Your most valuable asset, and your most vulnerable one, is your ability to get paid. If you cannot get paid for your services or goods, then you are out of business. For most of us that means accepting “plastic.”
The ability to accept credit cards is becoming more difficult and uncertain. Rules, regulations and merchant responsibilities are changing rapidly. Due to legitimate concerns regarding fraud, identity theft and money laundering, the federal and state governments as well as the card brands have instituted or enacted a growing series of regulations.
Failure to comply will put you at risk for severe monetary fines and civil penalties, or may lead to the termination of your ability to accept cards. In the most egregious cases, failure may lead to felony prosecution.
There are concrete measures you can take to protect yourself. First, understand your operation. Second, understand the rules and regulations that you fall under and, finally, put in place those measures necessary to cure any shortcomings.
Understand your operation. Every merchant needs to understand the basic characteristics of its business. These include how products are sold, for example via the Internet or via catalog.
What are the requirements to fulfill orders? When do I actually charge clients for goods or services? What are the specifics of the return policies? How many transactions are processed monthly by platform, card type and brand? What is the average ticket for my goods or services? What percentage of my payments are foreign? The list goes on.
Understand the rules and regulations. Every merchant needs to understand in detail PCI: the Payment Card Industry Data Security Standard. PCI applies to every merchant that accepts credit cards. No exceptions. Review the requirements, which are published in many places and change regularly. Determine which merchant category you are in, but remember that you can be made a category 1 merchant by having a security breach of any type or by the unilateral determination of any card brand.
Understand whether you must comply with the rules of the Patriot Act or Gramm-Leach-Bliley. Understand, outside of federal reporting and card brand reporting requirements, whether your state has reporting requirements if you have a security breach. More than 40 states do.
Understand your shortcomings. Honestly answer a self-assessment questionnaire, available at Web sites including those of Visa and MasterCard. Are there questions you cannot answer? Are there questions to which you have to answer “no”? Well, that is the point of the assessment: to guide you to your vulnerabilities.
Once you identify these areas of concern, remediate them appropriately. If you think you cannot do this yourself, and, by the way, you cannot do your own required penetration scans, then seek professional assistance. We all must work continuously and diligently to preserve the electronic payment system from abuse and attack. Those who do not will be removed.