IPCPR & Compliance:
How to Avoid Problems with PCI Compliance & MOTO Sales
Are you PCI compliant? Have you visited "pcisecuritystandards.org"?
PCI compliance is required for any company that accepts credit cards. To reduce credit card fraud, the PCI Data Security Standards were formed by the five major card brands. Compliance includes, but is not limited to: not storing card numbers, not printing full card numbers, including a return policy page on your website, filling out an annual Self-Assessment Questionnaire, and completing quarterly vulnerability scans by an Approved Security Vendor (ASV) if you process over the internet through any device or system that is not a Level 1 PCI compliant gateway.
It does not matter who you are, what you sell or how many transactions you process. If you handle credit card information, you must be PCI compliant. If you are not compliant and you experience a breach, the minimum fine is $25,000. Your credit card processing company will also fine you monthly if you have not validated your annual PCI compliance.
Tobacco Shipping Compliance:
Retailers: have you ever shipped a box of cigars to an old customer after he called? Maybe a few ounces of pipe tobacco?
Vendors: do you accept credit cards from your retailers? Do you ship cigars and/or pipe tobacco on those credit card sales?
All mail order and/or telephone order sales (MOTO), including orders processed by manufacturers/distributors for their retailers, are subject to different rules than face-to-face swiped sales. If a MasterCard was used as the payment card, you are subject to a $10,000 fine if you are not compliant with MasterCard's rules. For 10 years or so, MasterCard has required that all non-face-to-face transactions of tobacco products be executed by compliant companies. Compliant companies must register their tobacco merchants under a special code with MasterCard. The specifics can be found at:
MasterCard Security Rules and Procedures
Specifically, you will want to look at Section 9.4.3 of the above MasterCard Security Rules and Procedures document. Your card provider may or may not have told you about it. If they catch you, MasterCard will fine your provider. The initial fine is $10,000.00. Your provider will pass the fine on to you and withhold your funds, possibly another $10,000 or more. They can do it. Your provider may then place you on the industry black list, also known as the "Match List". This makes it virtually impossible to get any provider to take your credit card business. Imagine not being able to accept credit cards.
Compliance with MasterCard regulations for tobacco sales includes:
1) $500 annual registration fee
2) Annual review by an independent attorney to verify that your company conforms to local, state, and national tobacco laws and to current credit card industry standards for PCI compliance
You may say: "I'm small - this doesn't affect me." If that is the case, verify that you are PCI compliant and then consider not taking MasterCard for MOTO tobacco sales. Although not taking MasterCard will ease things a bit, it is important to note that Visa has its Global Brand Protection Program (GBPP), which essentially will also work to shut down any non-compliant MOTO tobacco accounts.
Do not ignore this issue, as the number of fined companies is on the rise. If you have a volume of MasterCard MOTO tobacco business, then it is time to become MasterCard compliant. Many providers are not aware of this exposure, or choose not to inform their customers. You need to protect your business. These rules are part of your existing contract with your provider. Whether or not you were told, you are bound to comply. Your exposure to these fines is real. If you sell tobacco, your exposure is doubled. The IPCPR has had industry expert Paul Krassen speak on these subjects in depth at the 2013 & 2014 IPCPR conventions. If you have any specific questions, you may reach out to him directly at 888.583.5553 or firstname.lastname@example.org.