The Payment Card Industry Data Security Standards (PCI DSS) is a set of requirements for protecting payment account data security. These standards were developed by the PCI Security Standards Council, an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis. To learn more you can visit HERE
PCI DSS compliance is a contractual obligation, generally between a Merchant and their Acquiring Bank. It applies to ALL entities that store, process and or transmit payment card data, irrespective of the quantity of payments processed. PCI DSS also applies to Third Party Service Providers, who support entities that may have outsourced the payment handling process. Outsourcing does not release an entity from their obligation to be certified as compliant. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO), and e-commerce.
If you do not comply with the security requirements of the card associations, you put your business and your customers at risk of payment card compromise. Data breaches are becoming more and more frequent, and the reputational damage they can cause to a business can be irreparable. You will also be liable for the cost of the required forensic investigations, fraudulent purchases and the cost of re-issuing cards. You may also lose your card acceptance privileges.
Data breaches are known by varying names.
Visa refer to them as Account Data Compromise (ADC),
whereas Mastercard call them Operational Reimbursement (OR) and Fraud Reimbursement (FR).
Penalties vary by card schemes and by the state of compliance at the point of breach.
Visa Europe state that a 3000€ penalty would apply for each ADC, which could be followed by a PFI (PCI Forensic Investigation) for Level 1-3 merchants, or for Level 4 merchants who process more than ten thousand Visa cards. Each card then deemed at risk (PAN and CVV2 details) then carries a penalty of 18€.
There are hidden costs associated with an ADC event too, including the cost of a full compliance report by engaging a QSA (Qualified Security Assessor) that meets specific information security education requirements, and has taken the appropriate training from the PCI Security Standards Council, as well as the further migration and development costs to outsourced solutions.
The PCI DSS considers any person, employee, technology or system that comes into contact with sensitive card data as 'in-scope'. To reduce the amount of applicable PCI controls that must be implemented, businesses are advised by the PCI SSC to reduce whom and what comes into contact with cardholder data, called 'Descoping'.
“If you can limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals."
- Troy Leach. CTO PCI Standards Security Council.