For the past 5 years or so, we have seen an increase on the number of service requests about something called PCI. In a nutshell: client gets email from PCI/his-her bank or merchant provider, client thinks it’s spam, client defaults compliance without knowing it.
What is PCI? The Payment Card Industry Data Security Standards (PCI DSS) are designed to provide merchants a single set of requirements for safeguarding sensitive data. These standards have been adopted by all the card brands in conjunction with the PCI DSS. The standards require that all merchants (regardless of their size or type of payment system) that store, process, transmit or have access to cardholder data must be in compliance to protect that data. (Source: Chase)
Here’s where the issue stops being a bookkeeping/accounting matter and becomes a complex and perplexing IT ordeal: clients usually get a link or a (very long) PDF file containing an extensive questionnaire about how they store and keep Personal Account Numbers or PANs a.k.a. credit card numbers. Questions like “do you use load balancers?”, “what kind of encryption your business uses?” “when was the last time you ran a vulnerability scan?” and the list goes on an on. Needless to say, our clients try to complete these as much as they can but, in our experience, they don’t get too far when the super geek mumbo jumbo kicks in.
Here’s how a typical PCI dashboard from a solution provider looks like:
Business that take credit card payments must comply. In Canada, big players like Moneris and TD Bank offer a suite of services to help large business with multiple locations to manager their PCI Compliance. Small business owners usually work with their IT service providers in getting compliant. Businesses are required to get a “seal of approval” once a year.
For more information, the PCI Security Standards Council has an excellent website that provides very useful information about how to protect your data: https://www.pcisecuritystandards.org/merchants/