PCI Compliance: Whose responsibility is it anyway?

The Payment Card Industry Data Security Standard (PCI DSS) was originally the brainchild of the world’s five largest payment card providers: VISA, MasterCard, American Express, Discover and JCB International. Today, it is a global framework that provides guidance on how to process, store and transmit information about payment cards and their owners, with the aim of reducing the incidence of card fraud and promoting best practice in information security. Achieving PCI DSS compliance increases trust between an organisation and its partners and suppliers, and boosts customer confidence.

PCI DSS affects everyone in the trading food chain

Nowadays, paying for goods and services remotely is the norm, and every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS compliant. However, what many contact centres don’t realise is that PCI DSS covers the entire trading environment: all third-party partners and vendors that handle card data on their behalf, or that supply services over which card data is transmitted, must also comply before full PCI DSS compliance is achieved.

As organisations work hard to achieve and maintain ongoing PCI DSS compliance, they may choose to engage third-party service providers (TPSPs) to achieve their objectives, for example companies that store, process or transmit cardholder data on their behalf, or that manage components of their cardholder data environment (CDE) such as routers, firewalls, databases, physical security and/or servers.

Before selecting new TPSPs, organisations should conduct proper due diligence and risk analysis to establish whether the provider has the skills and experience necessary to achieve PCI DSS compliance. Once a provider is on board, making the time to put in place a third-party assurance programme that outlines clear policies and procedures is essential to ensuring that customer card data and systems are fully protected at all times and in a compliant manner.

Contact centres beware!

Coming back to contact centres, many use multiple vendors for their technology, so it is becoming increasingly important for management to understand exactly who does what in the end-to-end card payment process, who needs to be PCI DSS compliant, and the precise status of each vendor’s PCI DSS credentials. Referring to the VISA Merchant Agents List is a useful first step in vetting vendors, and in avoiding fines and lawsuits should the unthinkable happen and customer card data be stolen.

Responsibility Matrix to address the thorny issue of PCI DSS responsibility

At the end of last year, when the latest version of PCI DSS was announced, along came the “Responsibility Matrix”, a new requirement that attempts to shed light on some of the grey areas surrounding PCI DSS and begins to answer the perennial question: whose responsibility is it anyway?

PCI DSS 3.1 clarifies much of the ambiguity of the previous versions. There shouldn’t be anything in it that affects the day-to-day running of a contact centre. However, service providers are now required to supply a “Responsibility Matrix” that defines which of the many controls are the responsibility of the merchant and which fall to the TPSP. Each responsibility needs to be clearly listed as “the merchant’s responsibility”, “the service provider’s responsibility” or a “shared responsibility”. *

Remember, PCI compliance is not a one-off exercise. It must be revisited every year, and that takes time and resources. The best way to minimise future costs as the standard evolves is to reduce exposure in the primary risk areas, such as staff and infrastructure. Invest in training and education on the PCI standard in order to have the talent in-house. Unless you have a good understanding of PCI, how will you know whether the advice you receive is valid or not?

* https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf, Section 5.3.1 and Appendix B: Sample PCI DSS Responsibility Matrix, page 40