Payment Card Industry Data Security Standard (PCI DSS).

I have received an email telling me that I have to have my website checked due to the new security standards that apparantly have been in place since October 2007 (I think). I have absolutely no idea what they are talking about. At the time, I was not processing credit cards via my website but am now. Can anyone tell me anything about this?

Uh, who is the sender of this email and how much are they charging to check the security of your site?

I found some links in Google about this including a page in Wikipedia.

The sender of the email appears to be M&T Bank, the bank that I have a merchant account with and they are telling me to call Security Metrics and the cost is about $150-$200 annually. The email goes on to tell me to check the visa and mastercard websites and I have been there and it is nothing but confusing. Since processing credit cards via our website is relatively new...since January, we have only processed about $300 that way since January. We have another merchant account that is in the office and people pay when they come into the office, with their credit card or over the phone. That merchant account processing is substantially larger at about $8,000 per month.

I appreciate your help. I will look at wikipedia and see if I understand the whole thing better.

Karen

PSI DSS (Payment Card Industry Data Security Standards) are real. PCI is an organization founded by the major card brands; Visa, MC, Amex, Disc, and JCB. Visa and MC have had security standards in place for a while. Visa called theirs CISP.

You have to comply or your merchant bank (M&T) will report you to PCI. There are fines and eventually exclusion from access to credit card clearing. I know this sounds ominous, but move your website to an organization that is PCI compliant. Let them deal with the compliance issues.

So my non-profit, the California Botanical Society, of which I am the volunteer treasurer, was notified by our merchant service provider that we have to complete our self-assessment questionnaire by June 28th.  I've read the guidance and learned we need only complete questionnaire SAQ B, because we only use a stand-alone dial-out terminal for our few credit card transactions. We keep no member credit card information in any electronic form, but we do have paper order forms, invoices, and credit card machine tapes that have cardholder data on them.   Since our "office staff" consists of a volunteer membership person, a volunteer corresponding secretary, and a work-study student, our processes are pretty informal and, of course, not documented in any way.  From my first reading, it looks like we need to do the following to become "compliant:"  (1) write an Information Security Policy states defines identification, handling, storage and destruction of cardholder data when it is no longer needed, and that we do not accept cardholder data by way of unencrypted e-mail,  (2) document that all cardholder data is kept in locked drawers when not in use, (3) verify that the keys that lock the drawers containing cardholder data are unique to our organization, and available only to persons with need to access the data, (4) buy a crosscut shredder to shred the order forms and machine tapes when we no longer need them.

Some of questions on the questionnaire are a little tricky.  It looks like they are worded so that if you say "Yes" to every one, then, Yes, you are compliant. For example, "9.7.2 Is the media sent by secured courier or other delivery method that can be accurately tracked?"  the obvious compliant answer would be Yes.  However, in our case I would answer, "No, we never send media with cardholder data anywhere."  Truthful, but the wrong answer for the questionnaire.  I was hoping for a place to explain answers. Has anyone been through the web form compliance questionnaire, and was there a place for explanations?

Finally, we have some work to do before we can give compliant answers to all the questions.  There is an option to giving truthful, non-compliant answers, and a date by which we can be compliant.  For us botanists who should all be out in the field from now until September or so, I'm tempted to say we can be compliant in 9-10 months. But, I wondering if anyone has completed the questionnaire with non-compliant status and a date for compliance, and what was the reaction from your merchant service provider?

 

 

I think it is important to note that PCI DSS compliance is one of several identity data protection areas that may impact non-profits.

I can tell you that PCI compliance is a real initiative that needs to be followed, even by Paypal or other 3rd party users.  Some real merchant account providers charge extra for a PCI program that they've implemented for their merchants (many more will in the future).  But at the least merchants need to find out from their processor is they are PCI compliant because it is not a fake program or scam, but a real initiative that's not backed by the government to ensure that card data is protected.

Any questions may be emailed to info@donorcharge.com or msinfo@merchantseek.com

Thanks,

Joe

 

Tomas. If you're self-reporting to your merchant bank, then by all means you want to report that you're PCI-compliant. Most PCI-approved QSA firms will have detailed forms with room for explanations in them. What these firms can also help you with is deciding whether or not certain requirements apply to your company (encryption, data hosting, etc). It's worth it to know that if some of the 12 requirements are N/A, you can state that (with a justification) and get out of having to do certain documentation.

PCI-compliance is a real thing that nonprofits have to be aware of, as many others have stated. We have a couple of articles that discuss new regulatory standards that nonprofits may have to adapt to (depending upon what they do online and what sort of client data is processed) that might be helpful to look at on this topic.

Many of PCI-compliance regulations also criss-cross with HIPAA compliance (Health Insurance Portability and Accountability Act) so you may need to look into whether your organization needs to comply with the new standards in place from both sets of regulations.

• An Introduction to Transport Layer Security (covers whether your site needs to have a higher security standard and how to implement SSL/TLS)
• In Search of HIPAA-Compliant Software (covers both HIPAA and PCI compliance issues)
• New Laws for Organizations that Accept Online Payments (reviews both PCI and HIPAA standards)
• A Few Good Methods for Processing Credit Cards (discusses payment methods and what to look for for PCI-compliance

Hope these are helpful in your quest for answers and compliance!