What is PCI Compliance?

For most business owners, maintaining security can be a daunting task with many confusing hoops to jump through and procedures to follow.  By sharing some background and context, we want to help you have a better understanding of what it takes to overcome the hurdles in becoming compliant with the industry’s requirements and keeping up with the many advancements in technology.

BACKGROUND:

Data security is more important than it has ever been with the rise of hackers and data theft.  The major card brands set PCI Compliance procedures in motion to decrease vulnerability and increase data security, and in 2004 these procedures were made mandatory for all businesses processing debit or credit cards.

If you’re a business that currently accepts or would like to accept Visa, Mastercard, Discover, AMEX or JCB, you are required to meet a set list of practices that were created by the PCI SSC (Payment Card Industry Security Standards Council).  Security Metrics* reports that in “2016 the number of data breaches tracked in the US rose 40% according to a study by the Identity Theft Resource Center (ITRC).”

PROCESS:

We understand that the process of becoming compliant can be a bit tedious, but it is well worth the time spent to ensure your business and your customers’ data are secure.  Most merchant services providers will partner with a PCI services company to verify your payment processing protocol and run the scans on the internet connection.

The process has 3 main steps:

  • Filling out the self-assessment questionnaire (SAQ)

  • Initiating the scan on your public-facing IP address

  • Recertifying your self-assessment questionnaire annually

It’s really as easy as that. Generally the SAQ will not need to be filled out again and once you complete one scan, the PCI company will run scans quarterly to maintain your compliance. 

WHAT TO DO:

So how do you go about becoming compliant if you aren’t already?  First, it is your merchant services provider’s responsibility to initiate the process of getting your business in compliance.  So if you’re not sure you’re compliant, reach out to your merchant services provider right away to find out.  Ultimately, it is your responsibility as the business owner to finish the process of filling out the questionnaire, completing the scan and making sure your status is compliant.  Generally you will have 3 months to a year (depending on the terms of your agreement) from when you open your account before penalties are applied, but if it is not completed you could potentially be charged non-compliance fees ($10-$40 a month) in addition to your current processing fees.

DO YOU NEED A HAND?

We at Calibr strive to educate our merchants on the full extent of what they need to know to be secure, smart and successful when it comes to accepting card payments.  Please reach out and let us be a resource to you regarding PCI Compliance or any other issues your business might be facing.  We also do a free, no obligation analysis to see if there are any ways you can maximize your company’s resources and minimize your expenses.  We would love to help your business thrive.

*Security Metrics is one of the country’s largest providers of PCI Compliance services. Quote taken from “PCI Basics for Merchants”: http://info.securitymetrics.com/pci-basics-for-merchants

Not a Fan of Throwing Away Cash?

Top 3 Silent Cash Flow Leaks

Running a small business is often an all-hands-on-deck operation and a lot can get lost in the shuffle. With years of experience working hand in hand with businesses, I have seen all kinds of things that cost businesses time and money. With companies big or small, these are the top 3 things that consistently eat away at the bottom line.

Issue #1:  Invoices Aged Over 30 Days

Collecting payments tends to be the most costly part of running a company.  Companies commonly don’t have clear payment terms or tend to soften them to win the sale. With no plan of action to tackle unpaid invoices, many companies resort to a phone call and hope the client answers and pays.

FIX: Preparation and Preplanning

  • Clear contract terms and documented payment agreements

  • Collecting (and securely storing) payment information for contracts or service agreements.

  • Recurring billing plans using accounting software or payment processor

  • Use of a simple customer interface to make payments

Issue #2:  No Reconciliation Process

“Reconciliation” may be a new term. It is defined as “the key process used to determine whether the money leaving an account matches the amount spent, ensuring the two values are balanced at the end of the recording period.”

For companies with linked accounting software and bank accounts, many think of this as a hands-off task. However, human intervention is necessary to make sure your accounting books square up. When companies finally dig in, they find a variety of things:

  • Unpaid Customer or Vendor Invoices

  • Fee Increases from Vendors

  • Duplicate Charges

  • Unaccounted for Cash Withdrawals or Deposits

FIX: Two options, both will assist in cash flow and tax reporting:

  • Schedule time:  Block out a couple hours each month on your calendar as a recurring event. This will ensure regular attention to finding leaks.

  • Hire an hourly professional: Time is money. Bookkeeping professionals are efficient and as they learn your business, it will take less time to complete your reconciliation. Another set of eyes is also beneficial to see things you may have missed.

Issue #3: No Review of Services or Fees

This is common with mom and pop businesses all the way up to Fortune 500 businesses. Many companies don’t take the time to kick the tires on the fees they are paying to vendors. Because many take the stance of “If It Isn’t Broken, Why Fix It,” they are commonly overpaying. I have met with companies that have let 10+ years pass and overpaid thousands of dollars.

FIX: Knowledge is Power

  • Find your contract end / renewal dates for vendors. This may require reaching out to get copies of contracts.

  • Request an account review 6-9 months before the end of your contracts. They may find you now qualify for a new tier or reduced pricing.

  • Ask your tax or bookkeeping professional for recommendations. They are looking at companies’ expenses every day and may have insight into where costs might not line up with industry standards.

Reach out to your local chamber of commerce, LinkedIn groups, or associations. Let others’ hindsight be your foresight.

Chip or Swipe?

To Chip or Not to Chip.  That is the question.

Are you curious about why you have to swipe at some stores or use the chip at others each time you go to pay? Take a look at this very informative article from the Washington Post about the new EMV regulations.

For Merchants, EMV compliance means the liability of that transaction does not solely fall on you.  There is urgency for merchants to become EMV compliant as soon as possible so that the acquirer who handles your processing account is held more responsible for the liability of each transaction.

For consumers, the data transmitted in a chip transaction is dynamic data, meaning it changes each time you use your card.  Swipe transactions transmit static data that does not change, therefore making it much easier for a scammer to create a fraudulent card and steal your account information.
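
To make the static versus dynamic difference concrete, here is a small added example (not from the original article and not the actual EMV algorithm): a toy chip that signs every payment with a secret key and a running counter, next to a swipe that always sends the same string. The key, the track string and the class names are constructed for illustration only.

```python
import hashlib
import hmac

# Constructed sample values; not real card data and not real EMV keys.
CARD_KEY = b"constructed-demo-card-key"
STATIC_TRACK = "0000000000000000=0000"

class ChipCard:
    """Toy chip: signs each payment with a secret key and a counter."""
    def __init__(self, key):
        self._key = key
        self.counter = 0

    def pay(self, amount_cents):
        self.counter += 1
        msg = f"{self.counter}|{amount_cents}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"counter": self.counter, "amount": amount_cents, "tag": tag}

class Issuer:
    """Toy issuer: checks the tag and refuses any counter already seen."""
    def __init__(self, key, track):
        self._key = key
        self._track = track
        self.last_counter = 0

    def approve_swipe(self, track):
        # Static data: the same string is accepted every time it is presented.
        return hmac.compare_digest(track, self._track)

    def approve_chip(self, txn):
        msg = f"{txn['counter']}|{txn['amount']}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["tag"]):
            return False  # amount was altered or the key is wrong
        if txn["counter"] <= self.last_counter:
            return False  # a copy of an earlier payment
        self.last_counter = txn["counter"]
        return True

def demo():
    issuer, card = Issuer(CARD_KEY, STATIC_TRACK), ChipCard(CARD_KEY)
    first = card.pay(1999)
    return {
        "swipe_first": issuer.approve_swipe(STATIC_TRACK),
        "swipe_copied": issuer.approve_swipe(STATIC_TRACK),
        "chip_first": issuer.approve_chip(first),
        "chip_copied": issuer.approve_chip(dict(first)),
        "chip_altered": issuer.approve_chip({**card.pay(500), "amount": 50000}),
        "chip_next": issuer.approve_chip(card.pay(500)),
    }
```

The copied swipe data is approved a second time, while the copied or altered chip message is refused and the card's next genuine payment still goes through.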

Please contact Calibr for more information about becoming EMV Compliant, or with any questions regarding these new regulations and chip cards.  We would love to help you be a more educated consumer or merchant.