Archive for November 1st, 2009

PCI compliance, not just a problem for big business anymore.

November 1st, 2009

Any organization that hasn't heard of PCI compliance needs to become aware of it now. A lack of understanding could cost you your business, literally.

The PCI compliance specifications and guidelines outline a well-crafted suite of recommendations and requirements for operating the infrastructure around your cardholder environment. Even if PCI weren't a requirement, implementing these technologies and guidelines would form a good basis for safe enterprise computing at any company.

Merchant911.org shares some notes on recent mandates by Visa and crew:

It doesn’t get any simpler than this, dear reader. By October 2010 any merchant that is not PCI compliant will be de-certified and must stop accepting cards.

I told you it was coming and now, according to an article in ecommerceguide.com it’s here. Starting next month there will be a year-long effort by processors to de-certify (essentially close down) any Level 4 merchants that are not PCI compliant. Level 4 Merchants are defined as those with fewer than 20,000 Visa transactions, and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category.

This will have far-reaching effects on a significant portion of on-line business as we know it. Any on-line store that processes cards on their own site will feel a major impact. For example, if you have an online store with on-site processing that is hosted in an inexpensive shared or “virtual” hosting environment you will not be able to pass PCI standards.

And I would remind you that ALL merchants who accept credit cards must be PCI compliant. It doesn’t matter if you do business on-line, by phone or mail, or in person. The steps you need to take towards compliance are different but if you accept credit cards you must be compliant. I’ll say that again. If you accept credit cards you must be PCI compliant. And you will be compliant by October of 2010 or you will no longer be able to accept credit cards as a form of payment. It’s not an option.

I can’t make it any plainer than that. As a merchant, it’s PCI compliance or die. As a merchant advocate I have mixed feelings on this. I’d venture to say that most Merchant911.org members know how to protect themselves from fraudulent transactions but that doesn’t mean that they shouldn’t protect their customers and other merchants from being victims. On the other hand, the concept of a huge volume of paperwork and quarterly scans at $99 a year is going to put a significant number of small merchants out of business. That’s sad.

Source: http://www.merchant911.org/blog/index.php/2009/09/02/pci-compliance-do-it-or-cease-doing-business/
More information on PCI compliance can be found at: https://www.pcisecuritystandards.org/


Take heed as your business is now required to watch for warning signs of identity theft.

November 1st, 2009

Accountingweb has a great posting on some recent updates to FACTA that you should be aware of:

Business owners take heed. A November 1 update to FACTA (the Fair and Accurate Credit Transactions Act of 2003) requires businesses to implement a written policy that monitors the business for “Red Flag” warning signs for identity theft. The policy must also specify how the business will respond to the crime if discovered.

The Red Flag rules have been on the books for years, and lawyers, health care practices, and small business owners have been fighting the changes to the law. In fact, the new deadline is only the latest deadline for the rule that was first introduced in April 2008. The initial deadline was set for November 1st, 2008 and subsequently moved to April 1st, 2009 and then finally November 1st, 2009.

The Red Flag Rule covers “financial institutions” and “creditors.” It is this second group that almost every business falls into. Any business that doesn’t collect payment in full at time of service is considered a “creditor.” This includes doctors, lawyers, accountants, designers, phone companies, or anyone else who offers payment terms.

“Most businesses understand that they need to protect information through security and paper shredding programs,” says Steven Hastert, president of Shred Nations, an expert in identity protection issues. “But even though this new law has been posted for more than a year, few businesses are aware of the scope of these changes.”

The American Bar Association (ABA) and American Medical Association (AMA) have been vocal critics about being covered by the rule. They have a last-ditch effort with H.R. 3763 to prevent being covered. The bill passed the House on October 26th and is headed for the Senate. This proposed legislation exempts businesses under 20 employees from the changes.

The Red Flag Rule requires businesses to install four components:

1) Reasonable policies and procedures must be in place to identify suspicious patterns or practices in day-to-day operations. This activity indicates possible identity theft.

2) The program should also detect identified red flags for the business. For example, obvious fake identification.

3) The program should have procedures to take when a red flag is identified.

4) There must also be a system in place to re-evaluate the program as threats change.

These new requirements are just part of a good information security program. Hastert reminds businesses to remember the basic steps they need to take. These include locking file cabinets, not giving information over the phone and shredding everything with personal information on it.

Source: http://www.accountingweb.com/topic/cfo/businesses-now-required-monitor-warning-signs-identity-theft