More and more merchants are being charged unnecessary Payment Card Industry (PCI) Data Security Standard (DSS) fees and fines. These fees can range from a fixed monthly amount of £2.40 to £10. If you are unfortunate enough not to be PCI DSS compliant, you could end up paying an extra percentage on top of your transaction fee, or anything up to £100 per month (believe me, I’ve seen this).
What do these fees get you, the merchant? Absolutely nothing!
A well-known national processing company charges businesses £4.99 per month for PCI compliance fees, but said the merchant would receive up to £50,000 in insurance should there be a PCI breach on their system. The fine print, however, required the merchant to complete the Self Assessment Questionnaire (SAQ) and have a successful network scan completed on their system. A network scan tests your system end to end. Let me explain.
PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. This includes your server on the internet, if applicable. Let’s say you have a business. It could be bricks and mortar, an online business where you sell products and services, or a combination of both. From your home, you access the database where your payment processing records are kept because you want to find out how much money you made on a given day. Since you are accessing the database from home and signing in with your credentials, it is not only the business or Internet server that needs to be scanned; your home IP address does too.
Many people think their internet address is 192.168.xxx.xxx. It is not. That is a private subnet used behind the router you purchased. For any of us to access the internet, we must have a unique, public IP address, and that public address is the one an external scan can see.
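To make the private-versus-public distinction concrete, here is a small Python script (added here as an illustration; it is not from the original article or any PCI tool) that sorts a merchant's list of addresses into the ones an Internet-facing scan can actually reach and the ones that are only meaningful behind the router. The three RFC 1918 ranges are the private blocks; the sample addresses are constructed, and 203.0.113.0/24 is a documentation range standing in for real public addresses.

```python
import ipaddress

# RFC 1918 private ranges: addresses here are never routed on the Internet,
# so they cannot be the target of an external PCI vulnerability scan.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(addr_text):
    """Return 'private', 'loopback', 'link-local' or 'public' for an IPv4 address."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    if any(addr in net for net in RFC1918):
        return "private"
    if addr.is_loopback:        # 127.0.0.0/8, the machine talking to itself
        return "loopback"
    if addr.is_link_local:      # 169.254.0.0/16, self-assigned when DHCP fails
        return "link-local"
    return "public"


def external_scan_scope(addrs):
    """Keep only the unique addresses an Internet-facing scan can reach, in numeric order."""
    public = {a for a in addrs if classify(a) == "public"}
    return sorted(public, key=ipaddress.ip_address)


# Constructed sample: what a small merchant might list when asked for
# "all the IP addresses you use". Only the last two are in scope for the scan.
SAMPLE_ADDRESSES = [
    "192.168.1.10",    # till PC behind the shop router
    "10.0.0.5",        # office server on the LAN
    "127.0.0.1",       # loopback on any machine
    "203.0.113.7",     # WAN side of the shop router (documentation range, stands in for a public IP)
    "203.0.113.40",    # hosted web server (documentation range, stands in for a public IP)
    "203.0.113.7",     # the router listed twice by mistake
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:>15}  {classify(a)}")
    print("in scope for external scan:", external_scan_scope(SAMPLE_ADDRESSES))
```

Run it and the two 192.168/10 addresses drop out of scope while the router's public side and the hosted server remain. Your home connection would add one more public address to that list, which is the point the paragraph above makes.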
Another myth many people believe is that when they log into a website it is secure because the password is masked with asterisks. Not true. The masking is purely visual: your password is passed without encryption, in the clear. Unless there is a secure hypertext transfer protocol (https:) AND the secure socket layer certificate is provided by a reputable company, your user name and password could be compromised. When you go to your bank’s website or a well-known, reputable provider like Amazon, you will notice a lock on your browser. Double-click the lock and click View Certificate. In Amazon’s case, it uses Verisign. Verisign, Comodo and many others have strong reputations in securing websites.
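The first half of that test, whether a login form actually submits over https, can be checked mechanically. The Python below is an added example, not code from the original article: it parses a page's HTML with the standard-library parser, finds every form containing a password field, resolves where each one submits to, and reports the ones that would send the password over plain http. The page URL and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on a page together with whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []         # list of {"action": absolute URL, "password": bool}
        self._current = None    # the form we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "form":
            # A missing or empty action means the form posts back to the page itself.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "password": False}
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the submit URLs of password forms that would send credentials in the clear."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [f["action"] for f in scanner.forms
            if f["password"] and urlsplit(f["action"]).scheme.lower() != "https"]


# Constructed sample page served over plain http. Four forms: a relative-action
# login, a login posting to an https host, a search box, and a PIN form with no action.
SAMPLE_PAGE_URL = "http://shop.example/account"
SAMPLE_HTML = """
<html><body>
  <form action="/do-login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
  <form action="https://secure.example/login" method="post">
    <input type="text" name="user">
    <input type="PASSWORD" name="pass">
  </form>
  <form action="/search">
    <input type="text" name="q">
  </form>
  <form method="post">
    <input type="password" name="pin">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password sent in the clear to:", url)
```

On the sample it flags the relative-action login and the PIN form, because both resolve to http URLs, and passes the form that posts to the https host. It deliberately checks only the transport scheme; the second half of the paragraph's test, who issued the certificate, is what the browser's View Certificate dialog shows and is not something this script can judge offline.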
As you can see, logging in from your home to another location requires security. At your business, your credit card processing software or equipment must be separate from the rest of your network. If it is not, you stand to have your data compromised. What’s the cost of a compromise? You could receive fines of £25,000 per occurrence. You can also be charged a reissuing fee by the banks that issued the compromised consumer debit/credit cards. Your company’s reputation would also be severely damaged.