*******

    If you take credit cards you need to have a Red Flag policy.  You can get a Red Flag Policy by calling my office, ask for Eileen: 516 747 6700 ext 312.  Cost is $125.00.  For more on Red Flag regulations see http://www.kirschenbaumesq.com/earticle262.htm

    In an effort to gain some advantage for the alarm industry I have offered PCI Professionals the opportunity to reach out to the alarm industry through this forum.  So far I've heard only positive things.  If you take credit cards or want to start, give them a call.  [and no I don't get anything out of it].  I asked Tom Aronica to answer some of the technical questions regarding credit cards.  His remarks are below together with a few other comments.


******

QUESTION:

*******

Ken,

    We use SedonaOffice for our software and while at the User conference in January, they were telling us how we can’t store Credit card information anymore unless we go through the rigorous process of compliancy. Thankfully they have a good solution to this for the automatic billing process. However, over the last 5-7 years, we have scanned our customer documents and quite a few of them contain credit card numbers. I’m concerned about getting them all out of the database and if we even have to. Can you shed some light on this?

    I also see this as being a big issue for companies who have the credit card payment information directly on the contract. You obviously can’t destroy the contracts to get rid of the payment information. My understanding is, we can’t even keep paper copies of the credit card information.

    I’m also a bit confused on who has to go through compliancy and the best way to do it. I know I get emails offering to do our compliancy but it’s quite expensive. What do we have to do if we don’t store any of that information? A shorter compliancy process?

Donnetta Byrd

Security One, Inc.

*******

Answer:

****

Ken –

    I have been receiving a lot of questions regarding the new Red Flag Rules as they pertain to credit card processing and wanted to provide the following information.  As of July of this year, all entities that transmit, process or store payment card data must be compliant with PCI DSS.  The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.  Failure to meet them may result in fines or permanent expulsion from card acceptance programs.

    Since this has become a growing concern, I have placed links for the PCI DSS Self-Assessment Questionnaire (SAQ) on our website along with instructions on how to complete it.  This is the quickest and easiest way to assess your compliancy status without having to pay a third party to perform the service.  Click here to download the SAQ.

    Also, as an added benefit of the Special Security Industry Pricing (SSIP) Program we have designed for your subscribers, all active merchants are provided Free PCI Compliance services from ScanAlert, the world’s leading web site security certification company. A $319.00 value, this service helps you quickly and easily meet the security requirements of Visa® and MasterCard®.

    The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

    Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

    At PCI Professionals, we have designed a low-cost package specifically for alarm companies which is 100% compliant with the new security standards at a fraction of the cost. Our rates are fixed at 0.25% for the entire time you are actively processing with PCI Professionals with no long-term contracts, termination fees, hidden fees, or surcharges.  Our pricing is completely transparent and designed specifically to meet the needs of your industry.  We would be happy to provide additional information, compliance and fee auditing, and even a free consultation with absolutely no cost or obligation.  The PCI headquarters can be reached at 800-617-9980 or simply follow this link to submit an inquiry to one of our Account Managers.

Best Regards,

Tom Aronica

PCI Professionals

taronica@pciprofessionals.com

www.pciprofessionals.com

************

Question:

*********

Please provide more detailed explanation of fees associated with each charge. If we charged $100.00, what fees would be incurred? And what portion of those charges goes to offset monthly account fees, if any?

********

Answer:

****

Ken –

When all is said and done, your rate depends on three factors:

1. The Banks & Interchange (the non-negotiable base rate that banks charge merchants to use their cards)

2. The Associations (the non-negotiable fees imposed by MasterCard, Visa, Amex and Discover to use their networks)

3. The Processor (PCI Professionals).

    As part of the Special Security Industry Pricing (SSIP) Program we have created for Mr. Kirschenbaum, PCI Professionals will pass down #1 and #2 directly to you - no hidden fees, no surcharges; our (non-negotiable) cost is your cost.

    As far as processing fees (#3), all SSIP merchants will receive the benefit of fixed pricing at 0.25% of the gross sales volume, $0.15 to authorize the communication to the networks, and a $10 account-on-file fee (includes statements, postage, 24/7 Customer Support and Terminal Support, Unlimited Help Desk Calls). There are no termination fees, no annual fees, no monthly minimum requirements, no transaction charges and no batch fees.

    We would be happy to provide additional information, compliance and fee auditing, and even a free consultation with absolutely no cost or obligation.  The PCI headquarters can be reached at 800-617-9980 or simply follow this link to submit an inquiry to one of our Account Managers.

Thomas Aronica

President, PCI Professionals

taronica@pciprofessionals.com

www.pciprofessionals.com

********

Another Question:

****

    The question I ask is: is a "convenience fee" when a customer pays online with a credit card legal, or not, or something else?

Bruce Boyer

*******

Answer:


    In a previous article I wrote how surcharging customers who use credit cards as a form of payment is illegal and against Visa and MasterCard regulations.  While that is true and there are many rules which prohibit this, there is a very grey area as it pertains to a “convenience fee”.

    In order to legally charge a “convenience fee” it needs to be approved by Visa and MasterCard.  Amongst the rules and qualification guidelines are that you must be able to truly show a convenience for the customer and the fee must be charged for all types of transactions, not just credit card.  Needless to say there are very few businesses which actually qualify in the eyes of the Associations.

Thomas Aronica

President, PCI Professionals

taronica@pciprofessionals.com

www.pciprofessionals.com

********

Question:

*******

    Ken,

    Thanks for the newsletters.  Am starting in the PERS business and had an installation yesterday.  Contract was signed at that time, but our state has a requirement for new contracts that you can void them in a week.  We received an activation fee and payment for one year of service. The elderly lady decided that she did not want the system, had over 40 medical alert calls to the monitoring company and forcibly removed the equipment from the power line which was screwed to the back of the monitor.  When we arrived at 9:30 pm, the panel was in her living room and her phone had been re-connected.

    My question is this: I know I must return all monitoring fees.  Are my activation/installation fees subject to refund as well?  The signed contract only listed the monitoring fees.  Our invoice included, on a separate line, the installation fee but it did not say it was non-refundable.  I’d like to avoid these kinds of situations in the future.

    Could you give me a recommendation?

Thanks

Russ R

********

Answer:

*****

    You have to return all money.  All states have a cancellation period, usually 7 days for PERS.  Full refund is required.

****