PCI-DSS compliance - getting it right is tough.
If you're a business, you'll probably have a bank account.
If you have a bank account, you'll probably have heard about PCI-DSS.
If you've heard about PCI-DSS, you'll probably be aware that if you take cards in any way, you need to be 'compliant'.
With cash becoming less popular and cheques becoming totally obsolete in 2018, if you don't take cards, you're probably going to in due course. After all, they make transactions smooth and easy for customers and provide better protection than cash, or cheques.
So what is PCI-DSS? It stands for Payment Card Industry - Data Security Standard. Who are the Payment Card Industry Security Standards Council (to give them their full title)? It's a body that includes pretty much all of the large credit and debit card processors:
- American Express
- Discover Financial Services
- Mastercard Worldwide
- Visa International
The standard will be mentioned in your terms and conditions for taking card payments. By using the card facilities provided, you have assented to abide by this standard when taking cards. Normally this means you need to be PCI-DSS compliant. If you haven't subjected your payment processing facilities, both online and offline, to these tests, now is probably a good time to sort this out. Why now? The build-up to Christmas hasn't quite started and we're all back from our summer holidays - now really is a good time!
But what if you don't? Small print and terms and conditions don't come back and bite people that often, do they? Actually, this is quite a serious condition to have assented to. Unless you're PCI-DSS compliant, the conditions normally state that the card provider can enforce fines and penalties if your facilities are used fraudulently. Is this just posturing by the banks and card processors? No, Netguides have customers who have been subjected to substantial fines before they came to use our solutions.
Not only have these businesses been fined by their bank (who really can just take the money from your account) but, if their systems have been compromised, they have been moved from being a Level 4 merchant, who only needs to complete an annual self-assessment questionnaire and be tested annually, to being a Level 1 merchant. This means an annual on-site audit and quarterly testing of their systems. The costs of the audits are something that the merchant has to bear, too.
It might seem a little odd that these fines and quite onerous conditions are being brought to bear on businesses by what is, to all intents and purposes, a quango. Unfortunately there was no other practical and effective way for these processors to enshrine something that would work across country borders and limit the risk they are exposed to from fraud.
So how do you get compliant? Carefully is probably the best way to put it. We've heard of people getting calls from consultants employed by banks to help guide people through compliance. From the stories being relayed to us about this, it sounds very much like these firms are guiding people through answering the questions on the self-assessment questionnaire correctly, to appear compliant. Is this safe? Make your own judgement.
We've also had these consultants tell our customers that their online systems just need to be compliant and don't need to be certified. This seems a very dubious differentiator, especially as the standard regularly changes and evolves. In addition to this, new security vulnerabilities are discovered for pretty much ALL online systems on a regular basis. Being compliant one month is no guarantee of being compliant the next.
Netguides have many customers who take card payments, whether by using encrypted emails, holding details in secure online portals, or integrating directly with payment service providers (PSPs) such as Sagepay and PayPoint.
Each of these systems will need to be at the very least checked, if not tested. Because of the complexity of the standard, different banks interpret it in different ways. One bank may demand that our systems are certified, whereas another may just want reassurance that we are compliant (in which case we need to use an automated tester). There are over 220 sub-requirements, which provide huge scope for differing interpretations.
The complexity of this whole situation has led the Chief Information Officer of the US National Retail Federation to describe it as "little more than a money-making racket for credit-card companies". The British Retail Consortium has also appealed to the card industry regarding the fines being levied.
While we understand business objections to the standard, as an IT company we also empathise with the need to ensure systems used to process such sensitive data are well-built and properly protected.
Netguides systems, such as our Gema Business systems (including Gema Shop, Gema Hotel and GemaPark), have been built robustly and generally take very little to pass the PCI-DSS testing procedures. If you are considering an online business system and have any questions about how to ensure you are compliant, don't hesitate to give us a call on 01983 282420.