Compliance rules are in place to help the players in the merchant services industry reduce the frequency and impact of card-related data breaches. These players include credit card issuers, acquirers, processors, and merchants. Each has a role to help maintain the security and integrity of credit card transactions and help prevent fraud that adds an enormous expense to all players.
Payment Card Industry (PCI) compliance has been a struggle for many merchants. Recent changes have stated that Level 4 merchants may only use PCI-certified qualified integrators and resellers (QIRs) for point-of-sale (POS) applications and must conduct annual PCI compliance assessments. PCI Self-Assessment Questionnaires (SAQs) have been more common for merchants in recently years, but QIRs is a new element for merchants to understand.
Level 4 merchants can generally be classified as ‘small business merchants’ and defined as merchants processing fewer than 20,000 transactions a year or under $1 million annually in volume. Small businesses have fewer resources and time to focus on preventing credit card fraud. Those that use point-of-sale (POS) systems for card processing are a target of hackers attempting to compromise payment data. Often the security gap occurs in remote access that integrators and resellers use to provide monitoring and shared remote access IDs without regular password changes. The PCI QIR program has been designed to improve security by proper configuration and implementation of payment applications, thus mitigating the risk of a hacker gaining access to the payment data.
The compliance questionnaire has been around for several years, and merchants are becoming more familiar with this step. The self-assessment questionnaire is usually provided by a third-party and guides the merchant through several questions about their payment processing. First, the SAQ determines what methods a merchant uses to accept credit card payments (payment terminal, virtual terminal, mobile…) Then, the SAQ continues with questions to confirm the merchant is following best practices in each environment to reduce credit card fraud and security breaches. Additionally, if the merchant processes through the internet, a quarterly vulnerability scan should be run on the environment to ensure protection from outside sources. The scan should be from an Approved Scanning Vendor (ASV) and is often provided by the third-party providing the self-assessment questionnaire.
Merchants may view the PCI Compliance SAQ and scan to be more of an annoyance and just something to mark of the checklist. But, merchants should take their time going through the process and be sure to set up the policies and procedures to protect the security of their environment. By documenting the policies and keeping them up to date, the merchant has them available for employees for training and understand the steps to take if a problem arises. Many of the items noted to protect card data security are also applicable to overall security for the merchant, i.e. updating vendor releases, computer security patches, and changing passwords.
Jennifer Autian is the founder of TCA Business Solutions and an independent representative of merchant services. To learn more about PCI Compliance for merchants or explore other payment processing options, connect with her at 678-523-8760 or by email at Jennifer@tcabiz.com.