
What you should know about PCI

Non-PCI DSS-compliant providers can put resellers at risk, says Robert Crutchington

More customers want business partners to comply with the Payment Card Industry Data Security Standard (PCI DSS) these days, in an understandable attempt to protect against data losses and breaches.

So it is becoming important for those operating in the channel to fully understand what is involved and where the buck stops.

When Visa, MasterCard, JCB, Discover and American Express created the standard, they settled on 12 requirements for business systems that store, process or transmit cardholder data.

Many organisations do not realise that all third-party partners and vendors that handle card data must also comply.

Payment schemes are building lists of registered third-party vendors that have demonstrated certain levels of data security and acceptable business practices. For example, Visa Europe maintains a Merchant Agents List, and merchant services organisations such as Elavon want their customers to use only the listed organisations.

This covers any company involved in accepting transactions, interactive voice response (IVR) payments, internet payment gateways and any other service or product that is directly or indirectly involved in handling transaction data.

End-user sales organisations must understand who does what in the process and who needs to comply - or risk fines and lawsuits in the event of customer card data loss.

Visa lists two levels of organisations that provide services to merchants, with very different validation procedures. For the top Level 1, an Attestation of Compliance (AOC) is needed. This level only applies to organisations that store, process or transmit more than 300,000 Visa transactions per year.

This AOC and a compliance report must be completed by an independent Qualified Security Assessor (QSA). These people cost money and have exacting standards. And perhaps because of this cost, some vendors are claiming to be PCI DSS-compliant when they have not completed the process.

This is putting merchants and the channel at risk.

For Level 2 registration, organisations do not need to have their security assessed on site by a QSA. They can complete a self-assessment questionnaire, including the aforementioned AOC, without involving a QSA.

Level 2 applies to smaller providers, with fewer than 300,000 Visa transactions a year.

Payment schemes such as Visa and merchant service providers like Elavon are getting tough on organisations taking card payments.

Many end-user organisations do not even realise they could be fined in the event of a data breach. They often believe their bank or third-party supplier is primarily liable.

Organisations with call centres are particularly vulnerable and should do everything in their power to work only with Level 1-compliant partners.

Robert Crutchington is director of Encoded
