With the advent of email and the Internet, the world of personal finance has taken a turn for the dramatic. In prior eras, following the Depression and the establishment of the Federal Deposit Insurance Corporation (FDIC), your money was yours, was kept in a bank and was safe from anything short of robbery coupled with governmental collapse. Now banks and their customers are beset on all sides by both active and passive security threats. Whether in the form of adolescent hackers, email scammers or merely a company's lax approach to IT security, the risks facing consumers and companies today are considerably greater than they were even a decade ago, and a level of suspicion, as well as a judicious approach to spending, has become a necessity for sound financial management and planning.
But despite the increase in threats, the speed with which both consumer and B2B business is conducted shows no sign of slowing. Consumers continue to rely on credit cards, and business vendors, despite the sometimes considerable, albeit manageable, interchange fees, continue to move toward accepting credit cards as a means of quick, assured payment. This being the case, the world of business and finance has had to come to terms with the seedy world of fraud, hacking and identity theft and find a way to better protect customer data and identifiable information.
Credit cards are the primary source of the data used and abused in breaches and hacks, and as online transactions have increased, that data has become a bit easier to obtain. Just a few years ago, as threats increased in frequency, notoriety and sophistication, regulations and measures were discussed and pored over in board rooms as much as living rooms, culminating in an agreement between all card brands to institute a set of standards to protect cardholder information. The result, established on September 7, 2006, was the Payment Card Industry Data Security Standard (PCI-DSS), a set of 12 standards that applies to all organizations, systems, networks and applications that process, store or transmit a cardholder number. This move, made with the blessing of Capitol Hill, requires companies that accept credit cards to never store any cardholder data beyond the name, number, expiration date and service code. Nothing has to be signed on the part of the merchant; if a company agrees to accept payment cards, it's implied that it will comply with these rules.
Compliance
Twelve more standards atop the already considerable compliance requirements levied on businesses seem like an overwhelming prospect for companies merely looking to accept other payment cards as a means to reduce days sales outstanding (DSO) and increase payment cycles, but PCI-DSS compliance shouldn't deter merchants from making the switch to credit card acceptance. "Nothing here is so major that we can't overcome it," said Robert Day, vice president of commercial interchange at Fifth Third Processing Solutions. "It's a very serious matter and you do need to be alarmed, but at the end of the day, it's pretty simple stuff." In a recent NACM-sponsored teleconference, Day outlined what's expected of card-accepting merchants and reiterated the seriousness of compliance, but still reassured his audience that all compliance requires is a carefully considered approach that's appropriate for the accepting company in question.
Credit professionals and companies should understand the 12 PCI-DSS standards and base a compliance plan around those basic tenets. They are: