PCI Compliance and You

Whether your own business accepts credit cards or you give your own card information to others, such as your MLS or Association, there is a set of rules you need to be aware of called “PCI Data Security Standards”. PCI stands for “Payment Card Industry” and includes the five major credit card companies. These companies have all agreed that any company that stores, processes or transmits credit card or debit card data must comply with a rigorous set of information security guidelines.

By the end of 2007, any organization that accepts payment card transactions was supposed to be in compliance with the standards – and if not, the credit card companies (or the bank through which the cards are processed) could assess fines on non-compliant companies and even disallow further credit card transactions until PCI Data Security Standards compliance has been achieved.

There are different levels of PCI compliance required, depending on your type of business. Level 1 includes companies that process over $6 million in credit card transactions per year, or that have experienced an information security breach. These companies must pass a special yearly security audit by the card company or bank internal auditor or undergo a yearly audit performed by a Qualified Security Assessor (QSA), and must also undergo a quarterly network security scan by an Approved Scanning Vendor (ASV). Most companies that Clareity works with in the real estate industry are only Level 2 ($1-6 million/year) or Level 3 ($20,000-$1 million/year), and achieving PCI compliance for these companies is easier – it involves an annual self-assessment questionnaire and a quarterly security scan performed by an approved scanning vendor.

What does this mean to you? If you provide your credit card to others, you may want to find out if they are PCI compliant. If your organization takes and processes credit cards, either through software hosted by your organization and/or a ‘point of sale’ credit card device, you had best ensure that your company and any application service providers it uses related to credit card processing are PCI compliant. If not already compliant, it’s time to become PCI compliant quickly – the deadline for PCI compliance is already long past and your company could be facing fines and a card processing service interruption at any time.

More information: http://www.pcicomplianceguide.org/

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.