
The Importance Of Being PCI Compliant And The Risks Of PCI Non-compliance

By Author: Roger Milne

The PCI Security Standards Council, a global forum, handles the Payment Card Industry Data Security Standard (PCI DSS). These standards were developed to tackle the increasing number of card payment fraud cases and to keep merchants as well as buyers protected. It is important for merchants to be fully compliant with the standards. Even if they sub-contract payment processing to third parties, they remain responsible for compliance. Software developers and service providers involved in any activity that touches card transactions must also be fully compliant with the standards. The standards enhance card data security and reduce fraud through stringent compliance measures. The version currently in use is 3.2, launched in April 2016.

The scope of PCI DSS

PCI DSS applies to a merchant engaged in card transactions, and it also applies when the merchant has sub-contracted this service to a part of the organisation or to a third-party service provider. In this case, both the merchant and the third-party service provider must be PCI compliant. It applies to everyone involved in the chain, including technologies and people, and it covers electronic data and paper records in addition to recorded phone conversations that include cardholder data. Defining the cardholder data environment of the organisation is the next consideration. This includes documenting the data flow and defining the applications involved in storing cardholder data, followed by documenting the firewalls, switches, access points and other devices in the network. If an organisation outsources its payment solution, then the managed service providers need to comply, especially with regard to network encryption endpoints. Applications used to process, transmit or store cardholder data are also covered.

Becoming compliant with PCI standards

In order to be compliant, an organisation is audited. The audit depends on the card brand, which may be MasterCard, American Express or Visa. These are termed payment brands, and they in turn must obtain compliance from acquiring banks and merchants down the line, as well as from the service providers to such merchants. Normally, a PCI QSA organisation handles the audit and issues a report on compliance. As an alternative, an officer of the organisation may submit a self-assessment questionnaire to Visa, MasterCard, Discover and American Express. In order to comply, the merchant and the merchant's service provider must meet minimum requirements such as:

• Protection of cardholder data

• A secure IT network

• A vulnerability management programme

• Monitoring and testing of networks

• A strong information security policy in place

• A secure access control process.

Once the process is initiated it may take a number of weeks depending on various factors.

Becoming PCI compliant is one thing; the organisation is also required to carry out testing on a regular basis to ensure protection against penetration.

The process is complicated and daunting for the uninitiated. It is best left to specialists in PCI consultancy to ensure compliance. A typical consultancy would start with scope and gap analysis in order to determine what needs to be done. This is followed by implementation as well as training for staff. The same consultant will usually carry out compliance audits and issue reports on compliance. This is followed by ongoing support to ensure the merchant is compliant at all times, because the fines for non-compliance are hefty.

PCI Non-Compliance

A merchant must ensure full compliance because PCI non-compliance results in fines and heavy charges from banks and credit card companies. Non-compliant merchants must pay a fine and are given a timeline for compliance, failing which the fines are increased and can impose an unbearable burden. Paying for compliance and ensuring continued compliance works out cheaper. Even if a merchant is deemed compliant, there may still be a breach in cardholder data security. If this happens, the merchant faces a fine for each item of card data that is compromised. The merchant account may be suspended by the card company. Further, the merchant may face litigation by customers and suffer a loss of reputation and trust that will affect future sales.

A merchant usually acquires equipment from a supplier, and the same supplier may be able to assist with the compliance procedures, either directly or through an associate, in order to give the best service.

Independent Merchant Services is a Bolton-based company specialising in supplying equipment, such as chip and pin terminals, and in assistance with payment audits and online payment system installation. One area of service they specialise in is bespoke audits for merchants to ensure PCI compliance. In operation since 2011, the company offers the best advice on payment models and tie-ups with banks, as well as the supply of equipment, in a comprehensive, single-point solution.
