"Criminals are increasingly looking to exploit CNP channels such as mail order/telephone order and e-commerce. Telephone-based payments represent an area of opportunity for fraud as this method of payment exposes account data in the clear and must be given full consideration in any security strategy and PCI DSS compliance program." PCI SSC 2018

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting payment account data. The standard was developed by the PCI Security Standards Council, an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis.

Who needs to be PCI DSS compliant?

PCI DSS compliance is a contractual obligation, generally between a Merchant and their Acquiring Bank. It applies to ALL entities that store, process and/or transmit payment card data, irrespective of the quantity of payments processed. PCI DSS also applies to Third Party Service Providers that support entities which have outsourced the payment handling process. Outsourcing does not release an entity from its obligation to be certified as compliant. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO), and e-commerce.

What happens if I am not compliant?

If you do not comply with the security requirements of the card associations, you put your business and your customers at risk of payment card compromise. Data breaches are becoming more and more frequent, and the reputational damage they can cause to a business can be irreparable. You will also be liable for the cost of the required forensic investigations, fraudulent purchases and the cost of re-issuing cards. You may also lose your card acceptance privileges.

What are the penalties for breaches?

Data breaches are known by varying names. Visa refer to them as Account Data Compromise (ADC), whereas Mastercard call them Operational Reimbursement (OR) and Fraud Reimbursement (FR). Penalties vary by card scheme and by the state of compliance at the point of breach.

Visa Europe state that a 3000€ penalty would apply for each ADC, which could be followed by a PFI (PCI Forensic Investigation) for Level 1-3 merchants, or for Level 4 merchants who process more than ten thousand Visa cards. Each card deemed at risk (PAN and CVV2 details) then carries a penalty of 18€.

Example: 30,000 card details breached.

Case Fee: 3000€
ADC Penalties:
30,000 x 18€ = 540,000€

There are hidden costs associated with an ADC event too. These include the cost of a full compliance report, which means engaging a QSA (Qualified Security Assessor) who meets specific information security education requirements and has taken the appropriate training from the PCI Security Standards Council, as well as the further costs of migration and development to outsourced solutions.

What does 'Descoping' mean?

The PCI DSS considers any person, employee, technology or system that comes into contact with sensitive card data as 'in-scope'. To reduce the number of applicable PCI controls that must be implemented, businesses are advised by the PCI SSC to reduce who and what comes into contact with cardholder data, a practice called 'Descoping'.

"If you can limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals."

- Troy Leach, CTO, PCI Security Standards Council, Dec 2016