From time to time there is a discussion about PCI Compliance, and many of you accept it as the status quo, thinking that it is necessary and that it will protect you from fraudulent credit cards. I, on the other hand, have always railed against this fee, claiming that it is nothing more than a scam, an excuse for credit card companies to take more of your money. In your eyes, I am just a whining grump, a doom and gloom expert. In my eyes, you are the minions who not only are eager to ask "How far?" when being told to bend over, but are willing to spread your cheeks wide to make it easier to stick it to you. Finally, there are other people who are starting to see it the same way that I do.

Read this:  http://www.wired.com/threatlevel/2012/01/pci-lawsuit/

Briefly, a restaurant, Cisero's, in Park City, Utah was fined $90,000 because the CC companies determined that CC numbers were stolen from their network. The CC companies forced Cisero's to hire one of 6 forensics firms to investigate this claim. They turned up no evidence of any CC information being stolen from Cisero's. This didn't stop US Bank from taking $10,000 out of their account as a down payment on the fine. When Cisero's closed their account, US Bank sued for the remainder of the fine. Cisero's countersued.

1) The CC companies fined Cisero's without any proof that the compromised card info came from their network.

2) They were fined because they stored CC info in an unencrypted form which is against PCI regulations.  This is irrelevant as I will explain in a minute.

3) They had no chance of disputing the charges before they were fined. Nor were they given an explanation as to how the penalty was determined.

4) US Bank took the money out of their account without their knowledge or permission.  It turns out that your merchant services company has a contract with the CC companies making them responsible for any fraudulent charges.  However, if you read your contract with your merchant services, it will say that you are responsible for these same fraudulent charges, making them not responsible to the CC companies.  Your merchant services company has no incentive to comply with any PCI requirement because they aren't going to ultimately be responsible. You, the retail merchant, are.

Consequently, if you take a fraudulent card, or someone steals a credit card number from your CC machine, you are ultimately liable for the amount and any and all fines or penalties. However, that isn't the end of it. It gets way better. For around $8 anyone can buy, on eBay, a little gadget called an RFID reader. The Radio Frequency Identifier has legitimate functions, but one thing it can do is read that little strip that stores your credit card information on your credit card. So, it is possible that someone with one of these devices could sit near your booth and record people's credit cards as you are swiping their cards. It won't matter that you are compliant and that you have taken every precaution to avoid taking a bad card. And you are open to ridiculous and unfair fines with little recourse to fight this.

To be fair, the chance of this happening to you is slim to none. But it's still something to be aware of. You may even want to bring up the issue with your CC provider. And, if any of our merchant service providers happen to read this post, I wish you would post a comment here.


Replies

  • Thanks for posting Barry. 

    I know, I for one, needed that educational little tutorial. Does any of this apply to the square? I have been noticing lately, that fewer peeps are using credit cards- most of my biz has been checks and cash lately, but I still need to learn more about cc processing as it pertains to my biz. 

    • From what I understand, the Square doesn't store the data anywhere. The charge goes right to your account. Therefore, no PCI compliance is necessary. If I am wrong about the reason, someone please correct me. And, I too have noticed more cash transactions and fewer charges. Having said that, on CNBC they mentioned that CC debt was increasing. So who knows?

      • You're right, Barry, Square does not store information. Anyone interested can begin reading about their security protocols here:

        https://help.squareup.com/customer/portal/articles/7763-privacy-and...

        My bank Wellschovia (Wells Fargo/Wachovia) is beginning to really burn my hide because they brought me in to 'review' my accounts. Fine. The woman at my branch was delightful, insightful, and very helpful. She asked if I took credit cards and how; that's when I told her about Square. (I am a huge aficionado of Square; it's such a game changer.) She then asked if I would allow her colleague to review my account to see if their services would be a better match for credit card processing. I granted her permission because I was promised I would receive a $100 stipend for this review. Let's just say that I'm less than impressed with her 'colleague' because we verbally stood toe-to-toe on the PCI issue. Here is her boilerplate response:

        "Data security and privacy issues are top priorities at Wells Fargo Merchant Services. Since Square's card reader does not encrypt the customer's credit card data and stores too much of the customer's information on your phone/iPad's operating system, Wells Fargo does not support these unencrypted card readers. Unencrypted card readers put your customers' information at risk and pose an unnecessary security risk to your business. Since the data resides on your phone/iPad and mobile devices are easier to steal or hack, their vulnerability is even greater. The cost of a typical data security breach costs a small merchant of your size $25,000 - $50,000 for just a single breach!"

        Either she doesn't quite understand Square or is doing her best to instill fear in me and any other misguided customer.

        • The reader is indeed encrypted
        • The reader does not allow me to store customer information
        • Hacking is slim to none because my OS is Mac. Sure, there's always potential, but with Apple products the opportunity is rare.

        So I replied with:

        "The number one reason I agreed to signing up with SquareUp is because they in fact have strong ethics that include PCI-Compliant regulations and extended-validation SSL certifications issued by VeriSign. Additionally, my user agreement includes a strong privacy policy that doesn't allow me to store any of my customers information (credit card, email address, or phone number); they don't even have an opt-in at this point.
        If you'd like to read more about their Secure Data Encryption, you can find it here:
        At this time, I'm holding off on establishing any new accounts."

        Suddenly, my ten-year account has now been flagged and is undergoing an audit.

        ***

        So here's a bit of irony for you still on the fence or for those of you paralyzed by your bank:

        During a show (Piedmont Craftsman) in November, I had a woman attempt to buy something from me. When I whipped out my Square, she promptly informed me that her bank told her that Square simply isn't safe. "Because," she continued, "it's not secure and there have been so many reports of accounts being hacked." Then she proceeded to open her wallet with more credit cards than the eye can count and try to pick one that 'had not been hacked.' Do you know how difficult it was to keep my mouth shut when she picked one and then said, 'Oh wait, this was hacked in August, I need to toss this one. Hmm... (as she picked a second) this one is good. No wait, this was hacked the first of this month. I'd better put that back. Try this one (third). This should be good. If it doesn't go through, I'll give you another.' (Girl Scout's honor, I didn't make this one up!)

        I'm sorry, what were you saying about Square being vulnerable? (No, I didn't)

        I swear all banks have decided to tell their customers that Square is just evil voodoo. They are scared, plain and simple.

        Regarding Customer Email via Square: At this time Square doesn't allow me to keep customers' emails so that I could forward them to my newsletter list. However, they say they are creating an opt-in box at checkout that will be available soon. Yay!


        Does this info help?

        • 1) The Square is only 1 of about 10 different portable phone card readers. Chase has its own, so how unsafe can they be?

          2) The encryption argument is invalid. If I did my research correctly, there are only 2 different encryption codes that are being used at this time. How secure is that? If you watched the video, it's the credit card that is being hacked, not the info or the account holder's device. There are RFID devices that can easily crack the encryption code. This is just another scam to pass on to the merchant because banks aren't willing to deal with the problem themselves.

          3) One of the least secure tools the banks have is the ATM machine. I was told by a banker once that they would never use an outdoor ATM machine because it's all too easy to steal someone's info after they use one of these machines. Banks would be better served to deal with these issues than to go after the smallest of their merchants.

          4) I would never bank with Wells Fargo or any of the big megabanks.  Those bank officers who are picking on you have no concept of the technology behind the devices and are making decisions based on their total ignorance. Also, they aren't making any money these days like they did in the past, so they are desperate to take your money.

          5) Don't be deluded into thinking that because you have a Mac you are safe. The only reason why Windows OS got hacked is because they were always the big kid on the block. Now that Apple is the 2nd largest corporation in the US, or is it the world, look for hackers to start focusing their attention on Apple products.

  • Alison, you have a very good point!


  • This is another reason for not using your personal account for business.  If you have a lot of volume you might even consider two business accounts, one where your credit card receipts go, and a main one.  Any time you let credit cards go directly into your account you are giving them free rein to freeze your account if they have a reason to.

    • Online and computer security experts have been warning against that for years.

  • Thank you for posting that interesting information. I guess it's time to look at driver's licenses along with credit cards when making a sale? My customers in some states do that automatically (I don't remember where).

  • I always felt the PCI fee was just another way for someone to get into my wallet. The banks don't want any exposure to anything that might cost them money, and your post reinforces my opinion.

  • I saw that also.  The reason why you are seeing that ad banner is because the ad company takes key words from a post, or maybe from the tags, and pushes related advertising in that space.


    I forgot how to embed a video, so here is a link:

    Demonstrating an RFID reader stealing your CC info
