Why is PCI Compliance So Important?
Considering debit card payments have overtaken cash as the primary form of payment, can you afford to ignore PCI Compliance? Almost every consumer business, charity and club now receives a large percentage of its payments by card.
All organisations that take card payments, whether over the phone, online, or in-store, are required to comply with a data security standard issued by the payment card industry body, the Payment Card Industry Security Standards Council.
But what exactly does this mean? Who is the organisation that sets this standard? How hard is it to comply with? What are the consequences if my organisation doesn’t?
Fair questions, considering most companies see taking payment as just another admin process, and any complexities here are confined to the ‘I’ll look into this later’ pile as we allow more pressing issues to occupy our time.
Hopefully, this article will untangle the complexities of the PCI DSS, or Payment Card Industry Data Security Standard, leaving you comfortable that your payment security and compliance are dealt with and those other, more pressing issues, can be whole-heartedly addressed.
What Does PCI Compliance Stand For?
The Payment Card Industry (PCI) Security Standards Council (SSC) was founded in 2006 by the card brands Mastercard, Visa, American Express, JCB and Discover to combat card fraud. To this end they produce, and manage the ongoing evolution of, the Data Security Standard (DSS).
The Data Security Standard
The DSS is a set of rules that all Merchants, that is, all organisations that take card payments, must adhere to. The PCI rules exist to safeguard information and relate to all systems that store, process, or transmit payment card data.
The DSS is constantly reviewed and changes as technology changes, attempting to ensure that sensitive card information is protected.
Simple enough? If you take card payments, you must comply with the Data Security Standard.
Well, simple it certainly isn’t. That’s because there are over 1,800 official pages of the PCI DSS, 300 of which are just to help you understand which form to use. And no, it’s certainly not as entertaining as reading a John Grisham novel!
Nevertheless, considering they apply to every organisation worldwide taking card payments, and taking into account the consequences of non-compliance, it is worth a few minutes of investigation.
For starters, not complying with the standard results in fees from your gateway, or acquirer, or both. In fact, most businesses that do not prove compliance annually are unwittingly paying these today. Just check your next statement. Fees are typically between £20 and £50 per month and are often labelled something non-descript like ‘Service fee’ or ‘PCI compliance fee’.
The real issues come when you suffer a breach, and these are on the increase.
“It’s okay, I trust my staff handling card information.” Sure. Every organisation does. But there are two problems here. One is that 75% of breaches are hacks, not humans recording card information. The other problem is that 25% are humans, and reports show that staff are being incentivised and coerced into providing payment card information in greater numbers.
Should A Breach Occur
If you are not compliant with the DSS you can expect to pay:
- Audit fees
- The cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements and judgments
- Fines and penalties
- Diminished sales
- Termination of ability to accept payment cards
- Going out of business
Yes … that last one is no joke. In fact, 62% of small to medium-sized businesses that suffer a breach close their doors within six months, typically due to the costs of the audit, the fines and the inability to take card payments moving forward.
How Hard is Being Compliant?
This is where the news starts to lighten a bit. Compliance can actually be fairly easy; like most things in life, it depends on how hard you want to make it.
There are 4 levels of compliance. Each relates to the volume of card payment transactions you take and how you take them. Level 1 means you take a lot of payments, more than 6 million annually across all channels. While level 4 means you only take a few, less than 20,000 e-commerce transactions annually or less than 1 million transactions over any other channel.
If you take card payments by any method other than e-commerce, such as over the phone, you need to have an Approved Scanning Vendor, known as an ASV, which conducts a quarterly scan of everything ‘in scope’. This also applies to any Merchant processing more than 1 million e-commerce transactions.
The trick with compliance is to move as much as possible on to the shoulders of those who supply your payment facilities. This is also known as ‘reducing scope’.
By far the easiest way to comply is to reduce the amount of your infrastructure that is ‘in scope’ of the Data Security Standard. Anybody or any piece of IT equipment that stores, transmits or processes card information is in scope.
Remove your staff and IT kit from scope and you don’t need to scan them quarterly; the DSS doesn’t apply to them. Once they are out of scope, for most businesses compliance becomes a question of completing an annual Self-Assessment Questionnaire, signing the Attestation of Compliance form and sending it to your acquirer, and ensuring that things don’t creep back into scope during the year.
For online payments, using your gateway’s virtual terminal will reduce your scope. Redirect visitors to the gateway’s payment page rather than allowing the customer to type their card details into a form on your website.
For phone payments, deploying DTMF technology, which PayGuard® offers, ensures customers use their telephone keypad to type in their card details rather than reading them out and revealing them. If your business takes card payments over the phone, it is near impossible to comply with the DSS if the customer has to read out their card details.
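The scope distinction in the two paragraphs above comes down to one question: does card data ever reach your own systems? The following added example (not from the article or from any gateway’s own code) shows the two integration patterns side by side as constructed request payloads, and a small Luhn-based detector that flags any field carrying a primary account number (PAN) or sensitive authentication data such as the CVV. Run over your own form posts or application logs, the same check is one way to notice card data ‘creeping back into scope’ during the year; the field names, order reference and return URL are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample payloads (not from the article). The first is what an
# on-site card form would post to YOUR server: the card data touches your
# infrastructure, so the web server, its logs and anyone who can read them
# are in scope of the DSS. The second is what the redirect pattern hands to
# the gateway's hosted payment page: an order reference and amount only.
ON_SITE_FORM_POST = {
    "order_ref": "INV-2024-000173",          # hypothetical order reference
    "amount": "49.99",
    "card_number": "4111 1111 1111 1111",    # well-known test PAN, not a real card
    "expiry": "12/27",
    "cvv": "123",
}

HOSTED_PAGE_REDIRECT = {
    "order_ref": "INV-2024-000173",
    "amount": "49.99",
    "currency": "GBP",
    "return_url": "https://shop.example/payments/return",  # hypothetical
}

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that hold Sensitive Authentication Data, which may never be stored.
_SAD_FIELD_NAMES = {"cvv", "cvc", "cvv2", "security_code", "card_security_code"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalised digit strings in `text` that look like PANs."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def card_data_fields(payload: Dict[str, str]) -> List[str]:
    """Names of payload fields that carry card data and so pull the receiving
    system into scope: any field holding a Luhn-valid PAN, or any field named
    like sensitive authentication data."""
    flagged = []
    for name, value in payload.items():
        if name.lower() in _SAD_FIELD_NAMES or find_pans(str(value)):
            flagged.append(name)
    return flagged


def redact(text: str) -> str:
    """Mask all but the last four digits of any PAN before a line is logged,
    so a stray card number does not bring the log store into scope."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)    # not a card number; leave the text alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("on-site form, fields in scope:", card_data_fields(ON_SITE_FORM_POST))
    print("hosted-page redirect, fields in scope:", card_data_fields(HOSTED_PAGE_REDIRECT))
    print(redact("payment failed for 4111-1111-1111-1111 ref INV-2024-000173"))
```

The on-site form is flagged on both `card_number` and `cvv`, while the redirect payload is clean: nothing in it is card data, which is exactly why that pattern takes your web server out of scope. The `redact` helper is the defensive counterpart for logs you already have; a Luhn match alone is not proof of a card number, so treat hits as something to investigate rather than as a verdict.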
I Don’t Record Calls, So I Am Already Compliant
Sorry, that’s a myth. It was born in 2011 when the PCI SSC issued guidance on telephone payments, stressing that under no circumstances could Sensitive Authentication Data (SAD), such as the security code or CVV, be stored. This led to a heroic effort by many companies receiving payment over the phone to prevent the recording of this information when it was read out by the customer (known as the ‘Pause and Resume’ method).
While it remains the standard that SAD cannot be recorded, the Data Security Standard goes way beyond call recording. As the latest guidance, version 3 issued in November 2018, made clear, the phone system itself, along with the computer, any connected equipment and of course the agent listening to the card information, are all in scope.
DTMF technology has only recently become affordable for smaller businesses. It removes your people and your systems from scope, thereby eliminating the need (and cost) for quarterly scans and making PCI compliance for your phone payments a cinch.
Let’s be honest, few people want to get into this in detail. If you are responsible for data security, payments, or compliance in an organisation, there are many other things to occupy your time.
It is worth remembering that adhering to the DSS has benefits beyond that of avoiding the consequences of non-compliance.
Protecting staff has to be high among them, along with protecting company directors. Because the GDPR is so non-specific, many who are looking to comply with the Data Protection Act (DPA) and [groan] the GDPR have sought out the DSS for answers, thanks to its specificity.
And of course, with GDPR compliance comes relief for the Director, who can prove they have not neglected to safeguard sensitive customer data, thereby avoiding the punishing personal liability of £500,000 the DPA places on them.
Cost reduction is another benefit. No more quarterly scans if you push systems out of scope, as well as the removal of the non-compliance fees charged each month and the ability to negotiate cheaper rates with your acquirer as you pose a lower fraud risk.
Lastly, there is peace of mind about securing your customer’s information and therefore your reputation.
While the subject of PCI compliance is a bit of a minefield and the Data Security Standard is complex, adherence needn’t be beyond your energy or your budget. That is only true, though, if you put the right strategy in place and lean on the technology available today.