According to a letter sent to MLSs and associations by NAR, “When associations use the Realtor Ecommerce Network, the burden of meeting the PCI security standards falls on NAR, the merchant, rather than the associations.” This is incorrect and puts these organizations at risk.
For those not familiar with PCI compliance: if your organization accepts credit cards, there is a set of rules you need to be aware of called the “PCI Data Security Standards”. PCI stands for “Payment Card Industry” and includes the five major credit card companies. These companies have all agreed that any company that stores, processes or transmits credit card or debit card data must comply with a rigorous set of information security guidelines. By the end of 2007, any organization that accepts payment card transactions was supposed to be in compliance with the standards – and if not, the credit card companies (or the bank through which the cards are processed) could assess fines on non-compliant companies and even disallow further credit card transactions until PCI Data Security Standards compliance has been achieved.
To clarify this issue, I quote from the PCI Security Standards Council (https://www.pcisecuritystandards.org/) site: “Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data? PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.”
The key words here are “processed or transmitted”. Let’s say I had a web site that sold widgets and I linked out to Paypal when people checked out on my site. To be clear, when the user entered their credit card information, the URL in their web browser said “http://www.paypal.com” and no portion of the checkout process involving the credit card touched my web site. In that scenario, my web site has nothing to do with the credit card information – the information is never entered on, processed by, or transmitted from my web site – everything happens at Paypal – so Paypal is the only party that needs to be PCI compliant. If, for example, NAR were to fully host and audit the association management systems AND the other credit card systems where credit card information is processed and transmitted, then NAR could be solely responsible for PCI compliance – just like the Paypal example. However, MLSs and Associations often take credit cards on paper or via email (electronic fax), via point of sale devices, and allow for the input, processing and transmission of credit card information via a system that is located on their local area network. Therefore, it is the responsibility of such MLSs and Associations to attain their own PCI compliance.
PCI compliance is not easy to attain and maintain, but it’s just part of doing business within the rules. My company, Clareity Consulting, is working with a number of MLSs and Associations to help them attain PCI compliance – and our sister company, Clareity Security, is the exclusive real estate industry reseller of McAfee Secure, which provides the ongoing vulnerability scans required to fulfill the PCI requirements.
If you have management responsibility for such an organization and don’t have your PCI compliance documentation in order, you may wish to consider moving forward on that quickly in 2009.