Five things you should know about PCI DSS

Opinion by Robert Crutchington

There's no such thing as a PCI DSS compliant solution, and companies, meaning merchants, remain responsible for lost data, says Robert Crutchington.

According to the UK Cards Association, whose members collectively issue more than 55 million credit cards and 95 million debit cards, card spending continues to climb despite the overall decline in retail spending. In September 2014 alone, the number of purchases increased by 5.8 million, topping just over 1 billion for the second consecutive month. Statistics like these highlight a growing trend that increasingly throws the spotlight on security, both in terms of protecting confidential client data and in terms of protecting an organisation's corporate reputation.

The Payment Card Industry Data Security Standard (PCI DSS) was created in 2007 to tackle these challenges head on, yet it remains surrounded by myth and confusion. Here are the top five things you should know about PCI DSS:

1) Who is responsible for loss of card data?

Payment schemes such as VISA and merchant service providers like Elavon are getting tough on organisations taking card payments. Many merchants don't realise they will be the ones fined in the event of a data breach, as they believe their bank or third-party supplier will be liable.

However, the latest version of PCI DSS, effective from the end of 2014, takes the first step towards holding suppliers themselves accountable for lost data: it demands that evidence of accountability for each of the 258 controls in the standard be written into all business contracts.

2) The buck stops with the merchant, but VISA will never enforce a fine

The buck stops with the merchant and, in the event of a security breach, they are the ones who will be fined. But by whom? Card companies such as VISA cannot fine a merchant, because VISA does not have the contractual relationship with the merchant but with the acquirer (the bank or financial institution that processes card payments on behalf of merchants). It is the acquiring bank's responsibility to make sure its merchants are compliant, and it is the bank that issues fines, increases charges for non-compliance and imposes compulsory PCI programme costs.

3) There is no such thing as a PCI DSS compliant solution

Many solution providers make the mistake of marketing their products as PCI DSS Compliant. There is no such thing. To advertise this claim is to miss the very thing that PCI DSS is trying to achieve, which is to maintain a unified security standard to which merchants have to adhere. Only companies and legal entities can be PCI DSS compliant, not software.

What the right technology can do is help merchants achieve compliance and minimise risk by automating business processes that tangibly reduce costs and resolve their PCI headache.

4) How to save money and remain compliant using tokenisation

One of the most significant advances within the payments industry is the tokenisation of card payments. Tokenisation is the process of creating a meaningless number that references back to the genuine card details, which are held elsewhere. It allows organisations to retain card details in a secure way and minimises the risk of data loss. At the same time, it offers merchants a series of benefits that significantly boost their value proposition. Suddenly merchants can offer payment schedules for services such as automatically clearing off variable balances at the end of each month, and can even enable consumers to tokenise their own card details online or via an Interactive Voice Response (IVR) system in the contact centre.

5) The importance of the VISA merchant agent list

How can merchants decide who to entrust their clients' card data with? By referring to the VISA Merchant Agent List, merchants can be confident that the companies operating in their trading environment demonstrate the highest levels of data security and acceptable business practices. But more than this, by signing up to VISA's list, payment service providers are agreeing to VISA's terms and conditions, which grant full unrestricted access to audit their systems should a breach be identified as originating from within their network. This instils trust that a listed service provider's customers' card data is protected, and further protects merchants from blame if the worst happens and a breach occurs.

VISA and Elavon even insist that customers use only organisations which appear on this list. This means any company involved in accepting transactions, IVR payments, internet payment gateways and any other service or product that is directly or indirectly involved in data transactions must register and appear on the list.

Contributed by Robert Crutchington, director, Encoded
