Want to know more about PCI DSS compliance and how to achieve it?
Robert Crutchington at Encoded takes a closer look at the truth about PCI DSS in a new compilation of blogs on the subject
Although the Payment Card Industry Data Security Standard (PCI DSS) first appeared back in December 2004, the standard remains surrounded by confusion and misinformation. PCI DSS applies to every contact centre that takes card payments over the telephone, whatever the size. What’s more, PCI DSS covers the entire trading environment, including all third-party partners and vendors that handle card data, therefore all must comply before full compliance is achieved.
The booklet covers many of the questions that arise around PCI DSS compliance, the technology available to support it and suggests a few strategies to manage it along the way.
Topics discussed include:
The myths surrounding PCI DSS compliance
The PCI DSS standard is surrounded by myth and confusion for both organisations and customers, including the myth that software solutions can be PCI DSS compliant. Vendors that make this claim miss the very thing that PCI DSS is trying to achieve – to maintain a unified standard to which organisations and merchants must adhere. Only organisations can be compliant.
There is also the myth that no one ever gets fined. In fact, the buck stops with the merchant and its contact centre. In addition, the cost of a data breach cannot be measured in fines alone – there is also the reputational damage to consider.
Who is responsible and who is liable for fines when things go wrong
Third-party payment service providers can demonstrate adequate levels of data security and acceptable business practices if they appear on the VISA Europe Merchant Agent List. Merchant services organisations such as Elavon are insisting that their customers use only organisations which appear on this list. The only way to be truly sure whether a third-party vendor is PCI DSS compliant is by checking the VISA list.
The VISA List has two levels of third-party payment processor. Level 1, the top level of compliance, only applies to organisations that store, process and/or transmit more than 300,000 Visa transactions per year. To achieve Level 1 status an Attestation of Compliance must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance. Organisations with call centres are seen as particularly vulnerable and should do everything in their power to work only with Level 1 vendors (such as Encoded).
Level 2 is for smaller providers with fewer than 300,000 Visa transactions annually; these organisations are able to submit an annual self-assessment questionnaire, including the Attestation of Compliance, without reference to a QSA.
Practical tips to getting a PCI DSS programme in place
To become compliant there are 300 controls surrounding cardholder data to protect consumers and merchants against security breaches. Truly understanding the best practice for each of these controls requires a specialist.
However, looking at the key vulnerabilities – namely staff and the choice of third party payments supplier – can result in large reductions in both PCI DSS scope and the price of securing customers’ information.
For example, tokenisation (recurring and stored card payment solutions) means that contact centres can vastly reduce the scope of their PCI DSS audits. With tokenisation the card data itself is not stored in the contact centre's own systems, reducing the risk of hacking and cyber theft.
By working with a PCI DSS certified payment service provider with a tokenisation solution, merchant organisations can reduce the scope of the cardholder data environment (de-scope). De-scoping reduces the number of requirements the merchant must meet to be compliant. In this way tokenisation increases the security of cardholder details while minimising the cost and complexity of compliance.
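As an added illustration (not Encoded's code or product), the following Python sketch shows the principle behind de-scoping: the card number is exchanged for a random token at the provider's vault, the contact centre keeps only the token and a masked number, and a simple scan confirms that no full card number remains in the merchant-side record. The vault class, field names and the test card number (a publicly known test PAN, not a real card) are assumptions made for the example.

```python
import re
import secrets

# 13-19 digits, optionally separated by spaces or dashes, as a PAN appears in notes or records
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check used by card schemes; filters out random digit runs that are not PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the payment service provider's vault: the only place the PAN lives."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        """Later (recurring) payment: the merchant presents the token, never the PAN."""
        return token in self._pan_by_token and amount_pence > 0


def take_payment(vault: TokenVault, pan: str, amount_pence: int) -> dict:
    """Contact-centre side: what the merchant actually keeps after the call."""
    token = vault.tokenise(pan)
    digits = pan.replace(" ", "")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return {"token": token, "masked_pan": masked, "amount_pence": amount_pence}


def pan_like_values(record: dict) -> list:
    """De-scope check: flag any Luhn-valid card-number-shaped string in a stored record."""
    hits = []
    for value in record.values():
        for match in PAN_PATTERN.finditer(str(value)):
            if luhn_valid(match.group(0)):
                hits.append(match.group(0))
    return hits
```

Running pan_like_values over the records a contact centre stores is a cheap way to confirm that the tokenised system really holds no full card numbers, which is the condition on which the reduced audit scope rests.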
Choosing a trusted partner can help you achieve PCI DSS compliance
There is no one-size-fits-all PCI DSS approach, but working with a certified payments technology provider means you get the most cost effective, secure solution for your own situation.
Our blog compilation won’t provide you with every detail on achieving compliance, but it will give you a good overview of what is involved and what to do next. Or you can talk to us directly to help you take the right steps to getting your PCI DSS programme underway.
Robert Crutchington is a director of Encoded.