Navigating credit card security requirements

Compliance isn't cheap or easy

October 21, 2010 (published)
By Edie Lau

As the owner of a start-up mobile veterinary clinic, Dr. Ann Marie Schmid is especially watchful of expenses.

So when she jumped through a variety of hoops to set up a secure credit card acceptance system only to get hit with a $25 per month penalty for “PCI non-compliance,” the business owner in Franksville, Wisc., felt like she’d had enough.

“I’m pondering dropping credit cards altogether as the fees are killing me!” Schmid wrote in an Internet discussion hosted by the Veterinary Information Network, an online professional community.

Schmid found herself in good company in the discussion. Like small business owners of all types, many veterinary hospital and clinic owners are grappling with myriad fees and requirements imposed by credit card companies, not the least of which involves compliance with the Payment Card Industry Data Security Standard, or PCI DSS.

PCI DSS was developed several years ago by the major credit card companies — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. — as a universal standard. Before that, each company had its own requirements to safeguard transactions. In 2006, the companies formed the Payment Card Industry Security Standards Council, an industry-run regulatory body that develops, disseminates and implements security standards for credit card account data.

The development of PCI DSS has spawned an industry of its own. Hundreds of vendors offer services to help merchants become and stay compliant with the security standards. As in a real estate transaction, it can seem like everyone and his brother wants a slice of the pie. Chief questions among veterinary clinic owners are: What is a reasonable cost for becoming and staying compliant? What am I getting for the money?

Although the security requirements are standardized, variations exist in how the standards are applied. Businesses that process millions of transactions per year must follow a more involved process to demonstrate compliance than businesses that process fewer than 50,000 transactions, for example. As a result, the steps required and expense entailed in compliance aren’t clear cut, but depend on the nature of the business.

To help veterinary business owners navigate the world of PCI DSS compliance, the VIN News Service put together the following Q&A.

Question: What is PCI DSS?

Answer: The Payment Card Industry Data Security Standard is a set of requirements that merchants who accept American Express, Discover, JCB International, MasterCard and/or Visa must follow as a means of protecting cardholder data from theft. The standards aren’t new; they’ve been out since 2006, but the credit card industry focused its compliance efforts on the biggest merchants first, reckoning they posed the highest risk for security breaches, according to Matthew Mors, a spokesman for the Payment Card Industry Security Standards Council. Information and attention to smaller merchants — those that process relatively fewer transactions — has since “filtered down,” Mors says.

Q: What are the PCI DSS requirements?

A: There are 12 broad requirements. They are:

• Install and maintain a firewall to protect computerized cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters; assign robust custom passwords.
• Safeguard stored cardholder data.
• Encrypt transmission of cardholder data across open public electronic networks.
• Use and regularly update anti-virus software.
• Develop and maintain secure systems and applications overall.
• Restrict access to cardholder data to only those individuals who have a legitimate business need for access.
• Assign a unique identification to each person with computer access.
• Restrict physical access to cardholder data.
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.
• Maintain a policy that addresses information security.

Detailed specifications can be downloaded from the council’s website.

In a completely different presentation form, the requirements also are summarized in a light-hearted cartoon music video.

Q: Are the standards the same for everyone?

A: The standards are the same, but the process for demonstrating compliance is more involved for larger merchants.

Merchant size is determined by number of transactions processed annually. Each card company has a different way of defining merchant size, but in general, the smallest merchants are those that process 50,000 or fewer transactions per year. Click here to see tables showing how each card company defines merchant size.

To demonstrate compliance, small merchants must complete a self-assessment questionnaire each year and undergo a network scan each quarter by an “approved scanning vendor,” or ASV. (Businesses wishing to qualify as an ASV must take a test that demonstrates to the Security Standards Council that they are able to identify vulnerabilities and misconfigurations in a system.) The most recent list of ASVs maintained by the council shows more than 150 vendors.

Q: What does all this cost?

A: Rebecca Herold, an information security, privacy and compliance consultant in Iowa, has assisted companies large and small with PCI DSS compliance. She notes that, for starters, many of the 12 requirements may involve an expense. So the cost of becoming compliant “depends on where each merchant is at with these 12 activities,” she says.

As for demonstrating compliance, Herold says that completing a self-assessment questionnaire could cost nothing for a merchant who can do the work in-house. Hiring outside help, she says, could cost as much as $5,000, depending on the questionnaire that needs to be completed.

The self-assessment questionnaires (SAQ) come in four versions. Which questionnaire merchants should complete depends on how they process credit cards. For example, bricks-and-mortar businesses that do not store electronic cardholder data use one version; online-only businesses, another. Mors advises that merchants ask their bank or transaction processor which questionnaire to use.

Herold notes: “The most detailed ones will likely take several days, and several interviews with various internal staff, to complete. The time could be anywhere from a few hours to several days, depending upon the number of systems involved.”

Quarterly scans by an ASV are another expense. Herold estimates that a scan for a small operation may run $500 per quarter. If that sounds pricey, consider that the largest merchants may be spending upwards of $100,000. The scans themselves may take a few hours for a small organization to a few days for a larger one.

Herold notes that merchants who use a payment processor to handle all their transactions — along the lines of PayPal — typically need only ensure they meet the 12 requirements and perhaps fill out a self-assessment questionnaire.

The very largest merchants — generally, those processing transactions numbering in the millions — are required as well to be visited periodically by security assessors (known in the industry as QSAs, for “qualified security assessors”). Herold says such visits cost from $10,000 to $100,000 and up, and may last anywhere from a few weeks to several months.

Q: What if I am dissatisfied with the service provided by my credit card processor and/or the vendor providing my quarterly scan?

A: Try a competitor. Prices and services can vary widely. Mors, the Security Standards Council spokesman, compared finding a good ASV to finding a good plumber. “Because these things have become commoditized, basically, shop around,” he advises. “Do the due diligence you would with any other service.”

Q: I just read an article about a new system, Square Up, that enables anyone to process a credit card payment simply using a card reader that plugs into an iPhone, iPad, iPod Touch or Android phone. How would PCI DSS apply to this system?

A: This is Herold’s take: “If Square Up, or the similar wCharge from PayPal, is all that the veterinarian uses for collecting credit card payments, then they would likely not need to be ‘PCI compliant’ with regard to all the ASVs and QSAs and filling out SAQs,” she says. “They should still have security in place to protect the information they collect from their customers as a matter of good business practice and to demonstrate due diligence.

“So, if I'm a veterinarian traveling around visiting farms taking care of horses and cattle, and I want to let the farmers pay for my services as soon as I'm done, I could let them use their credit card and pay Square Up through my iPhone. Square Up keeps their percentage of the transaction and Square Up then makes an auto-deposit in my bank, sends me a check, whatever, for the remainder. So conceptually these could be good options for these small entities. Now, they would still need to make sure they configure their mobile devices appropriately.

“However, if they used Square Up or wCharge, in addition to taking credit card payments in other forms (such as writing down the numbers in their offices and then calling them in, etc.), then, in general, they would still need to comply with PCI DSS.”

Q: What are the consequences of not complying?

A: In the event of a security breach, the Payment Card Industry has established fines of up to $500,000 per incident. In addition, credit card processors may levy fines on merchants who have not demonstrated compliance.

Mors notes that merchants stand to lose client trust, as well. “When you agree to accept credit cards, you’re agreeing to protect the data that’s in there. That’s not only a contractual obligation between you and the processor or acquiring bank that processes your transactions and your agreement with the card brands, it’s also an implied trust by your customers,” he says. “Your customers, rightfully so, expect that if they turn over the credit card to you, you’ll protect it.”

Q: Once I’ve become compliant and successfully proven it, am I good to go?

A: Yes and no. Unfortunately, security is a moving target. Being PCI DSS compliant doesn’t guarantee you won’t have a breach. To address emerging threats as well as to try to keep the standards as simple and practical as possible, the PCI Security Standards Council updates the standard periodically, Mors says. The latest revision will be issued on Oct. 28, and becomes effective Jan. 1. However, validation against the older standard will be allowed through Dec. 31, 2011. “With an additional year, stakeholders have more time to understand and implement the standards, and provide feedback throughout the process,” he says.

The basic security requirements don’t typically change with the revisions; rather, the revisions tweak fine details behind some requirements, according to Mors. Those tweaks will be embedded within the self-assessment questionnaires. Small merchants, therefore, need not study up on the revision; they just need to fill out the most up-to-date questionnaire.

Herold says: “Having an effective information security and privacy program ... is an ongoing process that cannot just be put into place once and then forgotten. Like other business risks, information security and privacy risks must now be managed on an ongoing basis.

“Every time you make some change in your business — such as offering a new service, opening a new office, moving to a different location, changing computer systems and applications and so on — they will bring new risks to information. So safeguards will need to be adjusted accordingly.

“If you want to process credit cards,” she concludes, “there’s really no way around it.”

The PCI Security Standards Council has put together a new website aimed at helping small businesses with the standards. The site is scheduled to launch on Oct. 28.
