Credit Card Security for Your Association

By Aaron Wolowiec • November 5, 2012

By Amy Airhart, Guest Contributor

The term “PCI Compliance” generally elicits one of three responses: confusion, vague recognition, or mild panic. If that sounds like your organization, you are not alone. From the moment the Payment Card Industry Security Standards Council rolled out its credit card regulations, associations have been struggling with how to understand their meaning and how best to adhere to them.

What is PCI Compliance?

In 2006, the major credit card brands (Visa, Mastercard, Discover, American Express, and JCB) formed a security council. Its goals were to ensure the safety of cardholder data at all times and to reduce credit card fraud by developing a standardized set of regulations (the Payment Card Industry Data Security Standard, or PCI-DSS) that the entire credit card processing industry must follow. The standard applies to any business that processes, transmits, or stores credit card data. The bottom line is that if you accept credit card payments, you also accept responsibility for protecting sensitive cardholder information.

  • One of the biggest challenges for associations, with respect to PCI compliance, is moving beyond a “check-box” mentality.
  • Payment card data security standards are becoming mandatory in more and more states.
  • PCI compliance may not be law in your state yet, but its regulations are still enforced by the banks and by the card brands.

Is it the law?

The PCI-DSS is not federal law; however, several states have mandated compliance with many of its provisions. In 2007, Minnesota became one of the first states to adopt a set of enforceable standards that protect credit card data. Since then, Nevada, Washington, and Massachusetts have also adopted similar laws, and many other states are currently considering similar legislation. While it may not be law in your state yet, it most likely will be soon. Regardless, these regulations are still enforced by the banks and by the card brands (check with your merchant bank for additional deadlines). You may also be assessed a monthly non-compliance fee by your current merchant account provider.

How does PCI apply to my association?

Your day is already filled with mission-critical tasks, so taking on compliance is not something you want to think about. It’s understandable. Your association only processes a few credit card transactions a month, you have a trusted staff, and you use a compliant gateway for your transactions. Your credit card data is safe, right? Not exactly.

PCI compliance is actually composed of several key pieces: how credit cards are processed, who you use as service providers, and how you handle credit card information within the walls of your association office.

Think for a moment about how credit card data flows through your association. Do your members pay online? Do they fax credit card authorization forms to your office? Are there boxes of credit card numbers on registration forms in the back office? Those are just a few practical security points addressed by the Security Standards.

The good news is that implementing small changes can have a major impact on your security. There are guidelines in the PCI-DSS that address internet security and payment applications, and also ones that address how businesses handle credit card data on a physical level. Assessing your vulnerabilities is a great way to fix potential issues and educate your staff. According to some reports about data loss statistics, the majority of credit card fraud is caused by simple carelessness and theft. Office security policies that define procedures for changing passwords, storing information, and disposing of credit card data can make the difference between compliance and non-compliance.

Why now?

Until recently, most of the focus on credit card security has been on major retailers that process in excess of six million Visa transactions per year. All merchants, regardless of credit card processing volume, must now comply with the regulations. Failure to meet requirements can result in security breaches, costly fines, and forensic audits.

Accepting credit cards is a great way to offer a flexible payment option for your members and improve your cash flow, but it also means handling sensitive information that is very desirable to criminals. By following the Payment Card Industry Data Security Standard (PCI-DSS) guidelines, you greatly reduce your association’s vulnerability to a security breach. Most associations have found that taking steps to become PCI compliant is a productive, beneficial “housekeeping” exercise for their office.

Becoming PCI compliant sends a strong message to your staff, your members, and your Board of Directors that the association is doing its due diligence to protect sensitive member information. The PCI process can create a greater level of awareness with your staff and volunteers when they handle credit card information, limiting the potential for a security breach and ultimately reducing the overall liability exposure of your organization.

How does our organization become compliant?

There are several steps every merchant must complete to validate PCI Compliance:

  • Identify your validation type (this is based on how credit card transactions are processed).
  • Complete the SAQ (Self-Assessment Questionnaire).
  • If required for your validation type, provide evidence of a passing quarterly vulnerability scan from an approved scanning vendor.
  • Complete the Attestation of Compliance.
  • Submit the SAQ, the Attestation of Compliance, and evidence of a passing scan (if required) to your acquirer.
  • Create comprehensive security policies and procedures.

The association is compliant. Now what?

One of the biggest challenges associations face is moving beyond a “check-box” mentality when it comes to compliance. (“I have a Security Policy, check! I shred documents, check!”) To be truly PCI compliant, you need to not only be able to answer questions truthfully and accurately on your SAQ, but also be diligent in monitoring your association every day. If you have rock-solid policies and procedures in place, but only follow them four out of five days, it’s like having burglar bars on your windows and leaving the front door wide open.

Where do I go for help?

There are many PCI services and consultants that provide assistance with compliance. Questions to think about before selecting a company:

  • Do they understand associations and how they operate?
  • Will a live person be available to assist through the questionnaire?
  • How much does the program cost? (Prices range from about $95 to more than $1,000.)
  • Does the program include vulnerability and website scanning, or is it extra?

Regardless of how you choose to comply with PCI regulations, it is important to keep the ultimate goal in mind: protecting your members and your association. By taking the time to evaluate the flow of cardholder data through your association and addressing the security issues you find, you can achieve that goal.

Amy Airhart is the director of PCI Compliance for AffiniPay and has helped nearly 1,000 local, state and national associations achieve PCI compliance.
