Merchants Face Deadline for Data Safety
jestep
04-25-2005, 11:10 AM
Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud.
The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The standard sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates such as the need to implement formal security policies and vulnerability management programs.
http://www.computerworld.com/industrytopics/retail/story/0,10801,101312,00.html
GiftsForYouBiz
06-27-2005, 11:54 PM
Hmmm, I'm just becoming aware of this little factoid ... my shopping cart host (mals-e) is now compliant and a reseller for ScanAlert.
But then, this message has been up for a month and a half, with no replies. Is there another thread somewhere that everyone hoarded to? Is this a hot air balloon that no one takes stock in, and not even worthy of conversation? Was everyone else already compliant, or did everyone rush to get compliant and it was so easy they just went back to their Google conversations without a second thought?
Unless you missed it, I'm a bit lost here. From what I understand, larger corporations were already pinned to this compliance standard, and the little guys now have to suit up as well.
According to what I've read, although I don't store credit card information and I only do 4-5 sales per week on average, just for the fact that it passes through me from my shopping cart vendor to my payment processor, I'm to be held accountable by this standard just as a Honda Dealership would be.
Am I missing something? Is this a no brainer and I'm having a brain freeze?
brian.mark
06-28-2005, 12:28 AM
ScanAlert makes the reports for you if you subscribe. The biggest thing is data security. You have to also have a self-assessment done, which basically is a document saying that we know that we're handling sensitive data and this is how we're protecting it, and we've done background checks on anyone that is handling that data.
If you're a ScanAlert subscriber, it takes a few minutes most of the time. If you're not, it can take a few days. Keeping up to date on the server security doesn't sound like it's going to be a problem if your host is a ScanAlert reseller, so you're going to mostly have to worry about the internal side of things.
Brian.
GiftsForYouBiz
06-28-2005, 12:37 AM
My shopping cart host is ScanAlert-ready. Not sure about ProPay, but I'm sure if they're not, they will be. Problem for me is my web host (who hosts my domain). They're not quite compliant, and don't believe that this compliance standard is being mandated for smaller companies that don't produce a certain level of transactions or revenue. Therefore, I'm not too sure they'll be bending over backwards to get there.
This wouldn't be too big a deal if my domain wasn't part of the security checks. I didn't think it would be because it never sees 'any' credit card/sensitive data. But the big umbrella standard says that my domain has to be checked too because there's only one standard that suits all cases, and although I appear to be a minority, I'm not an exception. But my customer's sensitive data goes from Mals-e directly over to ProPay (via me, yes, but not my web site).
I'm just surprised I haven't seen more chit-chat on this.
brian.mark
06-28-2005, 12:43 AM
I saw a few a while back, but the general idea was "They won't have time to look at little ol' me." It's mainly mid-sized merchants like ourselves that have taken it seriously. With our 40 employees (yes, we trimmed a few lately), we're not falling under the radar of nearly as many service providers and laws.
Many of the smaller merchants seem to be ignoring it yet. That's really too bad, as they're usually the easier targets for hackers due to smaller IT staff and no security officer in place.
Brian.
GiftsForYouBiz
06-28-2005, 01:00 AM
Many of the smaller merchants seem to be ignoring it yet. That's really too bad, as they're usually the easier targets for hackers due to smaller IT staff and no security officer in place.
Guess that's got to be it. Makes perfect sense now. I knew it was a brain freeze ;)
GiftsForYouBiz
06-28-2005, 10:29 AM
Here's the real deal, direct from Visa:
----- Interpreted from VISA -----
http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=il|/business/accepting_visa/ops_risk_management/cisp.html|Merchants
Merchant Level 4* = Any merchant processing fewer than 20,000 Visa e-commerce transactions per year
Validation Action: Annual Self-Assessment Questionnaire (Recommended)
Validated By: Merchant
Validation Action: Network Scan (Recommended)
Validated By: Qualified Independent Scan Vendor
Due Date: TBD
*Level 4 merchants must comply with CISP (which is based on the PCI framework); however, compliance validation for merchants in this category will be determined at the acquirer's discretion.
brian.mark
06-28-2005, 11:45 AM
We don't fit there. We've done well over 20,000 this year already. That's probably why our merchant account providers called as soon as the announcement was made that there was a due date. We got them the info they needed within 20 minutes, so I haven't heard from either of them since.
Brian.