Every merchant that processes card payments and retains card payment details must adopt the Payment Card Industry Data Security Standard (PCI DSS). Failure to do so can result in merchants being subject to substantial fines, higher transaction costs or ultimately the suspension of banking facilities.
A single retailer, or merchant, can process millions payment card transactions each year. If an unauthorised route is found into that merchant’s system then the potential for fraudulent use of credit and debit card details is huge.
The ultimate purpose of the Payment Card Industry Data Security Standard (PCI DSS)
is to help card issuers and banks manage their risk and exposure, by ensuring that merchants take responsibility to ensure that every individual, be it an employee or contractor, that comes in to contact directly or indirectly with payment card data takes consistent precautions against data theft and security breaches that could compromise cardholder data. PCI recognises that merchants in particular are a prime target for data thieves because they engage in activities – such as storing sensitive information – that place cardholder data at risk. However, it is in everyone’s interest – whether consumer, merchant or bank – that the standard is consistently enforced so that sensitive data is protected and the cost of fraud is minimised for all parties. Indeed many public organisations that store sensitive customer information (not necessarily specifically payment card data) will also benefit from adopting PCI DSS standards.
The Payment Card Industry Data Security Standard (abbreviated to PCI DSS or, commonly, just ‘PCI’) is a set of 12 requirements designed to secure and protect customer payment data
. The standards are the brainchild of the PCI Security Standard Council, an independent body established in 2006 by major card companies American Express, Discover Financial Services, JCB International, MasterCard and Visa. PCI is an international initiative, intended to enhance all cardholder data security whether transactions take place in a store or online. PCI is regulated by the industry through a set of standards that cascade down from the card brands via banks to the merchants. The standards are enforced by the banks (card-issuing banks are known as ‘acquiring banks’) working in conjunction with the merchants to ensure they fulfil PCI requirements. Merchants that do not comply face fines for noncompliance ranging from €5,000 to €23,000, higher transaction charges or even the threat of banking facilities being suspended altogether - typically resulting in the cessation of trading. Although each acquiring bank has previously taken its own approach to enforcement, there is increasing homogeneity and consensus on accelerating PCI.
There is no explicit regulation of PCI in the UK, although in the US there are states that have state laws in place which force components of PCI DSS. There is speculation that PCI may eventually have wider legal enforcement elsewhere and it has been noted that the UK government and regulatory authorities are generally getting more active in the area of data protection. From a PCI perspective, every touch point represents a potential data breach. At the simplest level it means all payment card slips must be destroyed. At the most complex level there are strict rules governing the technology used to manage and protect cardholder data. A PCI-compliant organisation must remove sensitive authentication data and limit data retention; protect their perimeter, internal and wireless networks; secure its applications and protect everything through ongoing monitoring and access control.
Acquiring banks are duty-bound to report regularly to card issuers about the status of merchants’ compliance with PCI. They take the view that merchants should regard the cost of PCI compliance
as an insurance policy, protecting them from the financial costs of failing to secure card data. Working toward PCI is, in any case, good practice because it can help improve the efficiency of an organisation’s processes and also allows it to operate more securely – ultimately protecting their brand and reputation.