Five things you should know about PCI DSS but are too afraid to ask
By Rob Crutchington – Director of Encoded
The Payment Card Industry Data Security Standard (PCI DSS) remains surrounded by confusion and misinformation. For example, many call centres do not appreciate that PCI DSS covers the entire trading environment, including all third-party partners and vendors that handle card data, and that all of them must comply before full PCI compliance is achieved.
Here are five lesser-known, but important PCI facts:
Responsibility – in December 2014, when the next version of the standard comes into force, all suppliers of payment services must include a full list of all 258 controls in contracts, clearly showing who is responsible for each control. In the event of lost data and a subsequent audit identifying where the breach in security occurred, the contract will form the basis of accountability. Potentially this is the first step towards holding suppliers accountable for lost data, which historically has always been the responsibility of the merchant or client.
VISA will never fine a merchant – VISA cannot fine a merchant for card data loss because its contract is not with the merchant but the Acquirer (the merchant’s bank). It is the acquiring bank’s responsibility to make sure its merchants are compliant and as such it is the bank that will issue fines, increase charges for non-compliance and impose compulsory PCI programme costs. VISA will, however, fine the Acquirer if its merchants are non-compliant.
There is no such thing as a PCI DSS compliant solution – products are often incorrectly marketed as PCI DSS compliant. To advertise this claim is to miss the very point that PCI DSS is trying to achieve, i.e. to maintain a unified security standard to which merchants must adhere. Only companies and other legal entities can be PCI DSS compliant, not products or software.
Misinformation is perpetuated by procurement and marketing departments – the belief that solutions can be PCI compliant is often the result of procurement and marketing people who do not really understand the premise of PCI compliance and ask solution providers in tenders whether the solution is PCI compliant. This is an incorrect question, but many suppliers are happy to go along with this misconception in order to win business. So the PCI DSS cycle of confusion continues.
Only select suppliers that appear on the VISA Merchant Agent List website – not all payment solution providers are created equal. To be certain whether a third-party vendor is compliant, it is important to check the VISA Merchant Agent List, which has two levels of organisation with very different validation procedures. Level 1, the top level, requires an Attestation of Compliance (AOC) from a Qualified Security Assessor (QSA) and applies to organisations that store, process and/or transmit more than 300,000 VISA transactions per year. Level 2 applies to smaller providers with fewer than 300,000 transactions and can be achieved by completing an annual self-assessment questionnaire.
Encoded is a leading provider of interactive voice response and automated payment solutions. It is also Level 1 PCI DSS Compliant.
To find out more and to talk about how Encoded can help save you money and protect your payment business, please call Rob Crutchington on 0845 120 9790 or email firstname.lastname@example.org
It can take years to rebuild a reputation after a security breach, but it only takes a few minutes to check whether the vendor you are working with appears on the Visa Europe Merchant Agents list and has achieved full PCI DSS compliance and Level 1 status.