Saturday, January 26, 2013

PCI Compliance for Small Businesses

I've researched and written before about PCI compliance for a level 3 vendor (back in 2009). This time I'm trying to get a sense of the general situation for small-business PCI compliance.

As background, it seems like everyone takes credit cards these days. Between PayPal helping people take credit cards and the little attachments for our smartphones, it seems like a routine activity that carries no special obligations or concerns. But this is not true. There are clear lines that companies cross as they start taking credit cards for payment, and once these lines are crossed, there are additional legal obligations to maintain security, along with additional financial risk.

The rules are developed and described on the website of the PCI Security Standards Council. The council was founded and is run by the credit card companies, specifically American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., to have a joint system for security.

Small Merchants

You must secure cardholder data to meet Payment Card Industry rules! Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale. If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!


I'm in the SAQ category of "card not present": A

The PCI site then has a self-assessment questionnaire which should be filled out and submitted. Here's a critical part of the intro:
Once filled out, the self-assessment questionnaire should be submitted to the acquirer. My acquirer has never asked for one. It's not clear to me how often I'm supposed to submit it.  And when I've asked around, I've never found another online retailer who has ever heard of or filled out this questionnaire. Any thoughts anybody?
----
Plusbyems, thanks for your great response and the call-out. Here's a live link to your post: http://plusbyems.wordpress.com/2013/01/28/in-response-to-our-friends-at-credit-cards-online-101-on-pci-compliance/

Credit card disputes - New York Times


This morning's NYT has a long, informative article on disputes. Although I'm deeply involved with businesses that are 80% paid for by consumer cards, I learned a bit about how the banks think about and deal with chargeback requests. It turns out to be an expensive and difficult process for them too.

Here are some excerpts from "Disputing a Charge on Your Credit Card":

If you have ever disputed a charge with your debit or credit card company, you know what a potent weapon this type of complaint can be. The card issuer generally takes your word against the merchant or service provider at the outset, restores the money to your bank account temporarily or issues a credit and then goes about its investigation. It essentially demands that the merchant or service provider who supposedly did you wrong prove that it did no wrong at all....You have had the legal right to correct these mistakes ever since 1975, when the Fair Credit Billing Act went into effect. The law dictates that there be a process by which you can question unauthorized charges, billing errors and transactions involving goods or services you never received or merchants did not deliver in the way they were supposed to....
This creates problems for merchants. Plenty of people pretend that they never received products that were supposed to arrive by mail and then dispute the charge, hoping their card company won’t be able to figure out that they are liars and thieves.
The rest require a lot of manual labor. Every time someone initiates a dispute, the bank that issued the card must look into it. Someone has to contact the merchant and wait for a reply that may include a receipt or other documentation.
Merchants must carve out time to respond to each dispute. They also pay one-time fees for the privilege and may end up paying higher overall fees to accept cards if disputes are too frequent. Or they just get cut off from accepting cards altogether....many banks will simply absorb the disputed charge on a consumer’s bill and never contact the merchant if it is below a certain threshold.
That number will differ for every bank, though it probably averages around $25. Some large retailers, it turns out, have similar strategies, according to a 2009 Government Accountability Office report. So even if the bank contacts a merchant about the dispute, the merchant may allow the customer to win the dispute without bothering to investigate the complaint. The report did not say what the threshold was, and the G.A.O. is not permitted to identify the retailers it spoke to.
...“When you go to a bank’s Web site and you see a button that says, ‘Dispute This Transaction,’ it doesn’t say that this is going to hurt the merchant and could actually increase the costs of buying a service from this business,” she said. “It just tells you that there’s a quick and easy way to cancel your subscription right here. And you can get a refund! If you don’t want to pay your whole bill, just click on this button.”
...The proprietors at Enchanted Attire, an online clothing retailer, wish to inform you that “you agree not to file a credit card or debit card chargeback with regard to any purchase” and that “in the event that a chargeback is placed or threatened on a purchase, we also reserve the right to report the incident for inclusion in chargeback abuser database(s) of our choosing.” Oh, and by the way, “being listed on such databases may make it more difficult or even impossible for you to use (any of) your credit card(s) on future purchases with us or other merchants.”
Movers have been known to do this, too. This violates Visa’s and MasterCard’s rules, for starters, and none of the experts I spoke with this week knew of anyone keeping a database for this purpose that merchants could contribute to and that other merchants could gain access to.
Very interesting article. I think there should be a database of consumer repeat offenders. We find that 99% of the people who deal with us do so with integrity and good intentions. We certainly try to deal with them that way. But a few times each year, we realize that someone has been working and scamming us with repeated calls and approaches which result in us cancelling or refunding their bills. Eventually, when we realize that we have a customer committed to getting service without paying us, we refund ALL of the money that they've ever paid us and ban them from our service. I'm not sure how the dollars and cents actually work out, but it does wonders for the morale of our service center.