Anyone who accepts and stores credit card numbers — and that includes small and medium enterprises — must comply with strict new security regulations by December 31 or face hefty fines if that card data is compromised in any way.

The Payment Card Industry (PCI) security standard, created by the major credit card brands, including Visa and MasterCard, forces companies to conform to a strict set of rules or face stiff financial penalties.

The security standard was drawn up in an effort to reduce rampant credit card fraud worldwide by securing computer databases that contain credit card information.

The standard, which is already in force in the US and elsewhere, sets out the technical requirements for the secure storage, processing and transmission of cardholder data. There is an onus on banks to ensure that merchants and payment service providers know about it and comply with the controls.

Companies that aren’t compliant by the deadline and whose credit card databases are then compromised — by a hacker, for example — also risk possible exclusion from card acceptance programmes. That means they might no longer be able to accept credit cards as a means of payment for their goods and services, putting their businesses at risk.

“Everyone who handles a credit card, from the point of sale up, has to comply with the PCI data security standard,” says Riaan Versfeld, MD of information security consultancy One-Sec, which is advising SA banks on the issue.

There are about 130,000 merchants in SA that accept credit cards at the point of sale. All will have to comply with the PCI standard. Larger merchants will have to undergo quarterly compliance tests to ensure that the necessary security controls are in place to safeguard credit card data.

Smaller merchants will need to complete and sign a self-assessment questionnaire in which they certify that they are compliant with the PCI standard.