October  2007

What is PCI?

Firstly, it is important to note that PCI is not a law: It is a private security standard that members, merchants and service providers must follow pursuant to their contracts with the credit card companies. Although PCI is not a law, it is enforceable by the credit card companies through contractual penalties or sanctions that include revocation of the company’s right to accept or process credit card transactions.

Who does it apply to?

There is a myth that “I don’t take enough credit cards to need to be compliant.” This statement has been heard many times and is a common and broad misunderstanding of the requirements. While there are various levels of credit card merchant and service providers, there is no difference in compliance requirements. The fundamental confusion is between compliance and validation. If you are a current user of EFT/400 then PCI applies to you. Basically PCI applies to all members, merchants and service providers that store, process or transmit cardholder data, whether that data is received in a point of sale, phone, e-commerce or other type of transaction.

In addition to the compliance requirements, PCI also contains ongoing validation requirements. These requirements differ somewhat from one credit card company to another,

There is a general misconception that being compliant is hard and expensive – it needn’t be. PCI is just good, basic security. A diligent company should meet most of the requirements prior to even reviewing themselves for PCI compliance.

You could, in fact, make a strong case that PCI is the direct result of poor corporate governance by organisations handling credit card data. Had those organisations made best-practice efforts to secure that data, credit card theft and fraud might have been negligible, thereby reducing the need for the credit card companies to create a set of minimum standards to help offset the risk of offering credit card services. Another myth is that you only need to protect your system form external hackers. You will benefit if you look at protecting you data internally, because if it is secure from you internal team then it is going to be secure from everyone else!

What if I don’t comply?

The PCI program includes monetary penalties and other contractual sanctions for failure to meet its requirements. Under the Visa PCI program, members can be fined up to £250,000 per incident if any merchant or service provider that is not PCI-compliant is compromised. Visa members who fail to immediately notify Visa of a suspected or known loss or theft of transaction information may be fined£50,000 per incident, plus additional fines if a PCI violation presents immediate and substantial risks to Visa and its members.

More importantly failure to meet PCI can also result in suspension or revocation of a company’s right to accept or process credit card transactions. This certainly doesn’t look good for your business.

What do I need to do next? You can speak to us to find out how we can help you.