PCI Compliance 101
As technology advances and credit card usage increases, the threat of bankcard account theft to both cardholders and merchants continues to grow. Large corporations such as Home Depot, Neiman Marcus and TJ Maxx have all fallen victim to data breaches from cybertheft. These incidents end up costing corporations hundreds of millions of dollars and affect tens of millions of cardholders who used these retailers. In an attempt to prevent future attacks and protect cardholder information, the PCI Security Standards Council was formed.
In a joint effort between the five major card companies (Visa, MasterCard, Discover, American Express and JCB), a standard for payment security was drafted. The requirements ensure that merchants handle cardholder information in a manner that is safe and secure. The guidelines have become mandatory for any merchant that processes or stores cardholder information. Merchants that refrain from becoming PCI Compliant may face higher fees and charges due to the increased risk associated with accepting cards in a non-compliant environment.
There are 6 different objectives that have a total of 12 requirements in order for a merchant to be in compliance.
1. Build and Maintain a Secure Network and Systems
- Install and Maintain a Secure Firewall to Protect Cardholder Data.
- Create Secure and Unique Passwords. Do Not Use Vendor Supplied Logins.
2. Protect Cardholder Data
- Protect Cardholder Data when Stored.
- Encrypted Transmission of Cardholder Data Across Networks.
3. Maintain a Vulnerability Management Program
- Prevent Malware by Using Updated Anti-Virus Software on all Systems.
- Develop and Maintain Secure Systems and Applications.
4. Implement Strong Access Control Measures
- Restrict Access to Cardholder Data to Only Individuals Authorized to Use the Data.
- Assign Unique IDs to Each Individual with Computer Access.
- Restrict Physical Access to Cardholder Data.
5. Regularly Monitor and Test Networks
- Track and Monitor All Access to Networks and Cardholder Data.
- Regularly Test Security Systems and Security Processes.
6. Maintain an Information Security Policy
- Maintain a Policy that Addresses Data Security.
PCI Compliance Levels
There are 4 levels of PCI Compliance that are given by Visa and MasterCard. Each level is determined by the number of credit card transactions processed each year.
- PCI Compliance Level 1: Over 6 million Visa and/or MasterCard transactions per year
- PCI Compliance Level 2: 1 million to 6 million Visa and/or MasterCard transactions per year
- PCI Compliance Level 3: 20,000 to 1 million Visa and/or MasterCard e-commerce transactions per year
- PCI Compliance Level 4: Less than 20,000 Visa and/or MasterCard e-commerce transactions per year
Level 1 companies must have yearly on-site reviews by an internal auditor and a network scan by an approved scanning vendor.
Level 2, 3 or 4 companies must complete the PCI DSS Self Assessment Questionnaire annually and have quarterly network security scans with an approved scanning vendor.
Merchants deemed non-compliant can face increased fees and additional security costs. Per the card associations' agreements, merchants need to abide by the guidelines set forth or run the risk of having additional measures taken. This can include increased fees, higher processing rates or being required to be compliant at a higher level. Non-compliance can also result in merchant account closure.
As the card associations focus on eliminating fraud and data breaches, it is going to be essential for merchants to become PCI Compliant. Following the guidelines set forth and performing routine security checks is not only beneficial to merchants, but will also reduce long term costs.
In the adult payment processing industry, merchants are generally viewed as "risky" or as "high risk merchants", which can create complications when applying for a merchant account. Depending on the underwriting guidelines of each payment processor, a merchant can have a different perceived risk level at each processor. Most payment processors focus on general retail and eCommerce business models. Fortunately for merchants in higher risk industries, there are payment processors that specialize in medium to high risk businesses, including adult merchants. In this post we will try to explain what a high risk merchant account is and how they work.
A business could be considered high risk for a number of reasons. These can range from the financial history of the business or the business owner to the location of the business. Businesses or business owners with low credit or a history of payment processing issues can make a merchant higher risk. Businesses located outside of the USA (offshore) will also be treated as higher risk. The most frequent reason for a high risk classification is the business model itself. An adult business, for example, will fall outside the underwriting guidelines of the majority of payment processors once its risk potential has been assessed.
Merchants in adult and other high risk industries unfortunately do not have many options when it comes to finding payment processors. These higher risk payment processors tend to operate with higher fees than most retail and eCommerce processors. Merchants generally have to accept these terms and operate with the higher fees if they want to continue processing payments. During the application process, merchants should research every processor and determine whether their funds are safe. Many of these higher risk payment processors have a history of closing accounts and not paying merchants. Know the companies you are dealing with and check with current merchants for their opinions before applying for a high risk merchant account.
Another element that is important for merchants to pay attention to is the fees, terms and conditions associated with the merchant account. Many times these processors will not only charge high transaction fees, but also charge application fees and may collect a reserve. Application fees (sometimes charged after the account is approved, as a setup fee) can usually be negotiated down, since they are generally a junk fee. Many times the broker is marking up this fee and just padding their pocket. Another fee, the reserve, is something put in place by the processor to ensure that the merchant can cover chargebacks and other fees associated with the account. Reserves can either be collected and held, or they can be set up as a rolling reserve, where funds are held for 6 months and then released on a monthly basis while new fees are being collected. These funds are usually based on a percentage of total sales, and that number is commonly 10%.
Merchants looking for an adult merchant account need to understand what they face when searching for a payment processor. One thing is certain: their fees will be higher than those of most other eCommerce businesses. Established adult websites have leverage when applying, but merchants will have to show they have good monthly volume. Adult merchants should always pay attention to all the fees associated with their account and try to negotiate some of the setup or application fees. Though reserves might be required to approve the account, these can also be discussed with the processor and from time to time negotiated lower. The final point for merchants to remember is to research the payment processor. Make sure you are working with a trustworthy company that will pay consistently. We hope that this post has helped clarify what a high risk merchant account is and what a merchant should know before processing payments.