Many small online merchants don’t understand much about the powerful technology behind their e-commerce store or how vulnerable this technology is to being hacked. We rarely read about a small merchant's computer system being broken into, because the large ones are so much more spectacular. But some security experts now say it's not a question of if you will be hacked, it's when.
The Pain of Non-compliance
Small merchants with on-site credit card processing who are hacked and have not put PCI standards in place can be fined $20 to $30 for each stolen card number (up to $500,000). If the breach is large, they may also be required to undergo a forensic audit (the cost of which starts at $10,000), be subject to more stringent standards than other stores of their size and may be sued. In addition to the horrors of dealing with the original breach, this is enough to effectively wipe out any small merchant. By using off-site credit card processing, small merchants may avoid many of the hassles and security risks of on-site processing, because the merchant never touches the credit card information.
A Little Background Info
PCI (Payment Card Industry) Data Security Standards (DSS) were designed to be a baseline minimum standard for credit card security. The standard emerged in 2004 when five separate programs — Visa, Mastercard, Discover, American Express and JCB — were combined into a single standard. The group first turned its attention to large retailers processing many millions of transactions per year, dubbed Level 1 to Level 3 retailers. Now small merchants are in the spotlight, and the standards council has begun addressing Level 4 merchants, who represent the vast majority of online payment transactions. Level 4 small merchants are defined as those with fewer than 20,000 Visa transactions and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category. Starting October 1, 2009, credit card processors and their agents who accept Visa will begin de-certifying all vulnerable payment applications. This means many small merchants will suddenly receive notices that they can no longer accept credit cards unless they have begun steps toward PCI security compliance. The de-certifications must be completed within one year. The time to take action is now, before your store is de-certified.
What can you do to minimize the risk?
The easiest way for small businesses to begin compliance is to switch to an off-site, third-party credit card processor and not to store any personally identifiable information on their Web site. That information includes full track data (from the magnetic stripe), CVV2, CVC2 and CID codes (the three- and four-digit codes) and PIN data. If a business needs to store the cardholder's name, credit card number and expiration date, that data must either be secured internally or be stored remotely. Credit card tokenization, a remote storage technology, creates a unique customer ID (token) for each record; the token is then used to remotely initiate transactions or change customer files without the merchant ever handling any sensitive credit card data.
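The following is an added example, not code from the article or from any processor it mentions, that illustrates the off-site processing model from the section on non-compliance and the tokenization flow described just above. The `TokenVault` class is a constructed stand-in for the third-party processor's vault and is the only component that ever holds a full card number; the `MerchantStore` class is the small merchant's side and persists only a random token, the last four digits and the expiry. `scrub_for_storage` drops the data the article says must never be kept (track data, CVV2/CVC2/CID, PIN), and `holds_pan` is a hypothetical audit helper that checks the merchant's records for a leaked card number. The sample card number is the well-known `4111 1111 1111 1111` test value, not a real card.

```python
import re
import secrets
from dataclasses import dataclass, asdict

# Data the article lists as never to be stored after authorization:
# full track data, CVV2/CVC2/CID codes and PIN data.
SENSITIVE_AUTH_FIELDS = frozenset({"track_data", "cvv2", "cvc2", "cid", "pin"})


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) checksum used by card numbers; catches typos, not fraud."""
    digits = [int(c) for c in pan]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the off-site processor's vault (constructed for this example).
    It is the only component that ever holds a full card number (PAN)."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}  # token -> (pan, expiry)

    def tokenize(self, pan: str, expiry: str) -> str:
        # Random token, not derived from the PAN, so it cannot be reversed
        # and is useless anywhere except against this vault.
        token = "tok_" + secrets.token_urlsafe(18)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan, expiry = self._cards[token]
        # A real vault would forward pan/expiry to the card network here.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class CustomerRecord:
    """Everything the merchant is allowed to keep: no PAN, no CVV, no track data."""
    name: str
    token: str
    last4: str
    expiry: str


def scrub_for_storage(card_input: dict) -> dict:
    """Drop sensitive authentication data and reduce the PAN to its last four
    digits before anything is written to the merchant's own database."""
    kept = {k: v for k, v in card_input.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["last4"] = kept.pop("pan")[-4:]
    return kept


class MerchantStore:
    """The small merchant's side: talks to the vault, persists only tokens."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.customers: dict[str, CustomerRecord] = {}

    def save_card(self, customer_id: str, name: str, card_input: dict) -> CustomerRecord:
        pan = re.sub(r"\D", "", card_input["pan"])
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        # CVV and friends may be passed through to the processor at
        # authorization time, but they never reach the merchant's database.
        token = self.vault.tokenize(pan, card_input["expiry"])
        safe = scrub_for_storage({**card_input, "pan": pan})
        record = CustomerRecord(name=name, token=token,
                                last4=safe["last4"], expiry=safe["expiry"])
        self.customers[customer_id] = record
        return record

    def charge_customer(self, customer_id: str, amount_cents: int) -> dict:
        # Later charges reference the token only; the PAN is never re-entered.
        return self.vault.charge(self.customers[customer_id].token, amount_cents)

    def holds_pan(self, pan: str) -> bool:
        """Audit helper (hypothetical): does any persisted record contain this PAN?"""
        return any(pan in repr(asdict(r)) for r in self.customers.values())


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantStore(vault)
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test number.
    rec = store.save_card("cust-1", "A. Example",
                          {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv2": "123"})
    print(rec)
    print(store.charge_customer("cust-1", 2599))
    print("merchant DB holds PAN:", store.holds_pan("4111111111111111"))
```

The design choice that matters for compliance scope is that the token is random rather than derived from the card number: a leaked merchant database then yields nothing an attacker can use outside that one vault, and the merchant's own systems never see the full number after the initial hand-off to the processor.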
Regardless of a business's current situation, the cost of a breach can be enormous. A larger retailer will be able to weather the storm, but a smaller organization may not have the same financial depth, which means the consequences may be much more severe. So whether or not the required resources are readily available to pursue PCI compliance and proper data storage, it might not be a bad idea to make it a priority in your organization.