PCI Compliance for Everyone
If your business handles credit card payments, you need to be concerned about the rules for safeguarding sensitive cardholder data. I was reminded of this the other day when a charge for $9.95 showed up on my debit card from a website I've never visited. Since 2007 any business that accepts credit card payments--this probably means you--has been subject to the Payment Card Industry Data Security Standard (PCI DSS). If you're a large merchant processing more than six million card transactions a year, you have to bring in an outside assessor to audit your controls every year. If you're smaller than that, you can validate your own compliance by means of the Self-Assessment Questionnaire, or SAQ. The SAQ comes in several flavors (four when this was written; more have been added since), depending upon how you take credit card payments.
If your website sells things but hands customers off to PayPal (or another hosted payment page) for the actual payment, so that card numbers never touch your servers, you get the easy version (A). If your own site collects card numbers, you have to do the longest version (D). What's the difference? Version A has about a dozen controls you have to have in place; Version D has around 225. Why do you need to fill this out and keep it on file? Because if you're ever investigated by your merchant bank for mishandling card data, you could be subject to a $50,000 penalty. If you have a completed SAQ on file, and the controls it attests to were actually in place at the time, you can claim 'safe harbor' and aren't penalized. Note the 'actually in place' part: the questionnaire is an attestation, not a checkbox exercise, and a completed form that doesn't match reality won't protect you.
A little work now can head off a lot of grief in the future. We'll be contacting all our clients who do any online selling, even via PayPal, in the near future to make sure you're covered.