PCI Compliance: Three Ways to De-scope and Save Money

Every business or merchant that accepts payment via debit and credit cards has a contractual obligation with its bank/acquirer to be PCI DSS compliant. The Payment Card Industry Data Security Standard (PCI DSS) is made up of 12 requirements designed to standardise controls surrounding card holder data and to help protect consumers and merchants against security breaches.

To become PCI compliant the 12 requirements, consisting of 258 controls, must be implemented and the cost of this to a business can range from the tens of thousands to the tens of millions of pounds. To many the costs involved can be prohibitive but there is money to be saved by undertaking a program of reducing the scope of the cardholder data environment. This is called de-scoping and reduces the number of requirements (tick-boxes) for PCI Compliance.

Here are three ways to de-scope your business:

1. Pass the responsibility to a third party

Pass the responsibility for handling card data to a third party. As the merchant account agreement is between the merchant and the acquirer, the responsibility for PCI compliance cannot be entirely removed, however the amount of time and work required demonstrating compliance can be dramatically reduced.

2. Tokenisation

Tokenisation is another way of keeping card data safe and out of scope of the PCI process. Tokenisation is the process of replacing card data with random numbers that, when used within a specific payment gateway, reference back to the actual card data without compromising its security. Tokens can be used repeatedly by merchants where payments are regularly made.

3. Work with a PCI compliant payment solutions supplier

Working with a fully Level 1 PCI compliant interactive payment solutions supplier to de-scope can remove customer card data from the process and means there is less for external a Qualified Security Assessor (QSA) whose fees are typically £1000 per day to audit. Saving time and money on compliance.

Why de-scoping saves money

Taking areas of an organisation’s business out of the scope of PCI compliance minimises the cost and complexity associated with PCI DSS standards. As mentioned before a PCI project can cost anything from £10k to several millions of pounds plus there is a requirement for quarterly network scans and an annual audit.

Remember the buck stops with the merchant to ensure PCI compliance. However, whether customer card data is handled within a contact centre, via web pages or a chip and pin terminal, PCI compliant payment company Encoded, offers solutions to ensure compliance is achieved with minimum cost and maximum security.

Encoded is a leading provider of interactive voice response and automated payment solutions. It is also Level 1 PCI DSS Compliant.

To find out more and to talk about how Encoded can help save you money and protect your payment business please call Rob Crutchington on 0845 120 9790.