3Pointer: Take Credit or Debit Cards? Here’s
What You Need to Know About PCI Compliance
Whether you accept one payment card a year or thousands, a PCI audit will cross your path if it hasn’t already. Those three little letters have small businesses wide-eyed and at attention. Companies that don’t comply face stiff penalties, higher fees or, at worst, lose the ability to accept cards at all.
To bring you up to speed, PCI stands for Payment Card Industry. An independent council – not a government agency – publishes the PCI Data Security Standard (PCI DSS), a set of requirements for protecting cardholder data and cutting down fraud. The PCI Security Standards Council was founded by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The council writes the standard, but the individual brands and a merchant’s acquiring bank are the ones who enforce it, which is why PCI audits are often triggered when merchants undergo an annual review or change payment card vendors.
Which is exactly what happened to 3Points client Clesen Wholesale, a third-generation grower, broker and distributor of wholesale seasonal annuals. They noticed credit card fees creeping up and sought a better solution. In their switch from Bank of America to FirstMerit Bank, the company was audited. The process was both illuminating and painful, but the eventual PCI-compliant stamp of approval was worth it, according to Anne Laverick, Clesen Wholesale’s Controller. Her reason is inspired by the one group of people that make or break every business …
Customers. “As a company, it reflects what you want to do for the customer. They are buying from you, and we’re saying ‘we value you as a customer and we are not putting you at risk,’ ” said Laverick. Clesen Wholesale handles about 500 payment card transactions per year.
For a merchant of Clesen’s size, a PCI audit is self-directed; there are no black suits walking in asking for stacks of files or computer access (only the largest merchants are assessed on site). A thirty-page Self-Assessment Questionnaire includes about 450 technology and business questions, organized around the standard’s twelve requirements. Companies are queried on firewalls, router configurations, vendor-supplied defaults for system passwords, cardholder data protection, encryption strength and protocol, access control measures, physical access to systems holding cardholder data, network monitoring and testing, security system testing and processes, and information security policy. Laverick said, “The questionnaire was ridiculous. It didn’t matter if you had a single terminal or if you were a Home Depot or Dominick’s. It was crazy.”
In the end, though, Laverick feels good about the infrastructure now in place, “We are compliant now. We are safe and secure. People cannot get into our network and steal people’s information.”
3Points CEO Steve Banke counsels clients on PCI Compliance. “Last year, we had zero clients getting audited,” he said. “In the last three months we’ve done three audits, all in completely different industries: a healthcare company, business-to-business distributor, and a wholesaler.” With more B2B companies accepting credit cards, he expects the number to rise. Banke describes the questionnaire as long and somewhat intimidating, commenting, “Our clients get the questionnaire and they don’t know where to go. We encourage anyone who is concerned about PCI compliance to contact us for help. We work together with our clients, and we can make the transition to PCI Compliance fairly easy.”
Once compliant, companies also undergo quarterly external vulnerability scans, run by a scanning vendor approved by the council, to expose weaknesses reachable from the Internet. These are automated scans of the merchant’s Internet-facing systems rather than a full penetration test, and a scan that turns up a serious weakness has to be fixed and rescanned before it counts as a pass. “The standards are evolving,” said Banke. “That’s why these scans are done quarterly. There are new threats and new types of resolutions that need to be implemented regularly. It’s important for us to have a close partnership with our clients on these audit procedures so we can help them immediately solve problems.”
3Points follows specific procedures to assist clients in becoming fully compliant on both the technical and administrative sections of the questionnaire, typically working through a third to half of it with them. After an audit is submitted and a company receives notice of deficient areas, 3Points corrects the problems, which might range from replacement firewalls and updated application software to new VPN technology.
Clesen Wholesale failed their initial compliance audit in two areas. “It took about two months to fill out the questionnaire,” Laverick said. “Once we got all the parties involved, it took about three weeks (to fix the problems). There were software updates across multiple platforms and people. If someone’s information is stolen, a company that is not compliant is open to big fines. There’s a huge liability if you don’t do this. For example, it X’s out everything except the last four digits (of a credit card number). Customer information is in the system, but you can’t see the number or expiration date on a card. That was a big change from our old software.”
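The masking Laverick describes, showing only the last four digits of a card number, is one of the cheapest and most effective PCI controls, because a number that is never displayed in full cannot be read off a screen, a printout or a log. The example below is written for this article and is not Clesen Wholesale’s or 3Points’ software; it goes a step beyond the quote by also scanning constructed sample log lines for card numbers that were never masked, the kind of check a quarterly review or an incident responder would run. A Luhn checksum is used to tell real card numbers from order and invoice numbers of the same length; the card numbers in the sample are the public test numbers the brands publish, not real accounts.

```python
import re
from typing import List

# Luhn checksum: every PAN issued by the major brands passes it, so it weeds
# out order numbers and phone numbers that merely look like card numbers.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a PAN for display: everything but the last four digits becomes X.

    PCI DSS allows at most the first six and last four digits to be shown;
    this follows the stricter last-four-only form described in the article.
    Spaces and hyphens are stripped, so the masked value has no separators.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return "X" * (len(digits) - keep_last) + digits[-keep_last:]


# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number found in text, separators removed."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_PATTERN.sub(repl, line)


# Constructed sample log lines (not from the article). The order and invoice
# numbers fail the Luhn check; the two pan= values are published test cards.
SAMPLE_LOG = """\
2013-03-04 09:12:01 order=1234567890123456 customer=anne status=paid
2013-03-04 09:12:02 DEBUG gateway request pan=4111111111111111 exp=0315
2013-03-04 09:13:45 DEBUG gateway request pan=5555 5555 5555 4444 exp=1216
2013-03-04 09:14:10 invoice=7788990011223344 total=412.50
"""

if __name__ == "__main__":
    print("unmasked PANs found:", find_unmasked_pans(SAMPLE_LOG))
    for line in SAMPLE_LOG.splitlines():
        print(redact_log_line(line))
```

The scan is deliberately conservative: a 16-digit order number that happens to pass Luhn would still be flagged, which is the right failure mode when the cost of a miss is a card number sitting in a debug log. Running the scanner over application and web-server logs is also a quick way to find out whether the masking in the point-of-sale software is the only place full numbers leak.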
In a perfect world, companies aren’t caught off guard, observes Banke. “We want people to be compliant before their merchant services provider does the scan,” he said. “We want them to be ahead of the game. Nothing would be better than to have them go through an unexpected PCI audit, and to have them already be PCI Compliant.”
Product Focus: The 3Points PC Replacement Plan
It’s Super Bowl Sunday. Victory is in the air, right along with the scent of chili. And, then, the unimaginable happens: the satellite TV signal drops out. An even more nightmarish outage occurs when computers break down. Business stalls, productivity nosedives and, hey, let’s get real, it’s painful to spend money on an unexpected line item.
The 3Points PC Replacement Plan helps small businesses budget for new desktops and laptops, eliminate down time caused by computer crashes, and stay up-to-date on the latest technology.
Dawn M. Daujatas, Firm Administrator for Chicago-based law firm Dowd & Dowd, Ltd., says, “Our billable hours increased with our PC Replacement Plan, making the Partners extremely happy.” For Dowd & Dowd, there are no extra service costs. Computers are ordered one month before a monthly onsite appointment at which time a technician handles installation. So far, 15 machines have been replaced over the last 18 months.
“Typical life of a laptop is three years depending upon usage. If parts go bad, it can be hard to find them in an industry that continues to innovate and grow,” said 3Points’ Kelly Paroubek. She points out that replacing a failed computer can take two or more weeks of quoting, approving and ordering.
PC Replacement Plans: Top 4 Questions to Ask
- Does our business want an easier way to budget for workstation investments?
- Can people in my company afford to have their workstations down for two or more weeks?
- Are we a proactive or reactive company?
- If our workstations were maintained on an ongoing basis, would there be less business interruption and greater overall convenience?