Monday, November 23, 2009

PCI Compliance - what is the credit card industry up to now?

PCI Compliance for 82North and its Clients

This paper has been prepared with the 82North client in mind and uses the Personal Card Industry Data Security Standard information provided by various sources as noted.

PCI Compliance means that you have security measures and procedures in place as outlined for your level of merchant account and credit card data activity. This compliance has been required effective July 2007, though it has evolved and is slowly being implemented by merchant account providers (Independent Sales Organizations/ISOs).

There are four levels of merchant account activity, each requiring its own set of measurements and standards. Organizations with merchant account activity between 20,000 and 1,000,000 transactions per year are considered Level 4. This level, the lowest of the standards, means that those organizations can self-assess their security, but it does not mean the requirements for that security are any less.

Now that you have determined your Merchant Level, you need to determine which Self-Assessment Questionnaire (SAQ) fits your business model. Go to http://www.pcicomplianceguide.org/pcifaqs.php#4 or https://www.pcisecuritystandards.org/saq/index.shtml.

• SAQ-A is for merchants using 82North as the sole eCommerce solution who do not store or process credit cards any other way. 82North clients with no knucklebuster (hand swiper) or swipe machine can fill out SAQ-A.
• SAQ-B is for merchants using a knucklebuster ONLY (does not apply to 82North clients).
• SAQ-B is also for merchants who use a swipe terminal only (does not apply to 82North clients).
• SAQ-C is for those 82North clients who use the 82North service as well as a knucklebuster and/or a swipe machine.

As you know, those of you who have merchant accounts through Metro Merchant Services (MMS) are beginning to see requests for surveys which identify what type of merchant you are. If you use an online service, MMS is attaching an $8.90/mo fee to “certify” you as an online merchant. If you do not use 82North but only one swipe machine, you will incur a $4.95/mo fee. If you do not use 82North but have more than one swipe machine, you will incur the $8.90/mo fee.

This is the most important piece for you to understand – as a merchant account holder, you MUST certify yourself. If there is a data breach with your credit card activity, you can be fined!
“Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.”

In essence, your organization must implement security procedures to ensure any data you collect is safe and that you are PCI Compliant/Certified. However, if you do not store data in-house (i.e., you use 82North) you do NOT require a server scan.
But we aren’t finished there. As a merchant you must be certified, but the services you use must also be certified. This is where 82North and your online gateway come in. Remember, as an 82North client, you have three pieces to the puzzle - your merchant account, the online gateway and 82North as the web "portal":

1. You have the merchant account. Many of you hold it through MMS, but other merchant account providers are represented as well. You have to certify yourself as a merchant (those SAQ levels).
2. Your merchant account has an online gateway through which 82North authorizes and captures credit card transactions on your behalf. This online gateway must be certified as well. Metro Payment Gateway, the gateway MMS merchants use, is PCI Certified. If you use another online gateway, you must ask that gateway representative about their PCI certification – ask for nothing less than PCI Certified and make them prove it.
3. As an 82North client, you use 82North as your online transaction processor which also stores your credit card data. 82North must also be PCI Certified.
82North is now in the process of becoming PCI Certified. As a Shared Hosting Provider (SHP - we host your secure websites), 82North is required to complete SAQ-D. SAQ-D is for those SHPs who process between 20,000 and 1,000,000 transactions per year. 82North has determined that an upgrade to server hosting will have to be made and should be made by the end of 2009. To give you a sense of the effect on this service, hosting costs will now go from $2,500 per year to $14,400 per year, an 826% increase. Wow. No, the rates for 82North are not going up to match that hosting cost increase, but I share it with you to give you a sense of the magnitude of effect PCI Compliance has on a company like 82North.
There will be a few changes in the password requirements for the Administrative Interface. PCI Compliance requires a 7-character password combining numbers and letters which is changed every 30 days.
As for the 82North database and storage of credit card data, it has been compliant from Day 1. We do not store the entire card number and never have, nor do we save the CVN or PIN. From a software standpoint, 82North has always been PCI Compliant.
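To show what "not storing the entire number, the CVN or the PIN" looks like in practice, here is an added example (not 82North's code) of a storage sanitizer plus a scanner that catches a full card number that slipped into a database dump or log. The field names, the keep-last-four rule and the sample record are assumptions made for the example.

```python
import re

# Sensitive authentication data that must never be written after authorization.
# Field names are assumed for this example.
SAD_FIELDS = ("cvn", "pin")

def luhn_valid(digits: str) -> bool:
    """Luhn check: a 13-19 digit run that passes is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the card number; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "X" * (len(digits) - 4) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Return the only version of a transaction record that may hit the database:
    CVN/PIN dropped entirely, card number truncated."""
    stored = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in stored:
        stored["pan"] = truncate_pan(stored["pan"])
    return stored

# 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")

def find_full_pans(text: str) -> list:
    """Scan free text (a DB export, a log file) for Luhn-valid card numbers.
    A clean store returns an empty list."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

# Constructed sample record; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE = {"order": "A-1001", "pan": "4111 1111 1111 1111",
          "exp": "12/11", "cvn": "123", "amount": "45.00"}
```

Running find_full_pans over a nightly export is a cheap self-check that the truncation rule is actually being applied everywhere, not just in the code path you remember.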

In summary, what does PCI Certification and Compliance mean to you?
1. You have to fill out the MMS survey when they ask you to, and yes, pay the fee.
2. You have the choice to complete the SAQ which corresponds to your activity and become PCI Certified as a merchant. Once you do this, your certification letter can be sent to MMS and they will eliminate the fee. Self-certification costs nothing but your time, and I heartily recommend it.
3. In order to remain as value-based as it has, 82North requests that you send referrals! The best way to cover the increased costs of the PCI Certified servers is to increase revenue.
This is a major fork in the road for 82North, the third one since starting up in 2004. The first was redoing the software, the second was personally guaranteeing the merchant account activity in 2005 when you were no longer allowed to use the 82North merchant account, and now we have the PCI Certification issue. 82North has shown itself to be committed to providing a cost-effective service for your needs. This new world of secure data continues to evolve, and 82North continues to do the research so you are better informed – and stays nimble enough to quickly evolve with the industry!
These requirements do not apply to DonorMarket clients, but are shared for your information. You DO have the responsibility to have secure procedures in place for any cardholder data. Consider filling out a SAQ-A for yourselves, though no need to send it anywhere.

As always, please contact 82North with any questions you have: EMoran@82North.com, 800-979-0082, 302-425-3658
Thank you for what you all do for your community!

3 comments:

Anonymous said...

So it is now March 2010. Is 82North PCI compliant now?

betsey said...

Thank you for asking, Anonymous. Yes, 82North and DonorMarket are PCI Compliant. After significant conversations with experts in the field, 82North has taken the lead in ensuring your customers' data security.

betsey said...

Thank you, Naima, for the chance to remind everyone that I, too, am an agent... for Metro Merchant Services based in Delaware, providing merchant accounts, check collection services and bank account drafts. Combined with the online capability of 82North, there is no limit to what you can do online!