As of June 30, 2005, Visa requires that any organization that processes more than 20,000 credit card transactions annually be certified compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the card associations’ new universal security standard, which regulates how card data is stored, transmitted and processed by merchants. Where as previously there was a standard for each organization – Visa’s CISP, MasterCard’s SDP and American Express’ DSOP – now there is one common standard and one common certification process. These requirements apply to all payment channels including retail (brick-and-mortar), mail/telephone order and e-commerce.

For most merchants becoming compliant requires two steps. The first step is completing the self assessment questionnaire published by the card associations. The second step is receiving a quarterly vulnerability scan from an approved third-party security assessor. The vulnerability scan is simply a program that is run on your network from the Internet to see if you have any security holes or vulnerabilities that may allow unauthorized users to gain access to your network and potentially compromise cardholder data. If the scan pinpoints any potential vulnerabilities, they will need to be addressed.

For bigger merchants (6 million transactions annually or above), a detailed onsite assessment is also required. Even merchants who process less than 20,000 transactions annually are required by Visa to comply with the regulations. Whether or not they have to be certified as well is at the acquirer’s (their merchant bank’s) discretion. Regardless of your size, failure to comply can lead to steep financial and operational penalties. The first time any of your data is compromised and you are found not to be in compliance, the fine will be $50,000 or more. For any subsequent breaches, the fine goes up exponentially. More importantly, Visa, MasterCard, Discover and other credit card companies can and, in fact have, taken away the ability of the merchant to accept credit cards. Most businesses cannot risk that.

Many of you may be aware of these regulations either from recent articles in the press or from notices sent by your bank or processor. Unfortunately, some estimates show that less than 7 percent of merchant organizations are currently certified. What we have found by talking to customers, is that while many merchants are aware of the presence of these regulations, they feel lost or overwhelmed by the details like which merchant level do they fall into? What does the self assessment form entail? Who performs the scans? How much do they cost? What kind of problems are they looking for? How can they remedy a problem if they do find one? What are the legal liabilities if it’s their payment vendors who are not in compliance?

It is this confusion that has kept many merchants from becoming certified and protecting themselves against future liabilities. The best thing to do is educate yourself and to partner with strong, certified third-party solution providers and assessment firms. A list of certified scanning vendors can be found at https://sdp.mastercardintl.com/vendors/vendor_list.shtml.

“You really want to find a security assessor who will work with you throughout the process; one who will be available to not only perform the network scan, but to clarify any questions you have on the questionnaire, help you resolve any issues with your system and generally be your security partner,” said D.J. Vogel, CISSP, CISA and managing partner at 403 Labs.

You also want to make sure that you are working with property management and point-of-sale systems that are also fully aware of and compliant with the latest security regulations. In order to do that, you want to ask your providers if they comply with Visa’s Payment Application Best Practices (PABP), which were developed to help software vendors create secure payment applications. To be considered secure, these applications must not retain full magnetic stripe data or CVV2 data and must support your ability to comply with PCI DSS requirements.

The card associations do not currently require payment applications to certify compliance with the PABP standards. However, many processors are requiring that the payment applications validate their compliance with these standards through an independent third-party auditor in order to continue to send transactions direct. In fact, First Data is requiring that an audit be completed by October 1, 2005. In addition, any POS software vendor that connects remotely to merchants for the performance of maintenance, enhancements or updates must also complete an onsite PCI DSS certification audit with a third-party security assessor approved by Visa.

Be sure to ask your PMS/POS providers about their security practices. Remember, if they are not properly handling any credit card data, they can be putting your own data and your own compliance at risk, and it will be you who is ultimately held responsible for any breaches.

The last thing to consider is deploying a gateway within your payment process. At its core, a gateway is merely a translator that connects your various POS/PMS systems to the processors you deal with. But a good gateway will add a great deal more; including helping you quickly comply with today’s requirements and easily maintaining compliance as regulations evolve. The right gateway can take the burden of data storage and protection out of your hands and provide insurance against future security problems.

Regardless of the systems and processes you deploy, educate yourself on the latest requirements and protect the future of your organization.

Rebecca Kalogeris is director of marketing for Shift4 Corporation. She can be reached at rkalogeris@shift4.com.