Pci Compliance – What Every Card-Accepting Merchant Should Know

By Rob Crutchington – Director of Encoded

It is fair to say that most card-accepting merchants understand the importance of protecting customer data from fraud and cybercrime. However, it might be news to many that in the event of a security breach they will be the ones fined. The buck stops with the merchant. Costs and expenses can quickly add up with payment network fines and assessments, forensic fees associated with a compliance audit of the merchant’s business environment and legal fees. Not to mention the damage to reputation and lost sales.

A recent report* based on a survey of 2,035 online consumers stated that nearly half (45%) of respondents saw contact centres in particular as the biggest security risk and the starting point for fraud. Findings also showed that many millions of consumers have been stopped from making purchases over the telephone when interacting with a call centre.

But surely the Payment Card Industry Data Security Standard (PCI DSS) takes care of all of this? When Visa®, MasterCard®, JBC®, Discover® and American Express® created a standard made up of 12 requirements designed to secure business systems that store, process or transmit card holder data it was meant to protect consumers and merchants against security breaches. However, what many organisations with call centres do not appreciate is that because PCI DSS covers the entire trading environment, all third-party partners and vendors that handle card data must also comply before full PCI compliance is achieved.

Visa Europe Merchant Agents List
So which third-party partners and vendors are fully PCI DSS compliant? Payment schemes are building lists of registered Third Party Vendors that can demonstrate adequate levels of data security and acceptable business practices. For example VISA has its Visa Europe Merchant Agents List http://www.visamerchantagentslist.com/ and merchant services organisations such as Elavon are insisting that only organisations which appear on this list are used by customers. This means any company involved in accepting transactions, interactive voice response (IVR) payments, internet payment gateways and any other service or product that is directly or indirectly involved in data transactions must register and appear on the list. Contact-centres typically use multiple vendors for their technology so it is becoming increasingly important for management to understand just who does what in the process and who needs to be PCI compliant to avoid fines and lawsuits in the event of the unthinkable happening and customer card data being stolen.

Not all PCI third-parties are created equal
The Visa Europe Merchant Agents list has two levels of organisations that provide services to merchants. These two levels have very different validation procedures. To achieve the top level of compliance, Level 1, an Attestation of Compliance (AOC) is needed and this level only applies to organisations that store, process and/or transmit more than 300,000 Visa transactions per year.

To achieve Level 1 status an Attestation of Compliance must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance. QSAs cost money and have very exacting standards. The high cost of going through full PCI DSS accreditation with an external QSA is leading to some vendors claiming to be compliant when in fact they have not been through the whole process and therefore do not have Level 1 status. This is putting merchants at risk.

For Level 2 registration organisations do not require an onsite security assessment by a QSA and are able to submit an annual self-assessment questionnaire including the Attestation of Compliance without reference to a QSA. Level 2 applies to smaller providers involved with less than 300,000 Visa transactions annually.

As Matthew Tyler, CEO of Blackfoot explained, “Payment schemes such as Visa and merchant service providers like Elavon are getting tough on organisations taking card payments. Many merchants don’t even realise they will be ones fined in the event of a data breach as they believe their bank or 3rd party supplier will be accountable. Some acquirers are even threatening to terminate Merchant Service Agreements if merchants fail to work with third-parties that appear on the Visa list. Organisations with call centres are seen as particularly vulnerable and should do everything in their power to work with only Level 1 vendors such as Encoded who have gone through extensive measures and inspections to achieve PCI DSS compliance.”

As recent research shows card security is important to consumers and they are becoming increasingly aware of both the technology and standards around payments. For call centres to build trust and confidence only the best technology from third-parties with Level 1 Visa clearance is good enough for customers. It can take years to rebuild a reputation after high profile data breaches such as those at Sony, Lush and the parent company of TK Maxx but it only takes a few minutes to check whether the vendor you are working with appears on the Visa Europe Merchant Agents list, has achieved full PCI DSS compliance and Level 1 status.

*Sabio and Avaya commissioned Davies Hickman Partners, an independent research consultancy, to complete a nationally representative survey (excluding NI) of 2,035 online consumers in January 2013.