What is PCI and why a payments provider need to be PCI certified

Please, please tell me a story about the Payment Card Industry Data Security Standard (PCI DSS).

Okay, you are unlikely to hear those words at bedtime, but who doesn’t love a story with good guys, bad guys and a fortune at stake?

So what is PCI DSS?

Once upon a time, four major credit-card companies created PCI DSS Certification: Visa, MasterCard, Discover and American Express.  It’s a set of standards and procedures designed to keep card transactions and cardholders’ personal information out of the hands of the bad guys.    It applies to every business whether it’s operating from a spare room at home or a corporate headquarters that touches cardholder data in any way.  There are 12 requirements to the Standard, and they are constantly being upgraded and adapted.  It’s a very complex and time-consuming process, which is why each business should make sure their payments provider is PCI DSS certified.

What if I don’t bother with PCI DSS?

Loyaltybuild is a company that reward schemes for companies across Europe, including Ireland, Norway and Sweden.  On November 13, 2013, they suffered a data breach affecting the personal data of 1.5m individuals including 376,000 individuals whose full credit card data was compromised.  Operations stopped completely for a period.  Yet, somehow, they won their original clients back by July 2014.  But at what cost?  Richard Hadfield, Managing Director, said that the firm spent “north of €500,000” on new technology and security and training staff on new PCI DSS measures.  He said, since the attack, Loyaltybuild has been “audited numerous times by third parties, we want to be best of breed”.  The company worked to become PCI compliant, took on a new payment processing company and no longer stores credit card details.   Penalties for a business that is non-PCI compliant include fines, increased transaction fees and loss of customer trust.

I’m PCI DSS Compliant, not certified- isn’t that enough?

 Most businesses don’t realize that there’s a significant difference between being PCI compliant and PCI certified. It’s relatively easy to achieve PCI compliance. All that’s required is the completion of a self-assessment questionnaire, which usually takes about a half-day and demonstrating intent to change.  PCI Certification, on the other hand, is a major undertaking, involving a full-scale audit by a qualified security assessor (QSA) and covering roughly 288 controls. These include detailed reviews of how software is developed; how engineers were trained; daily reviews of more than 200 different streams of audit events and a fully documented software development lifecycle.  It doesn’t just happen once, either.  PCI certified companies have to renew their certification annually, as well as undertake mandated quarterly scans.  To find out if your payments provider is PCI certified check http://www.visa.com/splisting/

 The latest Breach Level Index from Gemalto’s SafeNet revealed that the number of compromised data records is on the rise, increasing by 78 % to just over one billion in 2014.  Data breaches were also on the up, rising 49 % year-on-year to 1,541 incidents.   Europe accounted for 190 data breaches in 2014.  The US experienced three in every four breaches (76%).   A decision to get PCI DSS certified today shows companies are willing to ensure customers’ payment card data is kept safe and that they can have confidence that they’re protected against the pain and cost of data breaches.