Any time a customer makes a payment using a credit or debit card, whether over the phone, online or in person, the Payment Card Industry Data Security Standard (PCI DSS) comes into play. The PCI DSS was established by the Payment Card Industry Security Standards Council (PCI SSC), a body set up by the card brands, and does not originate from any governmental body. It is a set of 12 requirements for securing payment transactions and protecting cardholders against the misuse of their payment card data. Non-compliance with the requirements can mean significant fines and the loss of the privilege of accepting payment cards.
In this post we will examine PCI DSS, what makes it so critical, and the consequences of non-compliance.
Who Must Comply with the PCI DSS?
The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Merchants and service providers are sorted into levels (set by the card brands according to annual transaction volume), but the level only changes how compliance is validated; the requirements themselves are the same for every merchant and service provider, across every industry sector.
Most security practitioners would agree that a merchant who does not comply with PCI DSS is bordering on negligence, since most of the requirements are nothing more than security best practice.
For example, the PCI DSS requires merchants to:
● “Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks”
● “Deploy anti-virus software on all systems commonly affected by malicious software”
● “Limit access to system components and cardholder data to only those individuals whose job requires such access”
How PCI DSS Is Demonstrated and Checked
The PCI SSC does not penalize merchants directly. It is the five payment card brands (Visa, MasterCard, American Express, JCB International and Discover) that hand down fines for not adhering to PCI DSS, and it is the acquiring bank that is responsible for checking the ongoing compliance of the merchants it serves. The merchant and the acquiring bank can both be fined by the card brands. Because banks are responsible for enforcing ongoing compliance, they decide how to verify a merchant's compliance and how to penalize non-compliance.
Merchants must demonstrate PCI DSS compliance to their acquiring bank in one of two main ways, and the acquiring bank determines which applies:
● By working through a Self-Assessment Questionnaire (SAQ) on their own. There are several SAQs. To establish which one applies, the merchant must determine its level, which corresponds to the total annual volume of payment card transactions the business takes, and how those transactions are conducted (in person or online)
● By undergoing a full Report on Compliance (ROC) assessment by a certified third-party security expert known as a Qualified Security Assessor (QSA), which is essentially an external audit
There are specific reporting requirements dependent on the merchant level: an onsite assessment by a QSA is required for level 1 merchants, while self-assessment via an SAQ is required for merchant levels 2 to 4.
There are pros and cons to both reporting procedures. The biggest drawback of self-assessment is that it leaves room for critical error, including misinterpreting the requirements or buying technology that does not actually close a specific compliance gap. An audit takes more resources and costs more, but it also gives far greater certainty that compliance is actually being achieved.
After a Data Breach: Fines and Penalties
In the event of a data breach, the card brands will investigate the merchant's level of PCI DSS compliance further. They first ask the acquiring bank to provide records of how it was tracking the merchant's compliance. Once they have assessed the bank's enforcement and established whether the merchant was compliant at the time of the breach, they distribute fines and penalties. Those fines can range from $5,000 to $100,000 per month, depending on the size of the merchant's business and the degree of non-compliance, and any fines the bank incurs can be passed on to the merchant through higher transaction fees or service charges. There can also be additional fines for repeat violations, depending on the merchant's acquiring bank. These fines can be reassessed monthly, rising over time, until the merchant is in full compliance. If the merchant still does not comply, its ability to take payment cards may eventually be revoked.
It should be noted that the cost and time of recovering from a data breach far exceed the cost of becoming PCI DSS compliant and staying compliant. According to the 2018 Cost of a Data Breach Study by Ponemon, the average cost of a data breach involving fewer than 100,000 lost records is $3.86M, a 6.4 percent increase from 2017, and the cost of a 'mega-breach' (1M to 50M records lost) is between $40M and $350M.
The Importance of PCI DSS Compliance & How it Can Be Simplified
As the number of digital transactions grows every day, so does the amount of fraud. The risk of a merchant suffering a data breach has never been greater, and the consequences can be far reaching: monetary penalties and, often, irreparable damage to brand reputation. Compliance with the PCI DSS does not guarantee protection against a data breach, but taking the steps outlined in the standard greatly reduces the risk of one, and non-compliance in itself can result in fines imposed by the major card brands.
The PCI DSS provides a framework for limiting the risk of financial loss from fraud and other criminal activity. But as we always reiterate, it is the responsibility of any entity processing payment card information to meet these requirements as a minimum, and then to develop its own systems and procedures for payment card security, privacy and wider risk and fraud mitigation on top of them.
In the contact centre, compliance with data security requirements is even more essential, because the contact centre is a central hub through which a large number of customer interactions and payments pass. Ensuring compliance and customer data security can be a daunting task, but reducing compliance scope (decreasing the number of systems and pieces of infrastructure that come into contact with cardholder data) with dual-tone multi-frequency (DTMF) masking technology is an effective way to reduce the number of PCI DSS controls that must be implemented. The most effective way to protect customer data, comply with the PCI DSS and minimize the ongoing cost of securing your infrastructure is to prevent sensitive payment information from entering your call centre environment in the first place. Scope reduction is only real if the masking holds everywhere the call audio goes: the agent's headset, the call recording and any speech analytics must all receive the masked audio, because any system that still receives the digits stays in scope.
For more information on how Semafone can remove sensitive data from your business infrastructure and dramatically reduce both PCI DSS compliance costs and the risks associated with fraud, take a look at our Cardprotect product page.
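To make the scope-reduction idea concrete, here is an added simulation of a DTMF masking proxy. It is illustrative code written for this post, not Semafone's product code and not an implementation the PCI SSC prescribes. A call is modelled as a list of events (speech, customer keypresses and agent-desktop controls, all constructed here); while a capture window is open, every keypress is replaced by a flat tone in the stream that reaches the agent and the call recorder, and the digits are buffered for the payment processor only. The event model, the `capture_on`/`capture_off` controls and the `#`/`*` key conventions are assumptions for the example.

```python
from dataclasses import dataclass

# What the agent headset and the call recorder receive instead of a real DTMF tone
FLAT_TONE = "<flat-tone>"


@dataclass
class Event:
    kind: str    # "speech", "dtmf" or "control" (assumed event model)
    source: str  # "customer", "agent" or "desktop"
    value: str   # spoken words, a single DTMF symbol, or a control command


@dataclass
class CaptureResult:
    agent_stream: list   # events that reach the agent and the recorder (in PCI scope)
    agent_display: str   # what the agent screen shows after capture
    pan_for_psp: str     # full PAN, forwarded only to the payment processor
    luhn_ok: bool        # basic sanity check before the PAN is sent on


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum, so a mistyped PAN is rejected without involving the agent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_display(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits in the clear on a display;
    this example shows only the last four."""
    return "*" * (len(pan) - 4) + pan[-4:] if len(pan) >= 4 else "*" * len(pan)


def mask_call(events):
    """Run the masking proxy over a call. Digits keyed inside a capture window never
    reach agent_stream; DTMF outside a capture window (IVR menus, surveys) passes unchanged."""
    capturing = False
    pan_digits = []
    agent_stream = []
    for ev in events:
        if ev.kind == "control":       # desktop controls are not audio, nothing to forward
            if ev.value == "capture_on":
                capturing, pan_digits = True, []
            elif ev.value == "capture_off":
                capturing = False
            continue
        if capturing and ev.kind == "dtmf" and ev.source == "customer":
            agent_stream.append(Event("dtmf", "customer", FLAT_TONE))  # tone replaced
            if ev.value == "*":        # assumed convention: customer restarts entry
                pan_digits = []
            elif ev.value == "#":      # assumed convention: customer signals completion
                capturing = False
            elif ev.value.isdigit():
                pan_digits.append(ev.value)
            continue
        agent_stream.append(ev)        # speech and out-of-window DTMF pass through
    pan = "".join(pan_digits)
    return CaptureResult(agent_stream, mask_display(pan), pan, luhn_ok(pan) if pan else False)


# Constructed sample call (not a real recording); 4111 1111 1111 1111 is a standard test PAN.
SAMPLE_CALL = [
    Event("speech", "agent", "I'll take the card number now, please key it in on your phone."),
    Event("control", "desktop", "capture_on"),
    Event("speech", "customer", "okay"),
    *[Event("dtmf", "customer", d) for d in "4111111111111111"],
    Event("dtmf", "customer", "#"),
    Event("speech", "agent", "Thanks, that's gone through."),
    Event("dtmf", "customer", "1"),    # post-payment survey keypress: outside the window
]


def run_sample() -> CaptureResult:
    return mask_call(SAMPLE_CALL)


def pan_reached_agent(result: CaptureResult) -> bool:
    """True if any four consecutive PAN digits appear in what the agent side received."""
    heard = "".join(e.value for e in result.agent_stream)
    return result.pan_for_psp[:4] in heard


if __name__ == "__main__":
    r = run_sample()
    print("agent display:", r.agent_display)
    print("flat tones sent to agent/recorder:", sum(e.value == FLAT_TONE for e in r.agent_stream))
    print("PAN reached agent side:", pan_reached_agent(r), "| Luhn ok:", r.luhn_ok)
```

The point of the design is that `agent_stream` is the only thing the contact centre's recorder, analytics and agent desktop ever see, so those systems hold no PAN and can be argued out of scope, while the processor-bound `pan_for_psp` path is the one component that must remain fully controlled.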
For more information on PCI DSS, visit: https://www.pcisecuritystandards.org/