Several credit card payment processors have stepped up initiatives to force small businesses to comply with security standards.
This outreach includes a requirement that companies complete a credit card data security self-assessment questionnaire (SAQ) or face a monthly fee.
But as many in the pool and spa industry recently have discovered, the forms are rigorous, time-consuming and confusing.
“It had questions that were so ridiculous an average person couldn’t answer them,” said Adam Jones, sales manager of Backyard Oasis in Livingston, Texas. “I imagine it would be over the heads of most small-business owners. It was very technical and intimidating.”
The SAQ was created by the Payment Card Industry Security Standards Council, a group launched in 2006 that is responsible for the development, management, education and awareness of the PCI Security Standards. It is made up of the five leading credit card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
There are five versions of the SAQ to meet various business scenarios. For example, a company that processes credit card transactions using a PIN pad terminal is required to fill out a different form than a merchant who uses a point-of-sale system that electronically stores encrypted credit card numbers for its clients. A business operator will be directed to fill out a particular survey based on a few preliminary questions.
In 2008, PCI SSC established 12 standards to inhibit credit card fraud. They range from common-sense measures, such as not writing down a credit card number and storing it in an unsecured area, to more stringent rules regarding networks and firewalls, said David Mannella, executive director of product development at Sterling Payment Technologies in Tampa, Fla.
In fact, having a secure network and a firewall password that is not the factory default is perhaps the weakest area for most businesses, according to Mannella, who said it is common for companies to leave the default password on their firewalls, which makes them easy for hackers to bypass.
Kelly Reed experienced this firsthand when she attempted to answer the complex questions of the 35-page SAQ-D form after receiving a letter regarding compliance in July.
Within minutes, it became clear to the operations manager of Contemporary Watercrafters in Gaithersburg, Md., that she would need assistance to address issues regarding her company’s network.
“I knew our software was PCI-compliant, so I figured I needed to jump online, answer a few questions and be on my way, but when it asked if I in any way store credit card information electronically and I answered ‘yes,’ I was forced to fill out SAQ-D, which had a bunch of components that I did not understand,” she said.
Reed, who considers herself fairly well educated in technology, now is in the process of working with an IT expert to fill out the form and determine what adjustments need to be made to her network.
“I thought my network was safe, and apparently there is much more to it and we’re still trying to figure that out,” she added.
Though merchants are contractually obligated to secure credit card data, businesses often change their operations in ways that affect compliance. This is common in the pool and spa industry, where more and more firms are switching to POS systems, as well as using handheld smart devices to process payments. The SAQs are designed to evaluate these scenarios so that business operators maintain secure transactions.
That was the case for Jones, who received the letter in the spring after switching to a new acquiring bank. After a failed attempt at answering the questionnaire on his own, he also sought an IT expert with experience in credit card security. Today his business is compliant, but it wasn’t an easy transition.
“It was a bit of a nightmare,” he recalled. “It cost us some money, and there was a lot of back and forth between the IT company and our [software company], but it feels good now that we are done.”
If a company is breached, it is responsible for large fines that could be detrimental to a business, said Mannella, who recommends having a third-party security vendor scan a system and verify compliance on a quarterly basis.
“The fines are substantial, and a company can be put out of business,” he said. “Although there is no safe harbor, make your best attempt to become PCI-compliant and follow best practices because if you ignore this, it will be harder to defend yourself [in court].”