Treat your customers' card data as you would want others to treat yours.

If you have a merchant account, protecting your customers' credit card data has always been your obligation, but until now you probably never had to prove it. If you have ever had a payment card of your own compromised, you know why you want every merchant to be compliant: it gives your card number a fighting chance of staying private. It is also sobering to realize that credit card fraud funds organized crime and terrorism around the world (psst: because so far, it has been a cakewalk for the fraudsters).


An unstoppable freight train is about to plow through your building (if it hasn't already), and the residual damage is up to you! PCI DSS (the Payment Card Industry Data Security Standard) and Visa's CISP (Cardholder Information Security Program) are directly affecting small and large merchants alike as the train makes its way through the business community. Merchants are being brought on board in order of assessed risk (your merchant level, which is set by your annual transaction volume), and the consequences of non-compliance are severe (not to mention the "it's the right thing to do" factor).


Particularly in the rental unit business, where a reservation by its nature contains detailed personal information, the storage of that data is a critical issue. The credit card portion of that data is so hot that you do not even want to store it if it is at all humanly possible to avoid doing so. At the very least, never store the CVV2/CVC2 security code or the full magnetic-stripe data once a charge has been authorized, and keep no more of the card number than the last four digits; that is what the standard allows you to keep, and it is enough to identify a card to a guest over the phone.
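As an added example (this is not code from the original post or from TheCompanySoftware), here is how a reservation system might apply that advice in practice: drop the fields PCI DSS forbids storing after authorization (CVV2, full track data), keep only the last four digits of the card number, and scan free-text notes for card numbers that staff may have typed in. The field names, record layout and sample data are constructed for this example; the Luhn check-digit test and the truncation rule are the real ones.

```python
"""Added example: reduce a reservation record to what may be stored at rest.

Assumptions (mine, not the original post's): a reservation is a dict with
the field names used below; PCI DSS permits keeping a truncated card number
(here, the last four digits), cardholder name and expiry; CVV2 and full
track data must never be kept after authorization.
"""
import re

# A candidate card number: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields that PCI DSS says must not be stored once the charge is authorized.
FORBIDDEN_FIELDS = ("cvv2", "track_data", "pin")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out most random digit runs
    (confirmation numbers, phone numbers) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask everything but the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text: str):
    """Replace every Luhn-valid card number in free text with its masked form.
    Returns (scrubbed_text, number_of_card_numbers_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # not a card number; leave it alone
        found += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), found


def sanitize_reservation(reservation: dict) -> dict:
    """Return a copy of the reservation that is safe to write to disk:
    forbidden fields removed, card number truncated, notes scrubbed."""
    safe = dict(reservation)
    for field in FORBIDDEN_FIELDS:
        safe.pop(field, None)
    if "pan" in safe:
        safe["pan_last4"] = mask_pan(safe.pop("pan"))[-4:]
    if "notes" in safe:
        safe["notes"], _ = scrub_text(safe["notes"])
    return safe


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a standard test number.
    booking = {
        "guest": "A. Nelson",
        "pan": "4111 1111 1111 1111",
        "expiry": "12/09",
        "cvv2": "123",
        "notes": "Guest re-read card 4111-1111-1111-1111 by phone; "
                 "confirmation 1234 5678 9012 3456",
    }
    print(sanitize_reservation(booking))
```

The Luhn test matters: without it the scrubber would also mask the 16-digit confirmation number in the sample notes, and staff would quickly learn to distrust it. The free-text scan is the part most small merchants skip, and it is exactly where card numbers end up when a guest reads one over the phone.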


Alas, you may think compliance only has to do with software. Get ready to re-think that idea, because the standard also covers your people, your paperwork and your premises: who can look over the shoulder of your personnel while they are handling sensitive data, how paper records are locked up and destroyed, and who has access to the network your payment software runs on.


Interesting, applicable links to help you sort through the conundrum:

  • Don't Store Data if You Can Help It
    ~ corporate.visa.com/md/nr/press667.jsp

  • What You Have To Do To Be PCI Compliant (the PCI DSS itself, version 1.1)
    ~ https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

  • Merchant Levels Defined
    ~ usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2

  • Level 4 Merchant Compliance Program Requirements (by the way, this is probably YOU)
    ~ usa.visa.com/download/merchants/level_4_merchant_compliance.pdf?it=c|/merchants/risk_management/cisp_alerts.html|Level%204%20Merchant%20Compliance%20Program%20Requirements%20-%20%3CBR%3EMay%2014%2C%202007

  • Payment Card Industry (PCI) Data Security Standard (This is an easy self-assessment to help you get ready for proving you're compliant.)
    ~ https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf

  • A list of validated payment applications, and the list of Qualified Security Assessors (QSAs), the firms vendors pay to validate them.
    ~ usa.visa.com/download/merchants/validated_payment_applications.pdf
    ~ https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

  • Visa's Payment Application Best Practices: what it takes to get a specific version of an application validated.
    ~ usa.visa.com/download/merchants/cisp_payment_application_best_practices.doc?it=c|/merchants/risk_management/cisp_tools_faq.html|Payment%20Applications%20Best%20Practices

  • Read an excellent, logical industry white paper (it doesn't have a single acronym in it). Your business would also benefit if you and every employee in your organization were required to read the "Credit Cards 101" best-practices page.
    ~ http://www.shift4.com/ii_falsesense.htm
    ~ http://www.shift4.com/best_practices.htm

    #####

    Posted by Eddie and Tina Nelson
    December 2007
    www.TheCompanySoftware.com