What is PCI compliance and why does it matter?
If you own an online shop, bank online or use credit and debit cards, there is a very good chance that you have heard the term "PCI compliant." However, you probably don't know what it means.
The term "PCI compliant" is heard more and more these days as data breaches at merchants, such as the large American retail company TJMaxx, land hundreds of thousands of card details in the hands of criminals. These criminals are using the data to make purchases and withdraw money from the accounts of unsuspecting victims.
It's a huge and growing problem. More than 80% of data stolen in breaches is payment card data, according to the '2009 Verizon Business Data Breach Report'.
Who is the PCI Security Standards Council?
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Entry Device (PED) Requirements.
What is the standard exactly?
It's the PCI (Payment Card Industry) Data Security Standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive: it says not only that you need to be secure, but also tells you how to become secure. It's more about security than compliance. The goals are things like:
• Build and maintain a secure network
• Protect cardholder data
• Regularly monitor and test the networks
What if I don't want to become PCI compliant?
If you decide not to become compliant then you can still open an account with us. However, if you are not compliant with the Payment Card Industry Data Security Standard (PCI DSS), you will be responsible for any losses through fraud, and may also face considerable fines.
Your customers will suffer if their card details are compromised, and your business reputation will suffer as a result.
Taking responsibility for PCI compliance forms part of your merchant Terms & Conditions.
If a merchant is found to be not PCI compliant, what are the consequences?
90% of consumers don't understand the difference between credit card fraud and identity theft. If they hear that their credit card has been stolen, many of them believe their identity is at risk. If that's the case, many of your customers won't shop with you anymore because they are afraid you are not protecting their data and someone is going to steal their identity. That's the worst thing that can happen. The biggest problem would be if your customers walk away. There is reputational damage to deal with, which 9 times out of 10 cannot be measured in terms of money.
What part of the standard is mandatory and what is voluntary?
It's all mandatory. Nothing is voluntary. The rule is: if you store, process, or transmit credit card data, you must be compliant with the PCI standards. And that's a global rule.
How do I become compliant?
You can become compliant by using an assessor.
Isn't this just another way of getting more money out of businesses?
Not at all. This is for the benefit of all concerned. 80% of all online fraud occurs using stolen or misused payment details.