Red Clay Renovations (RCR), like all businesses, is subject to regulatory requirements, an obligation better known as regulatory compliance. Regulatory compliance is defined as “an organization’s adherence to laws, regulations, guidelines and specifications relevant to its business processes” (Rouse, M., 2018). Examples include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002, and the European Union’s General Data Protection Regulation of 2016 (GDPR), which any business that handles the personal data of people in the EU must follow (Gasior, M., 2019). Keeping up with these requirements is difficult because they change over time and vary by jurisdiction and industry. RCR must comply with those that apply to it, and the most important for its business is PCI DSS. Unlike the other examples, PCI DSS is not a law: it is an industry standard established by the Payment Card Industry Security Standards Council (PCI SSC) and enforced through the contracts merchants hold with the card brands and their acquiring banks. The council was founded by, and consists of, the five major payment card brands: American Express, Discover Financial Services, JCB International, Mastercard, and Visa. The PCI SSC publishes requirements for businesses that process card payments and for companies that design and build card-processing equipment and software, grouped into four categories: “PCI Data Security, PCI PIN Transaction Security Requirements, Payment Application-Data Security Standard, and Point-to-Point Encryption” (PCI SSC, 2019).
RCR is subject to PCI DSS because it accepts and processes credit card payments for its services. (It also performs credit checks on customers; those involve consumer credit reports rather than payment card data and fall outside PCI DSS, although they deserve the same handling discipline.) The first step toward compliance is scoping: RCR must identify which of the following it uses, because each of them that touches cardholder data is in scope:
- “Card readers
- Point of sale systems
- Store networks & wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts” (PCI SSC, 2019).
Scoping matters because every card reader and point-of-sale system RCR uses must itself be an approved device or validated payment application listed by the PCI SSC, and because the scope determines which requirements RCR has to meet. The less cardholder data RCR stores, the smaller that scope: card numbers should not be retained at all unless there is a documented business need, and sensitive authentication data (full magnetic stripe or chip data, the CVV2 security code, and PINs) may never be stored after a transaction is authorized. RCR will also need to define how payment information is destroyed when it is no longer needed (electronic and paper) and keep a list of all employees who process payments or perform credit checks. This area should be taken very seriously, since a breach and loss of this information could have a detrimental impact on the business: loss of existing customers or of their trust in the company, fewer prospective customers and lost sales, legal proceedings against the company, and loss of the ability to process credit card payments at all (PCI SSC, 2019). The one consequence that can easily drive a small to mid-sized business into the ground is the fines and penalties levied by banks or card companies, which can range from $5,000 to $100,000 per month depending on the seriousness of the incident and the results of the investigation (Lynch, K., 2019).
RCR and its employees would benefit greatly from a written policy covering credit card processing and credit checks. It should include:
- Step-by-step procedures for processing payments and for performing credit checks.
- An inventory of all equipment involved, including point-of-sale terminals, the networks, routers, and access points they connect through, any system used to store sensitive information, and any method used to dispose of it. PCI DSS itself requires an up-to-date inventory of in-scope system components, so this list must be maintained, not written once.
- A list of employees authorized to process credit card payments and to perform credit checks.
- Incident response procedures: the steps to take as soon as fraudulent activity or a breach is suspected or in progress, including who to notify (the acquiring bank and the card brands have their own reporting requirements).
A separate policy should define training for payment processing, credit checks, and the recognition of fraudulent activity or breaches, together with the steps to take once they are identified. As in any area of the business, training is key to success. A policy that establishes the required training, names the individuals who will specialize in each area, and makes them responsible for developing the training program and delivering the training or advice will be key to RCR’s success going forward.