Despite increasingly heightened security by merchants and service providers, credit and debit card fraud is still on the rise. Perpetrators are using even more sophisticated methods of infiltration to access sensitive payment card information. The financial cost of fraud to any sized corporation can be huge and the price of preventing it is vast.
Any company which stores, processes or transmits payment card data bearing the logo of the five major payment companies has to comply with the Payment Card Industry Data Security Standards (PCI DSS). These five companies include American Express, Discover, JCB, MasterCard and Visa. These standards were devised in 2004 to provide a common set of industry tools for the storage of payment card data in order to prevent, detect, and react to security incidents.
As well as merchants or banking institutions, compliance is required by any third party who accepts or processes payment cards. This includes call centres who receive cardholder data which they are unable to delete. If merchants use payment gateways to process transactions on their behalf, compliance is not required but they must ensure contractual obligation from the third party that they comply with PCI DSS and are responsible for the security of cardholder data.
Fines for non-compliance or security breaches can be huge, reaching $500,000. High profile cases involving huge corporations have hit the headlines. Some card brands have threatened huge fines against larger merchants of up to $25,000 per month until compliance is obtained. In severe cases, they have even threatened to remove the ability to process credit card payments, which could be economically fatal for any merchant.
While Visa reports that the majority of security breaches occur in small enterprises, any company that stores, processes, or transmits card information has to comply with a strict set of guidelines. Although intended to create a global standard which protects both consumers and corporations alike, these guidelines can be time consuming, costly, and complex to implement. Corporations that require PCI DSS compliance are prevented from storing sensitive credit card information, including security codes, track data from the magnetic strip, and PIN numbers. Information which can be stored includes credit card numbers, expiration dates and customer details, but the method of storage needs to meet certain requirements.
How to obtain PCI DSS compliance
The recommended first step to obtaining compliance is to hire the services of a Quality Security Assessor, who can advise on steps needed to reach compliance as well as completing the official assessments required. Smaller companies that process less than 80,000 transactions per year are permitted to complete a self-assessment questionnaire.
Compliance covers 6 areas of security:
1. Construction and maintenance of a secure network – including installation of a firewall to protect cardholder data
2. Protection of cardholder data – including encryption during data transmission
3. Vulnerability management – with regular updates of anti-virus software
4. Access control – to prevent and restrict access to sensitive data
5. Regular monitoring and testing of networks
6. Maintenance of an information security policy
The latest updated guidelines for PCI DSS are due for release in October 2008.
The benefits of PCI DSS compliance
Protection from PCI related fines if compliant at the time of breach
Increased customer confidence in data protection
Advice on how to remediate any data security risks
Advice on how to prevent service providers from putting your business at risk from data security
Increased protection from fraudsters
Protection from unwanted negative media attention
With this said, there is no question as to why PCI DSS compliance is as important as it is. It both protects the consumer and the merchant, making transactions considerably safer than they would be otherwise.