Credit Card Authorizations

Greg Miller spoke at a recent web standards meeting. Funny guy, which you wouldn't expect from the Manager of PCI DSS Compliance. I guess you need a sense of humor to marry the vast accounting network at the University with the willfully misleading banking industry while abiding heaps of regulations and consumer protections.

What I Learned and I Hope I Got This Right

  • DSS = Data security Standards.
  • PCI = a counsel consisting of VISA, MC, AmEX and Discover who set policy for credit card authorizations. The counsel owns the credit card number and the associated data regardless of the issuing institution.
  • Wells Fargo Merchant Services is the University's Merchant Bank with whom we have an entitlement account.

We must be PCI compliant always always always or we can be hung out to dry. A single breech or incident, no matter how minor, must be reported by law. Law also dictates the consequences and remedies. You must hire an independent Quality Security Assessor. You must notify card holders. You must track down the 20% of card holders who may have moved. You must pay two years of credit monitoring. IOW, it adds up fast!

My Take-Aways

  • I will not touch a credit card or someone's credit card info.
  • I will use Authorize.net for online credit card transactions.
  • I will not use Pay Pal or this funky Square Up thingy.
  • I understand that EFTs are bad because transactions don't come with data indicating what UofM account the funds should be deposited into.
  • For event registrations I will use RegOnline or CCE who are entitled to their cut and may not meet every last need I have.
  • I will trust that the University responds to trends and consumer expectations but has to balance risk and regulations.