Retailers: Beware of Pitfalls in Your Card Payment Function

Locke Lord LLP

What card payment rules must a retailer operating in the United States follow?

MS: When a merchant uses, transmits, stores or outsources the credit card function, it is subject to a number of rules in the U.S., including the Payment Card Industry Data Security Standard (PCI DSS). These rules change every few years and the new PCI DSS version, v. 3.1, issued April 2015, is increasingly robust and encompassing. There are fines, penalties and assessments issued by the card brands for PCI non-compliance, for example, in the event of a data breach. The rules touch every entity in the credit card ecosystem, from card processors to websites to hosting services to back-end storage — any company that stores or moves credit card information must comply, and a detailed allocation of responsibilities is now required. Retailers need to understand that these duties push down to everyone in their card chain, including third-party vendors. A merchant is still ultimately responsible under PCI rules for its third-party vendor activities, including any outsourced card functions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
