DATA SECURITY
When a credit card is presented for payment, the Payment Card Industry (PCI) data security standard, in force since June 30, 2005, applies.
In essence, all companies that accept credit cards (high-risk merchant accounts included) must, among other requirements, encrypt card data in storage and in transit, run regular network vulnerability scans, and actively monitor all transactions and access to cardholder data.
The acquiring banks, which are the ones that authorize merchants to accept credit cards, must also follow the PCI standards and see that their merchants do. Failure to do so can bring fines of up to $500,000 per occurrence.
An outstanding issue is compliance itself. Compliance is usually established by self-assessment, but it should be verified by a third-party audit.
At present, only merchants that process more than six million transactions a year are required to undergo an annual independent audit; all other merchants answer a simple yes-or-no self-assessment questionnaire.
That raises the question: how do you know the merchant is telling the truth? Clearly, more controls are needed.
According to Protegrity Inc., a Stamford, Conn.-based data security vendor, more than half of the respondents to its questionnaire said they would fail an audit because they do not understand the PCI requirements.
Another open point is which penalties are assessed, and when. Vagueness has to be removed from the industry, and strict attention must be paid to the PCI standards. Once that begins to happen, more responsible and positive feedback will come from the members.
PCI has established a solid basis for a good start. Growth must continue from this point forward for a healthy and viable data security environment.