P C I . L L X . C O M
So What Is This PCI Stuff About Anyway?

A View from the Trenches, Benches, and Restaurant Tables

  • PCI Violation Huh? What's that about?

        PCI stands for Payment Card Industry, and in the regulatory concept refers to a series of banking and credit card processing agreement regulations you signed off on (whether you realize it or not) when you chose to accept credit cards in your business. And Violation means that you're missing the mark on how your systems are processing credit cards, and that could cost you. Read on:

        In short, the banks, processors and industry regulators want to be sure that you comply with all the new rules about how to make it harder for credit card thieves to steal yours or anyone else's credit card to use in nefarious new ways.

        Perhaps you're coming here because Jerral or another of our risk assessment auditors recently visited your location and received as his receipt something which displayed his credit card number. No doubt he crossed out numbers, invited you to come visit this site, and left you a little note saying PCI Violation on your Point of Sale card receipt generated by your billing software. He also likely recommended that someone there learn more about PCI immediately, since you could incur some big fines for the way your software is currently configured. PS: Do not ignore this dated, timestamped record of your PCI Violation which was generated by your own point of sale system!

    (Or worse yet, maybe Jerral or another auditor came across your company who hand-writes invoices and places customer CC info on paper... very bad news). Did you know you can be liable not only for all of the PCI fines, but also for all the costs associated with Bank or Customer losses associated with any card you've written down like this, FOR THE LIFE OF THE RECORD, AS LONG AS YOU RETAIN THAT PAPER COPY...

    Many restauranteurs and retailers aren't yet aware of the risks of having the full credit card number and expiration date appear on receipts. But it's not for lack of trying to get them to learn! To be clear: Even the MERCHANT COPY of the CC receipt should mask those digits, for instance:

    Card No: * * * * * * * * * * * * 1 2 3 4
    Exp Date: * * * *

    Yep, that's true.

    Your customers who've told you about this aren't just complaining. They're trying to protect YOU and themselves because they know that until you fix this, you're putting THEIR credit card and YOUR REPUTATION at risk. If a customer has given you a note saying you have a PCI Violation, then they're also likely prudently compiling details of dates you were warned which can stand up in court. If having used a card in your establishment results in their card or their identity being compromised, then they will know. You'll be hearing about it because it's very likely going to cost you in more ways than one, and in big numbers. There will be irrefutable evidence that an auditor warned you (in many cases multiple times) yet you chose not to fix the problem.

    If your process and systems there allow for a credit card breach, you can be liable not only for what it costs to clean up their mess with you, but anything else a thief does with that card, as well as the bank's charges for cleaning up, reissuing cards used at your establishment, and other charges. On average, it costs about ~$100 - 200 per record (plus goods and services and fraudulent charges-- sometimes as much as $300 per record plus expenses). And of course, learning that systems are insecure starts with compromise of a single card. That's all it takes for a potential data thief to learn that your systems are not secure and start hammering away at trying to crack further in.

    Bear in mind that many states have laws requiring you to publicize a data breach you experience. So if cards turn out to be comrpromised as a result of your systems, then all of the customers to your establishment who've used debit or credit (or in some cases, loyalty or gift) cards there will all be at risk. So they, too, may be eligible to have their cards reissued by their banks (all at your expense) if you've been warned and yet still have done nothing.

    This can get expensive. No to scare you, but do the math with your own numbers: $300 x 50+ cards a day x 30 days = $450,000+

    Or check out the numbers from the TJ Maxx credit card fiasco. Their Their 2006 breach costs in this article were estimated to top $4.5 BILLION!

    So let's not see you become the next TJ Maxx. Better we should learn than wait to be taught. Do not delay in cleaning this up. Appearing in the news about this is not going to be useful for your business.

    Everybody including your bank is on your side on this one: They're trying to save you money and reputation. If you don't fix this and a compromise occurs, you can be fined up to $10,000 plus a recurring fine monthly until it's fixed, be required to pay a higher charge per transaction and even be threatened with losing the ability to accept cards at all. And we both know that small retailers would find that quite a chunk of change to put at risk just because a receipt is spewing forth too many digits. It may not seem so important to you, but you can bet that to a customer who has his credit card or identity compromised because of something you won't fix, it's a biggie to someone.

  • What must be done about it?

    Contact your software vendor which handles credit card transactions. In some cases, that's your Point of Sale software. In other cases, it's the vendor who sold you that little CC processing machine. Contact your credit card processing company or bank (Acquirer). They're intimately involved in how this keeps happening in the first place. They likely already know, and they may have already sent you a note about that which you either missed or ignored because you didn't understand. In many cases, your bank issued you the credit card machine in the first place, and they're more than happy to upgrade its firmware since protecting YOUR liability also protects THEIR liability. And of course, they are also always happy to sell you a brand new unit with all kinds of fancier gizmos out there.

    But the bottom line: you must remeidate your current PCI Violation, or you AND YOUR BANK can be liable for some pretty hefty fines. And you can bet that they're definitely not going to be paying any fines on your behalf. It's going to cost you.

    In short, your credit card acquirer (processor/bank) requires that:

  • You must maintain adequate controls over financial reporting data including bank account numbers, credit card numbers and all the little pieces running around in your system which refer to them
  • You must provide both your customer's and your own copy of the receipt with only masked representation of the number, showing no more than the first six (bank routing) and/or last four (customer unique) numbers. In most cases the receipt should show only the last four.
  • The expiration date must not show on the receipt
  • NONE of the "stripe data" or verification data from the card can appear anywhere in your systems, backups, or ANYWHERE in your company at all.

    Perhaps the single most important thing you understand about PCI is that it's an effort to secure the processing of all credit card data, regardless of whether or how your PROCESS, STORE or TRANSMIT the data. It all needs to be secured, and NONE of that data can leak out of your business after the transation, even on a receipt!

    Compliance with PCI is not optional. It's required (well, if you want to continue to accept credit cards... if you don't mind giving up your monthly revenues represented by credit cards and debit cards, then feel free to do so.) But you can't simultaneously ignore it and continue to process cards. You will be fined, rejected from the card system, and/or given an opportunity to pay large sums of money when one of your clients' cards is compromised if you've already been warned about it yet done nothing.

  • Where to go from here:

    Learn more about PCI from your processor, your bank, the PCI Security Standards Council or Google or other sites, and post haste:

      • Step One: Call your bank and speak with someone in the Credit Card Processing department to see how they might help, and/or:
      • Step Two: Get in touch with whoever provided you with the credit card machine which iscurrently non-compliant. Make sure someone knows that you have a machine which needs and IS REQUIRED TO BE UPGRADED. They almost certainly already know. You aren't the only one to be having this problem.
      • If you're looking for a local company to link up with as a Processor/Provider for your credit card services, there's a Salt Lake City, UT based company with offices right here in Eugene called Eliot Management Group. They provider services for Visa, MasterCard, Amex, Discover, Diners, Debit/ACH enrollment and gift card / loyalty card solutions. They can also provide processing equipment, repair, installation and more. Visit them on the web at: http://WWW.E-mg.com for more infor about providing you with some answers about processing services.
      • Step Three: Go back in your files and be sure you destroy (or at a minimum, obliterate card numbers and expiration dates from) all old copies of receipts and data you're holding and be sure you're not storing CVC digits, track data, or other verification codes in paper or digital form
      • Step Four: Make sure all your staff knows how to handle credit card, debit card and receipt data and why
      • You might also want to consider contacting your Attorney and/or CPA and/or Liability Insurance agent to begin planning for what might happen if some of your customers come forth and blame you and your processing methods for having compromised their cards

    Sorry to be the bearer of some perhaps stern tidings here.

    But there's a reason you were asked to come here to hear about your PCI Violation: You need to learn more about PCI , your responsibilities and how it all affects your business, your customers and YOU! You can start by jumping on over to Google and doing some research on Merchant Requirements for PCI... That would be a great place to start.

        Thanks for Visiting and beginning (or furthering) your PCI Education!
            — Jerral and the Audit Elves of PCI.LLX.com

    Still have questions? [an error occurred while processing this directive]

  • Want to learn
    Handwriting Analysis
    by the Numbers?

    Get the book at Amazon

    Order with PayPal

    right here, right now.


    Want to learn
    Handwriting Analysis
    by the Numbers?

    Get the book at Amazon

    Order with PayPal

    right here, right now.