Cost to become DSS compliant for level 4 merchant?
Mike Ramirez
05-31-2007, 03:30 PM
All,
I am trying to help my business become compliant (small merchant), and have no idea how much this is going to cost. I am guessing I will need some new hardware and consultant time. Has anyone gone through this? If so, how much did it cost? I hope it isn't too difficult!
Thanks,
Mike
mdahn
05-31-2007, 04:27 PM
I wish I had a better answer for you, but it really depends on the size and complexity of your company. If you have only one office and one connection to the Internet it may be simple, but if you have 10-50+ retail locations then it would be more complex.
I would start by reviewing the Self-Assessment Questionnaire on the PCI SSC website and trying to get a ballpark figure of how much work you will need to do.
We are here to help, but as with many things "it depends". You could have only to install a firewall and write some policies or you could have to do much more work.
In either regard, I would contact your processor/acquirer/ISO/gateway (whoever you send your transactions to) and ask them for guidance. Also, ask them what they expect from you to "validate" you are compliant.
Mike Ramirez
05-31-2007, 04:43 PM
Thanks so much! I only have one location. What do you think the ballpark cost would be? I was hoping not more than a few thousand. I just really have no idea at all, and the other merchants I have spoken with haven't even bothered to try to comply yet!
mdahn
05-31-2007, 10:52 PM
If you have one location and use an integrated point of sale system, then your highest risk lies in your (1) Internet connectivity and remote access, and (2) the type/version of your POS.
If you are estimating a few thousand dollars I would say that is right, assuming you have no internal IT staff. If you have an IT person already and a firewall, then I can imagine your compliance costs would be very low and less than you expect.
The key point you need to take into account is if your POS system stores track data or unencrypted credit card data. Check out the list of validated payment applications (http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html) and see if yours is on there.
Also, stay up to date on the Visa alerts and bulletins (http://usa.visa.com/merchants/risk_management/cisp_alerts.html).
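Added example, not part of the original thread: a small Python check a merchant's IT person could run over exported POS logs to see whether full track data or unmasked card numbers are being written to disk, which is the storage question raised in the last reply. The log layout and the `SAMPLE_LOG` lines are constructed for illustration (4111111111111111 is a common test card number), and the patterns assume the standard ISO/IEC 7813 track 1 and track 2 layouts.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{4}\d{3}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")
# Bare card number candidate: 13-19 digits, not part of a longer digit run
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to discard order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Report only first six / last four digits so the report holds no PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text):
    """Return (line number, kind, masked PAN) for every hit in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        spans = []  # track-data regions already reported on this line
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((lineno, kind, mask(m.group(1))))
                    spans.append(m.span())
        for m in PAN.finditer(line):
            inside = any(s <= m.start() and m.end() <= e for s, e in spans)
            if not inside and luhn_ok(m.group()):
                findings.append((lineno, "pan", mask(m.group())))
    return findings

# Constructed sample log lines (hypothetical format, test card number only)
SAMPLE_LOG = """\
2007-05-31 15:02:11 SALE swipe=%B4111111111111111^TEST/CARDHOLDER^0912101000000000?
2007-05-31 15:02:11 SALE t2=;4111111111111111=09121010000000000?
2007-05-31 15:04:40 SALE card=4111111111111111 amt=12.50
2007-05-31 15:05:02 SALE card=411111******1111 amt=8.00
2007-05-31 15:06:19 order=1234567890123456 amt=3.25
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Lines 4 and 5 of the sample produce no finding: the first is already masked, and the order number fails the Luhn check.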