If your company takes payment from customers using debit or credit cards, you should know that there is a complicated set of rules surrounding how these cards (collectively called “payment cards”) are to be handled by you, the merchant.
PCI Security Standards Council
In order to help standardize global rules on how to maintain payment card security, the payment card industry’s five largest players (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and VISA) formed a company called “PCI Security Standards Council”.
The Council simply ensures that standardized rules exist, and helps with documentation and training. It does not enforce the rules – that job remains with the individual payment card companies and their merchant agreements.
Their website is https://www.pcisecuritystandards.org/merchants/index.php, and it includes all of the standards you need to know for handling your payment cards.
The core of the PCI requirements is called the “PCI Data Security Standard” (PCI-DSS). The website defines the DSS as follows: “The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.”
There is a link on the Merchant’s page that is called the “Quick Reference Guide” which is described as a convenient guide to the standards. When you click on it, you get a listing of 27 different documents with acronym-loaded names.
The rules, and the documentation, are extensive and technical. In fact, the extent and complexity of the documentation easily sends the message that “help is needed” to ensure your organization understands all of these requirements.
The FAQs will hint at some of the basics for your company: do not email a credit card number; lock up paper records with card numbers on them; use encryption for ERP and online card processes. It is also clear that the rules become most demanding where e-commerce is concerned.
Small Company 911
If you are a credit manager in a medium to large-sized company, likely someone has done this work. Check with IT, accounting or your privacy officer if you are not the person who is responsible for this work.
If you are a small company that takes payment on cards but does not have extensive internal resources, you have some options that do not necessarily involve hiring an expensive consultant.
Your merchant card services provider can assist you with compliance, as they are fully compliant (or should be!) with PCI Standards and are usually audited by the card companies on a regular basis. Companies like MTS Allstream in Manitoba also offer training and consulting services. Your bank or credit union is also a resource you can consult. These companies can offer help in ensuring that you are compliant, and if you are getting into e-commerce and online payments, often have the right products and software to deploy right on your website.
PCI Standards are an important but complicated area of business. As credit manager you have everything to lose if your processes do not meet the standard. If internal staff do not know, reach out to your business partners and make sure you comply. Your company will thank you for it!