The Payment Card Industry Data Security Standard (PCI DSS) can help enterprises dramatically reduce credit card fraud and bring significant additional benefits, including (i) increased credibility with banks and consumers; (ii) reduced, better-managed business impact and risk; and (iii) fewer breaches and greater security awareness. Of course, PCI DSS compliance also poses important challenges, including defining the right scope (which systems store, process or transmit cardholder data, or are connected to those that do), understanding the difference between compliance and security, and sustaining compliance after the initial implementation rather than treating the assessment as a one-off project.

An industry information security standard rather than a law, PCI DSS is mandatory for enterprises that process, store, transmit or access cardholder data for major debit, credit, prepaid, e-purse, ATM and POS cards; the obligation is enforced through the card brands' rules and the contracts merchants hold with their acquiring banks. The standard's framework originated from the five global payment brands' separate security programmes (Visa, MasterCard, American Express, Discover and JCB), which were consolidated into a single standard and designed to strengthen controls over cardholder data (CHD) in order to reduce card fraud. Any enterprise that falls within the scope of the standard must implement its requirements and demonstrate compliance, either through a self-assessment questionnaire or an assessment by a Qualified Security Assessor, depending on transaction volume and the acquirer's requirements.

Compliance is the baseline for securing CHD, reducing the likelihood of data breaches and avoiding penalties from card scheme operators or acquiring banks; it is not, on its own, a guarantee of security. Fines from acquiring banks for compliance violations can range from $5,000 to $100,000 per month, and are typically passed down to the merchant. In some cases banks may terminate a merchant relationship or increase transaction fees. Penalties can be catastrophic for small businesses, and large businesses may face additional consequences, including class action lawsuits, reputational damage and the costs of forensic investigations, notifying affected customers and remediating the vulnerabilities that were exploited.

Achieving PCI DSS compliance may seem an expensive, time-consuming process, but it encourages better security practices and thereby helps avoid the far larger costs associated with a major breach. It therefore makes sound business sense.

Jul-Sep 2016 Issue