Onus for Being PCI Compliant Rests With Retailer


To those bookstore owners who do not fully comprehend the extent of their liability under the Payment Card Industry (PCI) Data Security Standard, be warned that what you don't know can hurt you – and can be very costly.

Recently, a small, Midwestern bookstore was hacked by an overseas organization that stole the store's credit card information, including the track data encoded on the magnetic stripe on the back of the cards. In the end, the card issuer determined that the store was not PCI compliant and required the bookstore owner to hire a third-party vendor to conduct a forensic audit to establish how the breach occurred. The third-party audit cost $16,000, and the bookstore owner also faces the prospect of paying a fine. All told, an expensive mistake.

These days, data breaches are not happening only to large chain stores that process thousands of credit card transactions a day. The nefarious outfits that break into remote computers to steal card information have become more sophisticated and now target stores of all sizes, even small, Midwestern bookstores.

With that in mind, it is imperative that bookstore owners ensure that their stores are PCI compliant and that they are fully aware of the extent of their liability. Knowing exactly what compliance requires is crucial, not just to prevent a data breach and a costly fine, but also to avoid paying outside vendors for software and services that are not actually needed to qualify as PCI compliant.

Booksellers are encouraged to discuss PCI compliance with their POS vendor to make sure that they are doing everything the vendor requires to be compliant. In addition, booksellers should become familiar with Visa USA's Cardholder Information Security Program, which has information on the requirements for PCI compliance.

Bookselling This Week also reported on data security in previous issues: