In the age of online purchases and subscription-based services, many small businesses are inclined to keep customer cardholder information on file. Before this information is stored, small business owners need to understand the compliance obligations that come with it. Whether it is for a monthly refresh of your favorite groceries or an annual gym membership, small business owners should think twice before retaining customers’ cardholder data.
The Payment Card Industry Data Security Standard (“PCI DSS”) is a set of requirements for handling credit cardholder information. Developed and maintained by the PCI Security Standards Council (“PCI SSC”), which was founded by five of the largest card brands (American Express, Discover, JCB International, Mastercard, and Visa Inc.), the standard is a collaborative effort to protect the integrity of the payments system and maintain security for cardholders.
PCI DSS applies to any entity — large or small — that stores, processes, or transmits cardholder data. For the purposes of the PCI DSS, a “merchant” is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods and/or services.
Cardholder information should never be stored unless it is necessary for the business. Before a merchant retains credit card data, the merchant must be PCI DSS compliant. To be compliant, a merchant must meet twelve operational and technical requirements, including that storage be approved by the purchaser, that stored data be encrypted, that firewalls be used, and that the merchant’s network be tested to verify its security. A compliant merchant may retain the cardholder name, the primary account number (the 16-digit card number) and the expiration date. PCI DSS strictly prohibits a merchant from storing the card verification value/code (CVV/CVC) or the information encoded on the magnetic stripe.
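To make the storage rule above concrete, here is an added example (written for this post, not code from the firm or from the PCI SSC) of a pre-storage gate: it keeps only the three fields the post says a compliant merchant may retain, refuses any record that carries a CVV/CVC or magnetic-stripe track data (whether under an obvious field name or hidden in another field), and checks the card number with the Luhn checksum. The field names, the track-data patterns and the sample records are constructed for illustration; the masking helper reflects the PCI DSS practice of showing at most the first six and last four digits of a card number when it is displayed, which the post does not itself discuss.

```python
"""Pre-storage gate for cardholder records (added example, constructed names)."""
import re

# Fields the post lists as retainable by a PCI DSS-compliant merchant.
ALLOWED_FIELDS = {"cardholder_name", "pan", "expiration"}

# Field names treated as sensitive authentication data (constructed list).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "magstripe"}

# Magnetic-stripe track data has a recognisable shape even when it arrives
# under an innocent field name: track 1 starts with '%B' + PAN + '^',
# track 2 with ';' + PAN + '=' followed by the expiry (YYMM).
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers; 13-19 digits expected."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_track_data(value: str) -> bool:
    """True if a string value carries track 1 or track 2 magstripe data."""
    return bool(TRACK1_RE.search(value) or TRACK2_RE.search(value))


def prepare_for_storage(record: dict) -> dict:
    """Return only the retainable fields of `record`, with the PAN normalised.

    Raises ValueError listing every reason the record must not be stored, so
    the caller cannot persist prohibited data by accident.
    """
    violations = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            violations.append(f"prohibited field present: {key}")
        elif isinstance(value, str) and looks_like_track_data(value):
            violations.append(f"magnetic-stripe track data found in field: {key}")
    pan = str(record.get("pan", "")).replace(" ", "")
    if not luhn_valid(pan):
        violations.append("pan is missing or fails Luhn check")
    if violations:
        raise ValueError("; ".join(violations))
    stored = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    stored["pan"] = pan
    return stored


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits, rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number.
    ok = prepare_for_storage({
        "cardholder_name": "Ada Example", "pan": "4111 1111 1111 1111",
        "expiration": "12/29", "order_id": "A1",
    })
    print("stored:", ok, "display:", mask_pan(ok["pan"]))
    try:
        prepare_for_storage({**ok, "cvv": "123"})
    except ValueError as err:
        print("rejected:", err)
```

Running the file stores the first record (the unrelated `order_id` is dropped rather than kept) and rejects the second because a CVV is present; a record whose free-text field contains `;4111111111111111=2912...` is rejected the same way even though no field is named `track2`.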
Because payment processing is an intricate web of cardholders, merchants, financial institutions, and processing providers, many small merchants contract with a PCI-compliant payment processing company. This relieves them of the need to keep up with the latest versions of PCI DSS and other compliance requirements. Merchants do not have to give up the look and feel of their website when they use a payment provider’s hosted payment page; the result can be a PCI-compliant website that appears seamless to the consumer. Merchants should ensure that their contracts with PCI-compliant processors place responsibility for PCI compliance on the processor.
PCI DSS is a standard, not a law. This means PCI compliance is enforced through contracts between merchants, financial institutions, and payment brands. In the event of a breach, payment brands may fine a bank anywhere from $5,000 to $100,000 per month for violations. If the merchant was PCI compliant, it may be shielded from a portion of the liability. Otherwise, the bank passes the fine down to the merchant or terminates the relationship. Penalties are not publicized, but they present real risks to business operations. If you are a small business facing the decision of whether or not to store cardholder information, we are here to help you resolve the matter.
This blog post is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. This blog does not provide legal advice. This blog does not create an attorney-client relationship between you and Smith + Malek, PLLC. If you want to create an attorney-client relationship and have specific questions regarding the application of the law to your own circumstances, you should contact our office.