What is PCI compliance and why does it matter?
If you own an online shop, bank online or use credit
and debit cards, there is a very good chance that you
have heard the term "PCI compliant." However,
you probably don't know what it means.
The term "PCI compliant" is heard more and
more these days as data breaches at merchants like TJMaxx
land hundreds of thousands of card details in the hands
of criminals. These criminals use the data to
make purchases and withdraw money from the accounts of
unsuspecting victims.
It's a huge and growing problem. More than 80% of data
stolen in breaches is payment card data, according to
the 2009 Verizon Business Data Breach Report.
Who are the PCI Security Standards Council?
The PCI Security Standards Council is an open global
forum, launched in 2006, that is responsible for the
development, management, education, and awareness of
the PCI Security Standards, including the Data Security
Standard (DSS), the Payment Application Data Security Standard
(PA-DSS), and the PIN Entry Device (PED) Requirements.
What is the standard exactly?
It's the PCI (Payment Card Industry) Data Security Standard.
It's a set of 12 specific requirements that cover six
different goals. It's very prescriptive: it says not only
that you need to be secure, it tells you how to become
secure. It's more about security than compliance. The
goals are things like:
- Build and maintain a secure network
- Protect cardholder data
- Regularly monitor and test the networks
What if I don't want to become PCI compliant?
If you decide not to become compliant, you can
still open an account with us. However, please remember
that you could face substantial fines and even be barred
if you do not.
If a merchant is found to be not PCI compliant,
what are the consequences?
90% of consumers don't understand the difference between
credit card fraud and identity theft. If they hear that
their credit card has been stolen, many of them believe
their identity is at risk. If that's the case many of
your customers won't shop with you anymore because they
are afraid you are not protecting their data and someone
is going to steal their identity. That's the worst thing
that can happen. The biggest problem would be if your
customers walk away. There are reputational damages
they have to deal with, which 9 times out of 10 cannot
be measured in terms of money.
What part of the standard is mandatory and
what is voluntary?
It's all mandatory. Nothing is voluntary. The rule
is if you store, process, or transmit credit card data
you must be compliant with the PCI standards. And that's
a global rule.
How do I become compliant?
You can become compliant by using an assessor. To see
the current list of PA-QSAs recognized by the PCI Security
Standards Council, please see below. Alternatively search
online for 'PCI compliant assessors'.
Please note, the PCI Security Standards Council maintains
an in-depth program for security companies seeking to
be certified as Payment Application Qualified Security
Assessors (PA-QSAs), as well as to be re-certified as
PA-QSAs each year.
We do not take any responsibility for third-party websites
and/or services.
How much does it cost to become compliant?
If you would like help with becoming compliant, prices
vary from company to company. However, the average price
is around £150. If you would simply like to self-assess,
then this is free.
Isn't this just another way of getting more
money out of businesses?
Not at all. This is for the benefit of all concerned.
80% of all online fraud occurs using stolen or misused
payment details. No matter where you go to become PCI
compliant (except for self-assessment) you will have
to pay a fee.
What now?
For more information, including an FAQ section, please
visit www.pcisecuritystandards.org