The official governing body of PCI Compliance is the PCI Security Standards Council, and their website is www.pcisecuritystandards.org. According to their website, meeting PCI DSS (Payment Card Industry Data Security Standard) "means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers' payment card data is being kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches."
If you are a large business with both retail and internet sales, you are probably already familiar with PCI Compliance and why it is important...just ask Target. They had a program in place and they still had a breach. The reason I bring this up is that being PCI DSS compliant does not guarantee that you will not have a breach. It helps prevent a breach and hopefully will help reduce fines imposed by the card associations in the event you have a breach. That's right, the card associations (Visa, MasterCard and Discover, for example) are the ones that impose the fines if you have a breach, not the PCI Security Standards Council. Clear as mud, right?! The council is there to help you become compliant and understand compliance, not to enforce compliance.
So, what does it mean to be PCI Compliant as a small business owner?
If you do not touch the internet:
If you do not accept cards through the internet, say you only have a standalone credit card terminal that connects through an analogue phone line, you still have to be compliant. The basics are as follows...you need to make sure your credit card terminal has regular PCI encryption updates. You need written policies regarding who can handle credit cards and process payments in your workplace. You also need a written plan for the unlikely event of a breach, and you need training materials for employees to teach them how to handle credit card information. Finally, if you do store customers' credit card information, you need to make sure that it remains in a locked area that is not easily accessible to customers or to employees who do not handle credit cards. The full list of requirements can be found on the PCI council's website, but these are the basics. Remember, fraud can be both external and internal.
This level of compliance requires you to either partner with a qualified PCI assessor (found on the council website) or self-assess by downloading the most recent SAQ B form from the council website under Documents. NOTE...check with your processor first. Some processors do not allow you to self-assess and require you to use their preferred vendor. This is usually because they want to profit from your compliance. My company does not profit from compliance, and we allow our clients to choose whomever they want for compliance.
If you do touch the internet:
If your customers' credit card information touches the internet in any way, you will need a higher level of protection. Self-assessment is still an option, but you will have to find a qualified scanning vendor that will scan your system quarterly for vulnerabilities. Check the council website to see if your current IT or web hosting company offers this service or if they have a preferred vendor that is qualified by the council. This level of compliance is in addition to all of the requirements of the SAQ B. You need to make sure you do not have any internet-facing vulnerabilities. This is how Target was breached, through the internet.
Many small business owners believe that they are unlikely to experience a breach. The fact is that the vast majority of breaches happen to small business owners...sad but true. With fines in the $40k range (and up), it is a good idea to take the time to make sure you are compliant. I personally believe it is worth the $40 - $125 a year cost to have a certified PCI assessor make sure that I am compliant. It is a necessary evil and a cost of doing business.
The 2013 Target Breach:
Little is known right now about the Target breach other than that their system was breached. Cyber thieves stole card data from the magnetic stripes between November 27th (Black Friday) and December 15th. Over 40 million customers' credit and check card information was stolen. Target has a PCI compliance program. This can happen to anyone. Target is reacting very well and has hired a forensics company to help with the breach. The Secret Service is also performing an investigation.
If you shopped at Target during this time, I recommend you keep an eye on your credit report, check your credit card account and bank accounts daily, and possibly even cancel the cards used and order replacements. If you notice any suspicious activity, report it to your credit card company or bank (whichever applies) immediately.
If you’ve been in business for any amount of time, chances are someone has tried to “pull one over” on you. The merchant processing business provides for an abundance of examples of this scenario. I previously wrote about suspicious phone calls where someone calls acting like your current processor and before you know it you have been duped.
So how do you know when to look into an offer and when to tell them to take a hike…or flying leap? In most cases you should tell them to go away and not come back, but what if you are looking to switch?
The first thing you should do is calculate your net effective rate, or NER for short. You do this by taking ALL of your processing fees and dividing them by ALL of your merchant processing volume. For example, if your fees totaled $2,500 for the prior month and you took $50,000 in credit cards last month, then your NER is 5.00%. This is very high, but unfortunately I have seen higher.
So what is a “good” net effective rate? The lower the rate is…the better for your bottom line. If most or all of your transactions are “card not present”, “MOTO” or “keyed”, then you should have an NER of 3.00% or below. I have clients below 2.00% that key all of their transactions. Your rate will depend on how much your processor is charging you and what types of cards your customers pay with. If you are a retail location, your net effective rate should be much lower. Your range should be somewhere between 1.50% - 3.00% depending on your business type and customer card types. Some retailers are fortunate and have rates well below 2.00%.
If you feel your rates are too high after calculating your NER, then you need to find someone that offers interchange-plus pricing with no contract and no fluff fees. This is not very easy. Most companies will do and say anything to earn your business, only to change the rates and rules after they have you locked into a contract. Also, most reps in this industry are not empowered to honor the promises they make, so make sure you get it in writing with their company logo on it. It is very important to get everything in writing up front. Review every single line of every paper prior to signing anything.
If you decide to let someone do an analysis for you, make sure you mark out your merchant ID (MID) on every sheet of paper you give them as well as your banking information. Tell them they need to provide you with a detailed analysis showing if and how they can save you money. If they will not or cannot share their detailed analysis with you, IN A WAY YOU CAN UNDERSTAND, then they need to go away.
If they provide you with a detailed report and they explain it in a way that makes sense, then you should ask them to send over the application showing all of the fees they charge. Compare the fees on the application to the analysis they provided you. The fees should match, and there should not be any fees on the application other than what was on their analysis. The only exception is an interchange cost that did not apply to the month they analyzed, but be careful here. Look up the charge they show as interchange cost online. It is there; you may just have to dig for it. Look below for a link to Visa and MasterCard’s websites.
I place all of my clients on interchange-plus pricing with no application fee, no annual fee, no monthly minimum…no fluff fees, period. There are a few others out there like me. I have met them, but they are very few and very far between.
The bottom line is, if the offer seems too good to be true, it probably is. You will need to get DETAILS, and email me if you have questions.