PCI-Data Security Standard Statement
At Smyth Retail we believe the current laws unjustly lay the burden of data security for credit card transactions at the retailer’s doorstep. If fraud is suspected the bankcard companies (Visa, MasterCard, American Express, etc.) can demand an expensive audit of your operation and if a security breach is found impose penalty fees that may well exceed most companies’ ability to survive.
This is a disturbing video to watch, but it is important for every retailer to understand the liability most don’t know they are obligated for.
Security of your store is your company’s responsibility and while it includes using certified solutions for bankcard processing, it is much more than the sum of the parts. Just because certified solutions are being used doesn’t mean your company is PCI Compliant. Being PCI Compliant requires the completion and maintenance of a Self-Assessment Questionnaire designed to assure that credit cards are handled in a secure manner. More importantly, PCI compliance isn’t a one-time event – it is an on-going process and requires the implementation of a security policy for every retailer, no matter how cards are processed.
While this sounds like a daunting task, it really amounts to reasonable practices and network security that any business should implement. Frankly, it isn’t very expensive, and there are plenty of resources available to guide you through the process. Most bankcard processors, including our preferred provider, offer programs that help guide you through the process and implement some of the services, such as the required quarterly validation scanning.
Since Merchant Plus! operates outside the Cardholder Data Environment, it is considered “out of scope”, meaning it no longer needs to be PA-DSS certified. However, the solutions we utilize are certified as indicated by this Smyth EMV E2E Certification whitepaper. The Datacap NETePay solution we use is PA-DSS Certified as confirmed by this Attestation of Validation. The newest update to data security incorporates the use of End to End (E2E) Encryption technologies to significantly reduce risk. See our Datacap NETePay out of scope letter for the latest Merchant Plus! version 5 bankcard processing method.
The one sure thing about bankcard security is that needs and requirements constantly change. Since the first requirements in the early 1990s there has been a constant need to stay one step ahead of the thieves and hackers. In 2010 we went through an expensive and exhaustive process to make the Merchant Plus! software PA-DSS (Payment Application-Data Security Standard) compliant (see our now expired compliance letter for Merchant Plus! version 4).
While the Merchant Plus! software is now considered “out of scope” and we don’t need to incur (and pass on) expensive audits, we believe that the same security guidelines (minimums) we were required to recommend under the PA-DSS process are still the guidelines our clients should be implementing: not only as good business security practices, but more than likely to meet the PCI-DSS compliance they are required to meet. We are always willing to discuss this at length with our clients.
Merchants who are not PCI compliant are not only exposed to possible fines or penalties, but also run the risk of having their credit card privileges revoked.
DO NOT RUN THE RISK OF HEAVY FINES, LOSS OF CUSTOMER CONFIDENCE AND THE INABILITY TO ACCEPT CREDIT CARDS IN YOUR STORE.
Make sure that the application and devices you are using for bankcard processing are either PA-DSS compliant or out of scope, like Merchant Plus!. Regardless of how credit cards are processed, you must implement a security policy that assures that you become and remain PCI-DSS compliant. For more information about PA-DSS, please direct your browser to www.pcisecuritystandards.org.