P.O. Box 96041
Southlake, TX 76092

(817) 235-4200
As bankers, you are all too familiar with the acronym PCI, short for Payment Card Industry, and its Data Security Standards.

Financial Institutions have had to completely upgrade their systems and processes to secure financial data and protect against data breaches.

PCI compliance is now being required of merchants, all merchants. PCI compliance requirements actually started a few years ago with the largest merchants and have been gradually implemented for progressively smaller merchants. By July 2010, ALL merchants must certify that they are PCI compliant or they will not be able to accept credit card transactions.

Visa, MasterCard, and Discover are requiring all processors to obtain these PCI certifications from the merchants they process for, no later than July 2010. Fraud in our industry is too great to leave even the smallest merchant in an unprotected state.

Needless to say, this is a big undertaking. Along with First Data, we will be introducing these PCI compliance requirements and a service to assist with the process. Here are the specifics:

What is PCI Compliance?
The merchant must complete the appropriate Self Assessment Questionnaire together with a Qualified Security Assessor. The merchant must also sign this Self Assessment document and list action items if they are determined to be non-compliant. There are five different questionnaires based on how the merchant conducts business. The Self Assessment Questionnaire must be completed, signed, and submitted annually.

In addition to the Self Assessment, merchants whose credit card system uses the internet (like a POS system or an online processing application) must contract with an independent Approved Scanning Vendor to conduct quarterly security scans of their network to ensure their network cannot be penetrated and there is no card data in the clear. For more information on PCI DSS visit https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

Our Service Offering
Along with First Data, we have contracted with Security Metrics, Inc. to help all of our clients achieve PCI compliance before the July 2010 deadline and on an ongoing basis after July 2010. Security Metrics is a leader in the PCI compliance industry and is both a Qualified Security Assessor and an Approved Scanning Vendor. Security Metrics' service offers the following:

  • Ongoing PCI and Security communications to the merchant
  • Web site where our merchants can go to obtain the appropriate questionnaire and completion guidance
  • A 24×7 professional help desk to answer questions and help the merchant complete their self assessment questionnaire/certification
  • Scheduled quarterly scans to fulfill the Network Penetration tests
  • Tracking and reporting of the merchant's compliance status reported to the card associations

Cost of Service
The fee for this service is $79 annually (a good value given the scope and depth of the offering). This price includes all of the services listed above.

Timing
Letters will be sent directly to all of our merchant clients around August 1, 2009. These letters will explain PCI, detail the requirements for compliance, and outline the service offering to help meet the requirements.

The $79 service charge will be assessed in September and show on the September invoice received by the Merchant in October.

Non-Compliance
The merchant will be given five months to respond and complete the necessary actions to comply. Security Metrics will send letters every month until the merchant responds. For each month that they do not comply (after the five-month period) they will be charged a $19.99 non-compliance fee.

Patriot FSP, coordinating with you, our bank partner, will also communicate directly, by telephone if necessary, to make sure the merchant is doing what they need to do to become compliant and avoid non-compliance fees.

There is the risk of significant financial penalties should our merchants not certify their compliance and encounter a data breach. Beyond financial penalties, reputation risks could ruin their business. If cardholders believe or learn that their card data was obtained from a specific merchant, business will suffer.

Summary
The cost of card acceptance has continued to increase due to the accelerating fraud experienced in payment processing. You as a financial institution are taking the hit for much of this fraud. Every time there is a card breach, you have to re-issue (or at least consider re-issuing) that card. The process of moving our merchant base to a secure operating environment is a painful but very necessary action needed to reduce fraud and, ultimately, bring down the cost of card-based processing.