The Payment Card Industry sets the standard for how merchants handle credit card data. The Industry is composed of the 5 major credit card companies: Visa, MasterCard, American Express, Discover and Japan Card (JCB). These companies carry a large amount of risk on behalf of their cardholders and, due to the increase in fraud and theft, the PCI Council mandated better handling practices at the merchant level. The merchant actually agreed to these terms when they signed the contract to accept credit cards. However, many merchants have not been complying with the terms of their contract, which has contributed to the fraud and theft that we see today.
Therefore, the PCI Council has set forth the PCI Compliance program to ensure better handling practices are being adhered to. Every merchant must prove that they are compliant. Proof must be validated by an Approved Scanning Vendor. Compliance includes the following areas of each business:
- Secure terminals
- Truncating credit card numbers on all print-outs
- Triple DES encrypted PIN pads
- Secure internet shopping carts
- Firewalls in place on computers
- Secure data storage if they are storing information
- Properly disposing of sensitive information if they are not storing it
- Staff accountability
Many of our merchants use a computer to process. They must understand the importance of computer security. That’s why periodic scanning is mandated by the Industry, and that takes more time, hence the higher cost.
Each merchant must accept the responsibility of maintaining a secure atmosphere at the point of sale. All of these issues will be addressed in the Self-Assessment Questionnaire.
Metro Merchant Services partnered with Control Scan to make this process as easy as possible. There are several companies who are approved by the PCI Council. We chose Control Scan because of their commitment to customer service and their reasonable rates. Each merchant will receive an email containing a link to a website, along with a user name and password. A phone number is also included. The Self-Assessment Questionnaire will be found on this website. After submitting the SAQ, the merchant will be evaluated and will receive either a certificate of compliance or a list of what needs to be corrected. If they are not compliant, they will have 30 days from receiving the list to correct the non-compliant issues.
The cost breaks down like this: Every merchant will be charged $4.95 per month, regardless of how they process. For merchants with terminals, this is the only cost. Merchants processing through a computer (software, gateway, virtual terminal) will be charged an additional $3.95 per month.
- Merchants using one or more terminals: $4.95 per month
- Merchants using computers: $8.90 per month
- Merchants using both: $8.90 per month
Merchants with more than one location have the following options:
1. They can keep each location separate
   - Each location will be charged the compliance fee according to what type of processing equipment they use
   - Each location will be assessed individually
   - If there is a data breach, only the location in question will be subject to fines
2. They can roll everything into the corporate location
   - They will be charged one fee for their processing, either $4.95 or $8.90
   - They will be treated as one unit
   - If there is a data breach, each credit card company can fine them per location
     - If there are 10 locations and they each take MC/Visa, they will be subject to as much as a $300,000 fine ($15,000 per card type per location)
The Merchant can choose whatever option they feel meets their needs; however, in a data breach situation, we have no control over how the fines are assessed or charged to the merchant. If all locations are rolled under the corporate location, the merchant runs the risk of being assessed fines for each location instead of just the location that had the breach.
For more information on PCI Compliance, visit the main website: https://www.pcisecuritystandards.org
Thank you for supporting our program.


