and supported by the other credit card companies. These credit card companies are largely concerned with CC processors and the largest eCommerce sites (Amazon, Best Buy, Wal Mart, etc).
tracknut
5th of July 2009 (Sun), 14:16
I thought you were referring to a *new* PCI requirement - these links don't show anything that hasn't existed for several years as far as I can tell. The last time I went through PCI I found their checklist quite simple and helpful. I don't remember whether there are any requirements relating to the copy of the CC receipt, but you could probably go through the checklist in less than an hour to make sure that you've covered anything they have in it.
Dave
WillMass
5th of July 2009 (Sun), 15:46
Thanks Dave and David,
Yes, I knew about the existing PCI DSS regs. And I do use a third party (NPC) for my processing.
About 2 months ago they sent out information about their "Platinum Security Protection Program". They stated that all merchants (who use a landline terminal) would automatically be enrolled, at a cost of $90/year, and that this program would certify the merchant as PCI compliant and indemnify the merchant for up to $50K.
When I requested to opt out, they sent me a stack of forms that made my eyes glaze over.
The whole thing feels/sounds like a scam.
I've searched the NPC (National Processing Company) website, and they have no information online about this program for me to share. The only thing I have been able to find was this: http://forums.monstersmallbusiness.com/index.php?showtopic=20640
tracknut
5th of July 2009 (Sun), 16:01
Feels like a scam to me as well. I would talk to the folks at PCI about this and see what they have to say. Seems like if you can verify you're compliant, why would you need a $90/year insurance policy on it?
Dave
jaykilgore
5th of July 2009 (Sun), 16:37
> Will, if you are using a 3rd party provider to handle your credit cards, then it is THEIR responsibility to be PCI compliant. If you have a custom site where you process orders and store the credit cards in a local database then YOU are responsible for being PCI compliant. However, I would venture to guess that 99% of photographers use a 3rd party provider to handle credit cards for them, and don't need to worry about PCI.
> Remember, PCI is not a government compliance. It is a standard defined largely by Visa, and supported by the other credit card companies. These credit card companies are largely concerned with CC processors and the largest eCommerce sites (Amazon, Best Buy, Wal Mart, etc).
+1 to everything.
Nothing's changed, still business as usual.
taft231
30th of August 2010 (Mon), 10:35
I hope that I am not responding to an outdated thread here.
The biggest things you need to know about PCI DSS compliance are as follows.
Processors, Terminal Manufacturers, online shopping carts and online processing solutions must be PCI DSS Compliant or face losing their ability to process for VISA/MC.
Merchants are not obligated to be PCI DSS compliant in most states.
As a merchant you are ultimately responsible for the security of a transaction for your clients! VISA/MC can and in many cases do impose penalties on the merchant in the case of a security breach. In many instances it was not something the merchant did wrong, in fact in some cases it was a lack of security with a software/POS, internet or terminal vendor.
If you do obtain PCI DSS certification and still have a breach that is not your "Fault" it is alleged that VISA/MC will not penalize the merchant.
The question is not whether a breach will occur, it is when and how the breach will occur.
I have lots of data and information regarding PCI DSS compliance and would be willing to share with anyone interested.
Thanks,
Tim
RDKirk
30th of August 2010 (Mon), 10:44
> I hope that I am not responding to an outdated thread here.
> The biggest things you need to know about PCI DSS compliance are as follows.
> Processors, Terminal Manufacturers, online shopping carts and online processing solutions must be PCI DSS Compliant or face losing their ability to process for VISA/MC.
> Merchants are not obligated to be PCI DSS compliant in most states.
> As a merchant you are ultimately responsible for the security of a transaction for your clients! VISA/MC can and in many cases do impose penalties on the merchant in the case of a security breach. In many instances it was not something the merchant did wrong, in fact in some cases it was a lack of security with a software/POS, internet or terminal vendor.
> If you do obtain PCI DSS certification and still have a breach that is not your "Fault" it is alleged that VISA/MC will not penalize the merchant.
> The question is not whether a breach will occur, it is when and how the breach will occur.
> I have lots of data and information regarding PCI DSS compliance and would be willing to share with anyone interested.
> Thanks,
> Tim
The sentence I've italicized appears to be obviated by the sentences I've bolded.