Original URL: http://www.theregister.co.uk/2010/06/30/pci_compliance/
Visa tightens rules for small sellers
You have 24 hours to comply
From tomorrow small businesses that take credit card payments will be obliged to enrol in the credit card industry's Payment Card Industry Data Security Standard (PCI DSS) compliance programme.
From 1 July small and medium enterprises using electronic point of sale terminals and e-commerce systems need to reach basic compliance with an entry-level version of the standard or face higher merchant fees or, in extreme cases such as in the aftermath of security breaches, the withdrawal of merchant statuses.
Larger firms need to comply with the full versions of the PCI DSS standard by 30 September.
The latest (v1.2) objectives for PCI DSS compliance cover 12 requirements, written by the payment card industry, for the safe processing of credit and debit card transactions.
Requirements include a mandate to build a secure network and protect cardholder data. Compliance is achieved by self-assessment for mom and pop shops processing less than 20,000 e-commerce transactions a year and compulsory external audits for e-commerce heavyweights.
The PCI Security Standards Council website has a number of resources available to merchants and service providers, including a self-assessment questionnaire, which firms can use to understand how card security rules might affect them. "By using the range of self-help files and questionnaires on the PCI council's Web site, companies can save themselves a lot of expensive legwork in terms of pre-compliance procedures," said Jeff LoSapio, security practice manager for application security specialist Fortify.
"Through adoption of a best practice approach, companies can actually save themselves money in the longer term, and may even avoid the need to hire an expensive consultant who may not actually tell their board anything extra that their IT department doesn't know already," he added. ®