From 1st October 2009, all merchants processing fewer than 1 million transactions annually must either process card payments through a PCI DSS certified provider or provide certification of their own PCI DSS compliance to their acquirer. This mandate follows changes to Visa’s Account Information Security Programme.
Acquiring banks are required to report to Visa and Mastercard on all merchants with non-compliance issues. The resulting fines levied by the card schemes can be high: fines can be imposed daily, and a merchant's card processing facilities can be suspended if its system subsequently suffers a security breach.
A commonly held myth is that merchants need only complete a self-assessment questionnaire to become PCI compliant. Merchants using their own payment pages need to ensure that they comply with all twelve PCI DSS requirements, and quarterly scans of the business network are required wherever cardholder data is stored, transmitted or processed on that network. This also affects MOTO (mail order / telephone order) merchants that process card payments via a virtual terminal, even if they do not also process payments online.
More information can be found on the PCI Security Standards Council’s website. Merchants can contact their payment service providers, who should be able to offer advice based on the merchant’s payment processing package. PayPoint.net has also issued a guide to becoming PCI compliant, with information on the steps you need to take to meet the requirements.