It's crucial that businesses keep on top of compliance, particularly with a range of updates being made to PCI DSS requirements. Tim Allitt, Head of Sales & Marketing, SecureTrading takes you through what your organisation needs to consider
Many organisations have taken significant steps to achieve PCI compliance and believe their current infrastructures would pass assessments. Now that the PCI Security Council has released version 2.0 of the PCI Data Security Standard and Payment Application Standard it is vital that retailers understand what this means for their day-to-day business.
The Payment Card Industry Security Standards Council (PCI SSC) recently updated its compliance guidance. Many retailers were hoping the update would give a clear way forward in terms of their PCI DSS compliance.
The guidance covered two areas. Firstly, the guidance concludes that EMV (Europay, MasterCard and VISA (EMV) or more commonly referred to as chip and pin) does not address PCI DSS and therefore the two need to coexist. The SSC are supporting EMV but it is still not insisting that EMV become the global standard. This means UK merchants are put at risk every time they want to accept payment on cards which are not EMV smartcards, and UK card holders are put at risk because their stolen data can be used on cloned cards outside of the UK where swipe is still the default standard.
Secondly, with regard to Point To Point Encryption (P2PE), the SSC states that the technology is at an 'immature' stage. The reality is however, that there are solutions in the market today which fit the P2PE definition and which are PCI DSS certified.
The responsibility of managing data is one issue that won't disappear for retailers and they may want to consider outsourcing the management of payments to a third party. Cost is a big concern to a retailer and if a business outsources to a secure, outsourced managed service from a Level 1 PCI DSS certified payment solution provider they will be able to have a fixed cost for this managed service. If they choose to outsource these costs they could potentially spiral out of control. According to a survey by Cisco, 67 per cent of IT decision makers think that their spending on PCI compliance will increase in the next year.
Therefore it makes sense for a business to select a suitable payment processor for a retailer's needs and outsource its PCI requirements. Not only will this make integration easy and provide excellent technical support, it will also offer the merchant the ability to offer all the payment methods a customer might have in their wallet or purse and thereby enable businesses to process payments swiftly and securely. The best payment processors will have a range of products to suit start-ups, SMEs and large corporate organisations.
The harsh reality remains, that the onus is on retailers of all sizes to comply with the PCI DSS regulations and it is retailers who face the cost of non-compliance (in terms of heavy fines and withdrawal of card acceptance services) not their suppliers. Payment service providers can help you with your online business, but you should also ensure that your offline procedures are compliant. Your acquiring bank will be able to help you ensure your offline compliance, while SecureTrading can advise on online requirements.
Working with an expert who has gone through the compliance process themselves and on a fixed fee basis could help them reduce costs to a minimum and not jeopardise their long term business plans or customer data.