If your online barter system allows you to view (after entry) the entire unredacted credit card number on file for a member, then the answer is YES!

And this only addresses one of the many liabilities that could put your exchange at risk.
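The exposure described above is a display problem: a member-detail view that renders the stored card number in full. The following added example (not code from the original page or from any barter product) shows a masked rendering that reveals only the last four digits, alongside a small audit helper that scans rendered output for Luhn-valid 13 to 19 digit runs; the member record and the 4111... test number are constructed sample data.

```python
import re

# Constructed sample member record; the PAN is a well-known test number, not a real card.
MEMBER_RECORD = {"member": "Example Trader", "pan": "4111111111111111"}


def luhn_valid(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs (order ids, phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Display form of a stored PAN: every digit except the last four is masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def render_member_view_unmasked(record: dict) -> str:
    """The risky view the text describes: full card number shown after entry."""
    return f"Member: {record['member']}  Card on file: {record['pan']}"


def render_member_view(record: dict) -> str:
    """The corrected view: only the masked form ever reaches the screen."""
    return f"Member: {record['member']}  Card on file: {mask_pan(record['pan'])}"


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_exposed_pans(text: str) -> list:
    """Audit helper: return Luhn-valid card-number-shaped runs found in rendered output."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found
```

Running `find_exposed_pans` over each rendered member page (or over stored exports) is a cheap way to confirm that no view still leaks a full number.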
You can be fined from $10,000 to $100,000 PER MONTH by the credit card companies AND possibly sued by the issuing financial institution. Recent changes to PCI place very limited liability with the barter software vendor; rather, the merchant collecting the funds and entering/maintaining the customer data is held fully liable. You, as a Barter Exchange, are that merchant! And since the Exchanges are held fully liable, the barter software vendor doesn't bother informing you that their system is putting your exchange at risk. Their view? They either lack the experience in both barter and SaaS design and development, or they see it as YOUR problem, not theirs, and "what you don't know won't hurt you"!
eValues and Teletrade Intl. have expended significant time and resources to be certified 100% compliant in order to ensure our affiliates' safety and drastically reduce (if not eliminate) their liability. We are also undergoing the long, arduous and very expensive process of becoming PCI certified (different from being certified compliant; it basically means the credit card companies would "trust you with their children").
A standard of care has arisen in the credit card industry: the Payment Card Industry Data Security Standard, commonly referred to as "PCI DSS," and it has a significant impact on the liability of merchants who use credit card transactions.
As described by the Payment Card Industry Security Standards Council, PCI DSS is
a set of comprehensive requirements for enhancing payment account data security.
It was developed by the founding payment brands of the PCI Security Standards
Council, including American Express, Discover Financial Services, JCB
International, MasterCard Worldwide and Visa Inc. International, to help
facilitate the broad adoption of consistent data security measures on a global
basis. The PCI DSS includes requirements for security management,
policies, procedures, network architecture, software design and other critical
protective measures. This comprehensive standard is intended to help
organizations proactively protect customer account data.
The impact of PCI DSS is not only greater protection for customer data; it has also become a de facto standard of care, which can result in unforeseen liability for a merchant whose data is compromised.
First, a merchant that does not fully comply with PCI DSS (and compliance is difficult and expensive) could find itself subject to a claim of negligence: a plaintiff could argue that under PCI DSS a merchant has the obligation to protect customer data, and that failure to comply with PCI DSS breached the care ordinarily required of merchants. This claim was brought by a number of banks that sued TJX for the costs to reissue credit cards in the wake of the massive security fraud referred to above, resulting in a $65 million settlement with the banks, apart from legal fees and other costs.
Beyond this, a number of states are proposing or have adopted statutes which would give banks the right to reimbursement from a merchant for costs incurred in responding to a security breach. Some of these proposals go so far as to incorporate PCI DSS as the security standard in the bills. As a result, states have transformed PCI DSS from a piece of evidence in a claim of negligence to the legal standard by which negligence is measured.
Finally, as noted above, PCI DSS compliance presents a challenge to merchants. The standard is long and detailed, and even merchants with significant security infrastructures may be unable to comply with each and every facet of the standards.

But as an eValues affiliate exchange, you have much less to worry about!