PCI DSS – Credit Card Compliance
What You Need to Know!
Identity theft is a major issue today. On August 6th, 2008, the Wall Street Journal’s headline read, “Federal prosecutors charged 11 men in five countries with orchestrating a high-tech operation that stole more than 40 million credit card numbers from U.S. retailers including TJX Cos., Barnes & Noble, Inc., Office Max, Inc., and Sports Authority.” More recently, financial institutions and payment processors have been breached as well. Because of these incidents, the major card brands have agreed on a common set of strict compliance requirements, the Payment Card Industry Data Security Standard (PCI DSS). Compliance with PCI DSS is not optional: every merchant that stores, processes or transmits cardholder data is required to comply.
The following sample security policy is provided for your convenience only, to assist you in developing a policy that addresses the security of cardholder information as required by PCI DSS. This sample is a template only; it is your responsibility to ensure that the security policy you implement meets all of your security needs.
In addition to complying with PCI DSS, you are also required to comply with all local, state and federal laws that apply to your business. One such law is the Fair and Accurate Credit Transactions Act (FACTA), which, among other things, restricts what cardholder data may be printed on receipts.
FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g).
It is every merchant’s responsibility to understand and comply with FACTA and, more generally, to protect customers’ cardholder information. Your business may also be subject to state laws that further restrict what may be printed on receipts, so check the laws of your state regularly. Evaluate your obligations under FACTA and all other applicable laws, and review your receipts to confirm that they comply.
Additionally, effective December 31, 2010, all merchants are required to truncate all but the last four digits of the customer’s card number, and to mask the expiration date, on the merchant’s copy of electronically printed receipts. This is stricter than FACTA’s customer-copy rule (last five digits), so printing only the last four digits and no expiration date on both copies satisfies both requirements.
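The two receipt rules above (no more than the last digits of the card number, and no expiration date, on a printed receipt) are mechanical enough to enforce and audit in code. The following is an added example, not part of the original policy document or any vendor's software. It assumes plain-text receipt lines, card numbers of 13 to 19 digits optionally split by spaces or dashes, and expiration dates printed as MM/YY or MM/YYYY; it also goes slightly beyond the text by using a Luhn check so that long order or reference numbers are not mistaken for card numbers. The sample receipt is constructed (4111 1111 1111 1111 is a well-known test number, not a real card).

```python
"""Receipt truncation helpers for the FACTA / card-brand receipt rules.

Added example, not part of the original policy document.  Assumptions (mine,
not the page's): receipts are plain-text lines; a PAN is 13 to 19 digits,
optionally split by single spaces or dashes; an expiration date is printed as
MM/YY or MM/YYYY.
"""
import re

# A candidate PAN: 13-19 digits, each optionally followed by a space or dash.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY that is not part of a longer date such as 08/06/2008.
EXPIRY_RE = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{4}|\d{2})(?![\d/])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; real PANs pass, most order/phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits (4 satisfies both the FACTA
    customer-copy rule and the merchant-copy rule).  Fails closed: a digit
    run that is not a Luhn-valid 13-19 digit number is masked entirely, so a
    mangled card number is never passed through in the clear.  Separators
    are dropped from the output."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_expiry(text: str) -> str:
    """Replace MM/YY or MM/YYYY expiration dates with asterisks."""
    return EXPIRY_RE.sub(lambda m: "**/" + "*" * len(m.group(2)), text)


def sanitize_receipt_line(line: str) -> str:
    """Apply both rules to one printed line."""
    return mask_expiry(PAN_RE.sub(lambda m: mask_pan(m.group(0)), line))


def sanitize_receipt(lines):
    return [sanitize_receipt_line(line) for line in lines]


def audit_receipt(lines):
    """Flag lines that would violate the rules if printed as-is.
    Only Luhn-valid digit runs count as PANs here, to keep the report quiet
    on long order or reference numbers.  Returns [(line_no, reason), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                findings.append((n, "unmasked PAN"))
        if EXPIRY_RE.search(line):
            findings.append((n, "unmasked expiration date"))
    return findings


# Constructed sample receipt (not real data; 4111... is a well-known test PAN).
RAW_RECEIPT = [
    "ACME HARDWARE  08/06/2008 14:32",
    "VISA 4111 1111 1111 1111",
    "EXP 12/25  AUTH 123456",
    "ORDER 20080806-1234",
    "TOTAL 42.17",
]

if __name__ == "__main__":
    print("violations before:", audit_receipt(RAW_RECEIPT))
    clean = sanitize_receipt(RAW_RECEIPT)
    print("\n".join(clean))
    print("violations after:", audit_receipt(clean))
```

Two design choices are worth noting. The masking side fails closed (any 13 to 19 digit run that is not a valid card number is blanked entirely), because hiding an order number by mistake is a nuisance while printing a card number by mistake is a reportable breach. The audit side, which you would run over receipt output from a point-of-sale system or a print log, uses the Luhn check to cut false positives so that a genuine finding is not buried in noise. The transaction date on the first line is deliberately left alone by the expiry pattern.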
You should ensure that your security policy not only complies with the requirements of PCI DSS, but also complies with FACTA and all other applicable laws.
For more information, please call 1.877.479.6649 or visit the PCI Security Standards Council website.
Self-Assessment Questionnaires
- Questionnaire A: Merchants whose transactions are processed by a third-party payment gateway, with no cardholder data stored, processed or transmitted on the merchant’s own systems.
- Questionnaire B: Merchants who process credit card transactions via stand-alone dial-out terminals.
- Questionnaire C: Merchants who process credit card transactions via payment application software on PCs at their locations, and who do not store cardholder data electronically at those locations.
- Questionnaire D: Merchants who process credit card transactions electronically and do store cardholder data electronically at their locations, and any merchant not eligible for A, B or C.
The eligibility criteria for each questionnaire are published by the PCI Security Standards Council; select the questionnaire whose criteria your environment actually meets, not the shortest one.