PCI COMPLIANCE – WHY YOUR CUSTOMERS SHOULD KNOW ABOUT PCI DSS

By Rob Crutchington – Director of Encoded

If you were to ask shoppers in the street to name an online payment protection process the chances are they would know about Verified by Visa, 3D Secure, Mastercard SecureCode or even Safekey from American Express but most would draw a blank at the mention of PCI DSS.  Why is this and why doesn’t it come as a surprise?

Rob Crutchington

The Payment Card Industry Data Security Standard (PCI DSS) was created by Visa®, MasterCard®, JBC®, Discover® and American Express® and is made up of 12 requirements designed to secure business systems that store, process or transmit card holder data and is meant to protect consumers and merchants against security breaches. However, beyond the payment industry including merchants, suppliers, acquirers, VISA and Mastercard what does it really mean to people and why aren’t consumers aware of its importance?

Customers need confidence
For customers to transact with an organisation either via a contact centre or online they need to be confident that their payment cards will not be compromised, their personal details are secure and their identities cannot be stolen.  By complying with PCI DSS, merchants and service providers meet their obligations to the payment system and build a culture of security that benefits everyone.  However, not enough is being done to advertise this fact.

Who pays the fine?
In the event of a loss of data or cards being used fraudulently, fines are passed down the chain from VISA and MasterCard at the top to the merchant/retailer at the bottom.  The consumer doesn’t suffer financially as measures are in place and assurances given to prevent this happening.  The fact remains that something has gone wrong and individuals will be inconvenienced and could suffer from emotional stress at the thought of their details being stolen and used fraudulently.  In time this could lead to a reduction in customer confidence in both the method of payment and a reduction in confidence of the retailer who caused the problem.  Surely, all those involved in the card payment industry including merchant acquirers have a duty of care to improve public awareness.  This in turn would benefit consumers as card processing, security and compliance, fraud, fines and penalties are all part of the ‘retail cost structure’ which can lead to increased prices.

Some merchant acquirer companies have started to levy a surcharge on suppliers and merchant organisations that are not PCI compliant to encourage them to go through the full process of compliance.  This can be an expensive exercise because to achieve the top level of compliance, Level 1, an Attestation of Compliance (AOC) is needed which must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance.  QSAs cost money and have very exacting standards.  But do the benefits outweigh the costs and time involved?

Matthew Tyler, CEO and QSA at Blackfoot believes so, “Only greater public awareness will prove the real value of PCI DSS and lead to reduced fines and improved security.  People will ultimately choose to transact with those organisations they have confidence in and they know are PCI compliant.”

Greater Public Awareness
To achieve this greater awareness some of the money paid in fines and surcharges should be used to promote the advantages of dealing with PCI compliant operations.  Once card holders have a greater knowledge and know what questions to ask of their merchants and the payment system as a whole, the benefits will become apparent.
If the public had a clearer understanding of the importance of PCI DSS people would only purchase from those organisations who demonstrate full PCI compliance, therefore reducing the instances of lost data and fraudulent activities.  The welcome result of this would be fewer fines, lower prices and less sleepless nights worrying about security.

To my mind it is simple – use the money raised in fines and levies to promote the relevance of PCI DSS so that customers look out for the PCI Sign when making a purchase and paying by card.  This will benefit everyone, improve security and raise the profile of PCI DSS to level it deserves.

By Rob Crutchington – Director of Encoded

If you were to ask shoppers in the street to name an online payment protection process the chances are they would know about Verified by Visa, 3D Secure, Mastercard SecureCode or even Safekey from American Express but most would draw a blank at the mention of PCI DSS.  Why is this and why doesn’t it come as a surprise?

Rob Crutchington

The Payment Card Industry Data Security Standard (PCI DSS) was created by Visa®, MasterCard®, JBC®, Discover® and American Express® and is made up of 12 requirements designed to secure business systems that store, process or transmit card holder data and is meant to protect consumers and merchants against security breaches. However, beyond the payment industry including merchants, suppliers, acquirers, VISA and Mastercard what does it really mean to people and why aren’t consumers aware of its importance?

Customers need confidence
For customers to transact with an organisation either via a contact centre or online they need to be confident that their payment cards will not be compromised, their personal details are secure and their identities cannot be stolen.  By complying with PCI DSS, merchants and service providers meet their obligations to the payment system and build a culture of security that benefits everyone.  However, not enough is being done to advertise this fact.

Who pays the fine?
In the event of a loss of data or cards being used fraudulently, fines are passed down the chain from VISA and MasterCard at the top to the merchant/retailer at the bottom.  The consumer doesn’t suffer financially as measures are in place and assurances given to prevent this happening.  The fact remains that something has gone wrong and individuals will be inconvenienced and could suffer from emotional stress at the thought of their details being stolen and used fraudulently.  In time this could lead to a reduction in customer confidence in both the method of payment and a reduction in confidence of the retailer who caused the problem.  Surely, all those involved in the card payment industry including merchant acquirers have a duty of care to improve public awareness.  This in turn would benefit consumers as card processing, security and compliance, fraud, fines and penalties are all part of the ‘retail cost structure’ which can lead to increased prices.

Some merchant acquirer companies have started to levy a surcharge on suppliers and merchant organisations that are not PCI compliant to encourage them to go through the full process of compliance.  This can be an expensive exercise because to achieve the top level of compliance, Level 1, an Attestation of Compliance (AOC) is needed which must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance.  QSAs cost money and have very exacting standards.  But do the benefits outweigh the costs and time involved?

Matthew Tyler, CEO and QSA at Blackfoot believes so, “Only greater public awareness will prove the real value of PCI DSS and lead to reduced fines and improved security.  People will ultimately choose to transact with those organisations they have confidence in and they know are PCI compliant.”

Greater Public Awareness
To achieve this greater awareness some of the money paid in fines and surcharges should be used to promote the advantages of dealing with PCI compliant operations.  Once card holders have a greater knowledge and know what questions to ask of their merchants and the payment system as a whole, the benefits will become apparent.
If the public had a clearer understanding of the importance of PCI DSS people would only purchase from those organisations who demonstrate full PCI compliance, therefore reducing the instances of lost data and fraudulent activities.  The welcome result of this would be fewer fines, lower prices and less sleepless nights worrying about security.

To my mind it is simple – use the money raised in fines and levies to promote the relevance of PCI DSS so that customers look out for the PCI Sign when making a purchase and paying by card.  This will benefit everyone, improve security and raise the profile of PCI DSS to level it deserves.