Today, President Obama met with top credit card executives regarding protections for cardholders. Small businesses hope that customers can keep paying with plastic, but they also need to consider data safety when accepting payment. In addition to the Payment Card Industry Data Security Standard (PCI DSS), which applies to everyone who accepts credit cards, Minnesota has enacted, and more states are considering, laws making retailers liable to financial institutions for data security failures. Now is a good time to make sure your business is PCI DSS compliant.
The President today called for an end to credit card practices including the abuse of sudden interest rate increases and fee changes. Obama also called for an end to the barrage of fine print and confusing rules in credit card agreements. As Bloomberg reports, he said, "[w]e want clarity and transparency from here on out."
One point on which small businesses should be clear is the need for PCI DSS compliance. If potentially losing the ability to accept card payments isn't enough of a threat, states are increasingly looking to punish merchants who don't comply with good payment data management practices.
PCI DSS is a data security standard created by the Payment Card Industry Security Standards Council, which was founded by the five largest credit card companies. There are twelve requirements to be PCI DSS compliant:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
The PCI Security Standards Council's website offers a wealth of information about compliance, including a document giving detail on each of the twelve requirements. The Council also offers a prioritized approach that can help businesses mitigate the highest risks first on the road to compliance.
The need for PCI DSS compliance is not new, but state laws specifically punishing merchants with loose data management are new. Minnesota enacted a law allowing financial institutions to sue merchants in certain instances where data is stolen from the merchant. In theory, this is to allow for recovery of costs incurred by the financial institution, such as card cancellation, issuance of a new card, etc. Other states, including Texas, Washington, New Jersey and Connecticut are currently considering different variants of similar legislation.
The good news is that Minnesota's law, as well as those looming in other states, largely codifies elements of the PCI standards. This means that ensuring PCI DSS compliance will likely mean safety under the state laws as well.