Almost a decade on from its original launch in 2006, the Payment Card Industry Data Security Standard (PCI DSS) continues to generate heated debate regarding its precise application and interpretation. Many of the issues stem from the wealth of misinformation out there about the standard, perpetuated by individuals and groups who do not properly understand the principles behind it or why it was originally created. At the centre of this is a number of PCI DSS myths that have no grounding in fact yet continue to arise time and time again. Below are five of the most common of these myths, which this article hopes to dispel once and for all.
1) If your business is non-PCI compliant, the card brands will fine you
This is incorrect. Whilst the global card brands such as MasterCard, VISA and American Express are the driving force behind PCI DSS, their relationship is with the acquiring banks (Barclays, HSBC etc), not the merchants themselves. As such, the card brands cannot directly fine the merchants for any breach where the merchant is found to be non-PCI DSS compliant.
However, that’s not to say merchants can’t be fined. Acquiring banks can levy fines in cases where merchants are the subject of a security breach and upon investigation are found to be non-compliant. Fines for a small merchant typically total around £15,000, which is payable on top of any forensic investigation and remediation costs (that can significantly increase the financial penalty).
2) PCI DSS compliance trumps FCA regulations
One of the most common myths encountered amongst regulated UK industries is that PCI DSS compliance is more important than compliance with the Financial Conduct Authority (FCA) regulations. It’s not hard to see where the confusion creeps in; the two sets of regulations create a compliance paradox, where the ‘correct’ answer is not immediately clear.
This is because under the current rules, it is a violation of the PCI DSS requirement for any merchant to store any sensitive payment authentication data after authorisation, even if encrypted. However, the FCA regulations demand that financial institutes keep sufficient detail of all their transactions, often for many years after the transaction took place. This is particularly vexing when considering phone payment recordings, where the two regulations appear to directly conflict with one another.
In truth, FCA trumps PCI DSS every time, however it is possible to be compliant with both regulations simultaneously. By deploying secure telephone payment platforms, in customer contact centres, merchants governed by FCA can maintain accurate transaction records whilst ensuring no sensitive payment data is captured as part of those calls. At the point of a payment, customers are re-routed through the platform, keying in their payment information via the telephone keypad where it is processed directly with the bank. If the information never enters the call centre, PCI compliance is achieved, while the merchant has the complete call recording required to meet FCA requirements.
3) Qualified Security Assessors and security advisors are the same
One of the more concerning myths out there is the notion that security advisors can do the same job as Qualified Security Assessors (QSAs). This is extremely innacurate. Whilst unscrupulous security advisors may try to convince merchants otherwise, only qualified QSAs are able to carry out an official PCI DSS audits. The full list of officially recognised PCI DSS QSAs can be found on the PCI standards website. All merchants should ensure the individual/company conducting their PCI assessment is on this list before engaging their services. Failure to do so could leave the merchant with expensive bills for consultancy services, but no closer to being officially recognised as PCI compliant.
4) Once an auditor is satisfied you are PCI compliant, you are officially ‘PCI certified’
Many merchants and service providers like to promote themselves as ‘PCI DSS certified’ in marketing materials to entice new customers. However, this is false advertising. There is no such thing as being ‘PCI DSS certified’ and customers should be wary of any merchant/service provider stating they are.
PCI DSS compliance is a continuous process, not a snapshot in time. Too many merchants make the mistake of thinking that once they have passed the QSA audit, they can tick the box and not worry about PCI compliance again until the next annual review. More often than not, this mentality leads to merchants falling out of compliance shortly after certification has been achieved.
5) Outsourcing PCI compliance to a service provider makes it their problem
Many merchants choose to outsource PCI compliance to specialist third party providers, which can be a good strategy, particularly when they lack the necessary infrastructure and resources to attempt it in house. However, some make the mistake of assuming that all of the associated liability is transferred along with it. Whilst the assistance of a specialist third party can greatly reduce the burden of PCI compliance on a merchant, it does not remove it entirely. Furthermore, the reputational damage attached to any major data breach will always fall on the merchant itself, irrespective of which party was actually to blame.
Recent changes to the PCI DSS regulations mean Merchants must now ensure third parties sign an enforceable agreement acknowledging the responsibility they have to the security of the payment data under their control. However, merchants choosing this route must not lose sight of where the blame will lie in the eyes of their customers, irrespective of where the buck stops from a legal perspective.
The path to PCI compliance may not always be straightforward but it is a critical aspect of any effective data security strategy. The wealth of misinformation out there doesn’t help but it also shouldn’t be used as an excuse. With a little effort, merchants can quickly sort the fact from the fiction, giving them a clear path to achieving compliance and keeping their customer data safe.
By Matthew Bryars, CEO of Aeriandi