PCI Compliancy for accepting credit cards now?

Jan 18, 2008
704
2
MASS.
Visit site
More and more, when I call in an order for supplies, my vendors are telling me they don’t accept credit cards anymore. They request I either send payment by check or I pay COD by cash or check. Now, I'm beginning to see why...

I figured by accepting credit cards, it’s a clean form of payment and it saves me trips to the bank. Also, my credit card terminal provides auto batch outs conveniently at night. I don’t mind the small fee they charge for each transaction. It’s a service for which I am willing to pay. My online store merchant account charges a small fee for each sale I receive through my website, and that’s fine by me too.

Now, because of credit card hackers, just like little geeky terrorists, I am required by my credit card merchant, to become “PCI compliant”. According to my merchant, this is not their doing, but the doing of Visa, MasterCard and others, in an attempt to combat credit card theft.

So, I call my merchant processor, who then directs me to SecurityMetrics. They ask me a number of questions related to how I receive credit card info from my customers. Yadda yadda yadda, I now am required to become PCI compliant by next Wednesday. They say my particular situation will cost me $139.99 per year.

Even if I use strictly PayPal, I still have to fill out a questionnaire and jump through some other hoops.

I’m a compliant kinda guy and I know that only good can come from following a straight line, but this is beginning to test my patience.

Here is the email they sent me, if you’re interested:

Thank you for choosing Sam''s Club and First Data Merchant Services for your Visa, MasterCard and other networks payment processing needs. Please keep reading for essential data security information about your account.

If you are concerned with the validity of this email, please call us at THE CUSTOMER SERVICE NUMBER LOCATED ON YOUR MERCHANT STATEMENT to validate this notice. This is a follow up to communications that were provided recently in your monthly merchant processing statements.

Why am I getting this e-mail?
We are the processor for your Visa, MasterCard and other payment card transactions. We are sending you this email to alert you to urgent actions you are required to take to help combat cardholder fraud and identity theft. THESE ACTIONS ARE REQUIRED BY VISA, MASTERCARD AND THE OTHER PAYMENT CARD NETWORKS.

Data Security Standards Background
In 2005, the payment card networks established a common set of industry requirements designed to help with the safe handling of sensitive payment card account information. These requirements are known as the Payment Card Industry (PCI) Data Security Standard. These PCI security requirements have been phased in over time and now apply to ALL merchants that accept Visa, MasterCard and other payment cards. More information about this security standard is available online at:

http://www.pcisecuritystandards.org

You can find specifics about the Visa and MasterCard security programs at the following sites:
http://www.visa.com/cisp
http://www.mastercard.com/sdp


What do I need to do?
IF YOU ARE NOT PCI COMPLIANT, IT IS URGENT THAT YOU BECOME PCI COMPLIANT WITHOUT DELAY. To help you to achieve PCI compliance, Sam''s Club and First Data Merchant Services has arranged for SecurityMetrics, a certified security assessor for Visa, MasterCard, American Express and Discover Card, to provide you with their "Site Certification" service. You can contact SecurityMetrics at 800-557-4684. You may also contact them online at: http://www.securitymetrics.com.

When do I need to do this?
You have been requested to resolve this by June 10, 2009, so please ACT NOW.

What if I fail to become PCI Compliant?
The Card Associations are very serious about data security. Security breaches have affected merchants of all sizes. If you are compromised, the Association fines can range up to $500,000 per Association. These fines are in addition to other liabilities you may face in connection with the security breach.

To assist in validating this email, Sam''s Club and First Data Merchant Services has included information about PCI DSS Compliance on the following website, http://www.merchantinsider.com/merchant ... tasecurity.
Please be sure to visit this website to learn about PCI DSS! You can get up-to-date information on PCI, including MasterCard's schedule of PCI educational webinars. You also have the ability to ENROLL directly with the SecurityMetrics Level 4 program by clicking ENROLL NOW found under the PCI Compliance for Level 4 Merchants topic.

Your participation in this program is essential in allowing us to help you be protected against any unwanted security breaches. We appreciate your time and assistance.

Sincerely,

Sam''s Club and First Data Merchant Services


I chose red font as a descriptive color of ire, rage and anger, because it's about how I'm felling right now.

...darned geeky hackers and the companies too, that use the excuse to charge for insurance against them and the potential for their geeky activities.

So, I may just go back to paper...
 

PinkRose

Super Moderator
Staff member
Feb 28, 2008
5,228
14
Near Philadelphia, PA
Visit site
Hi Cafe Biscotto

Wow! I can see why you're seeing red!

What does PCI stand for?

I just briefly read the PCI security standards document at http://www.pcisecuritystandards.org
and there are certainly lots of hoops to jump through. In a way it's good that someone is forcing people to comply, but it's a pain for those, like you, who keep a watchful eye on things.

You gotta wonder how many small businesses actually have secure credit card processing or even computers that have updated antivirus software. A friend of mine told me that she recently worked in a place that accepted Visa and Mastercard payments, both in person and on-line. It turned out that they had no antivirus software, and their computers weren't updated. She didn't discover it until her computer kept freezing up. She said she updated the Windows XP (there were so many updates that it took over 5 hours) and installed some free stuff, like Spybot Search and Destroy and Avast antivirus. Then she scanned the computer. She found all sorts of trojans, keyloggers, malware, etc. and brought it to the owner's attention. Unfortunately, he couldn't care less. That's the type of business that should be snagged for non-compliance.

Rose
 
Jan 18, 2008
704
2
MASS.
Visit site
Rose, I'm in a good mood now, since I just read what you wrote after your last spam bust, LOL.

So yes, not only do I pay for the services of having a Yahoo store, they being PCI compliant, I also have to prove I am PCI compliant. I already pay for virus protection. Now I have to pay to prove I use it and it is updated, LOL. A small business like mine is being nickle and dimed to death. Add in transaction fees from every which direction, inspection fees from local, state and federal, bar code fees, insurance premiums, etc. etc. etc.

Well, I've been running various businesses for over a decade now and I can tell you, the list of things you have to do and pay for is becoming longer every year. What's next? A mandatory fee to prove I actually am? Get it? I get irritated by geeky thievery, those genius little parasitic leaches, who their primary objective, is figuring out how to make life more difficult for the little guy... therefore I am.

Thanks Rose, I found a free PCI compliant host to take care of it for me for free, at least for 90 days. :D
 

PinkRose

Super Moderator
Staff member
Feb 28, 2008
5,228
14
Near Philadelphia, PA
Visit site
It sounds like you're okay on your end; however, it's still must be an inconvenience for you, because some of vendors that you order from aren't accepting credit card payments.

I can imagine that would be a real pain...

I don't like being inconvenienced when I want to buy something. I always get annoyed when places only accept Visa or Mastercard when I want to use my American Express!

Rose
 

jonperry

New member
Aug 19, 2009
1
0
Visit site
If you process through Paypal or a gateway where the credit card information is sent, processed and stored by THEM not you, then PCI compliance is their burden. If you are processing credit cards through the phone, your website (e.g. shopping cart with SSL) or brick and mortar, then you have some level of PCI compliance you must do. PCI stands for Payment Card Industry, which is the joint efforts of Visa, MasterCard, Amex, Discover, JCB and so on.

There are SAQs or Self Assessment Questionnaires that you fill out for the method you use to process credit cards, such as dial-up, Internet Protocol, etc.

PCI compliance fees by a processor are just enhancements to their top line revenue.

However, in this case, if you have a merchant account with Sam's Club/First Data, they are telling you that you must be PCI compliance because you are processing/transmitting credit card information through a credit card terminal or internet account.

Let's say you are running credit cards through a terminal that transmits the information through a standard phone line. You would use SAQ B, Stand-alone terminal merchants, no electronic cardholder data storage. This is a very simple two page form. Once you filled out the SAQ, send it to your processor. This will need to be done annually and should get them off your back. If it doesnt't, find another processor.

I have information about PCI compliance at http://www.merchantservices.cc/merchant ... ompliance/

If you are considering taking credit cards through your website, look for a Server Integration Method (SIM) versus an Advanced Integration Method (AIM). The SIM method will have the transmission and processing of credit card data by a certified gateway rather than your own secure socket layer. The SIM method places the burden on the gateway, not the merchant. Most merchants using SIM are very happy as they can brand the checkout process with their logo and information, even though the transaction is actually occurring on a certified gateway URL.

We partner with eProcessing Network for our SIM solutions. It's inexpensive, very effective and their gateway interface has tremendous flexibility.

Lastly, PCI compliance fees from acquiring processors in general, get you nothing. They get increased top line revenue, in general, providing you with nothing in return. A brief article on these fees are at http://www.merchantservices.cc/news/don ... ance-fees/

Jon Perry
Linked In: http://www.linkedin.com/in/jonperry
Twitter: http://twitter.com/dfwcard
 

mamun01

New member
Oct 17, 2009
1
0
Visit site
I believe this is only if they collect the numbers themselves, most online businesses don't do this anymore and use third party merchants such as PayPal and so on...
 
Top