Archive for April, 2008

Merchant Services Letter/PCI DSS Compliance

Thursday, April 3rd, 2008

Published by: Anne T. Coley, Compliance and Audit Group

I received a letter today from Bank of America Merchant Services informing me that my company MUST be PCI DSS compliant. HMMMM… If you accept credit cards you have probably received a similar letter from your Merchant Provider. If so, I wonder if you understand your letter any better than I understand mine. They also sent me a replacement Merchant Agreement which “clarifies your responsibility to comply with the PCI DSS; related Card Organization compliance requirements; and your liability for failure to comply”. Okay, that last part got my attention. I am the office manager of an information assurance company, but I am not a security expert myself. The letter directed me to several websites for more information on PCI compliance. Okay, I understand that PCI stands for Payment Card Industry and DSS stands for Data Security Standard. In order to find out what our responsibilities/liabilities are, I must first ascertain what merchant level our company falls under - so far, so good. So now I find out that we must complete a yearly Self-Assessment Questionnaire (SAQ) and a Quarterly Network Scan – I’m going to need help. Thank goodness I have in-house experts to handle this issue.