You’ve Got to Know

There is a commercial for an insurance company making the rounds currently. One of the characters in the commercial makes the statement that playing poker with Kenny Rogers gets old pretty quickly. The commercial then cuts to a scene with four or five guys sitting around a table playing cards. One of the guys is Kenny Rogers and he’s singing, “You’ve got to know when to hold them. . .”

Sometimes that’s the way we feel when we bring up these PCI certification issues. I can almost see the eyes rolling and the voices sounding. “Yeah, yeah you told us already. Move on.”

Did you know that you are not only responsible for your compliance to industry standards so that you can show that you were PCI compliant should you ever get hacked, but you must also be sure that any third party provider is also PCI compliant. If they are not compliant, you are not compliant. This means that you are liable to fines and penalties even though it wasn’t your fault. Bummer, huh?

Recently, a generic MEMO was posted by the Retail Solutions Providers Association. Here, in part is what it contains.

Credit card information security is the responsibility of the merchant who accepts the credit card as payment for goods or services rendered and each entity that merchant utilizes in the payment process. In the event credit card information is compromised, the person who has their information taken only knows that they are a victim. Whether or not the actual theft happened at a third party service provider or at the primary merchant’s location is irrelevant. In the end, credit card information was stolen and the patron’s trust was violated. To help protect the sanctity of credit card processing, the PCI Security Council has specific requirements pertaining to the use of third party service providers.

It is critical to understand the security measures that have been put in place to protect the sensitive data of your customers. It is imperative to obtain information about how every one of your service providers is managing that data. Communication between you and your service providers is critical. There are several ways to obtain the necessary data, but ultimately, your service provider will need to be willing to participate and cooperate, or your compliance efforts may be significantly hampered.