PCI Compliance
Who or what is the PCI?
The Payment Card Industry (PCI) is an alliance of the major card schemes (Discover, JCB, American Express, Visa and Mastercard). It created the Data Security Standard (PCI DSS, currently on version 2, dated March 2011) to help organisations capture, process and store payment card details securely.
The Standard is made up of seven requirements, covering secure networks, protection of cardholder data, access control measures, information security policy, and monitoring and testing. You can find the full standard here.
In March 2011 the PCI Council issued a new guideline on Telephone-based Payments. You can find the Guideline here.
The main message is that cardholder data must be protected, and that sensitive authentication data must not be stored anywhere on the company's systems after authorisation.
Compliance is enforced by regular audits, carried out either by a professional Qualified Security Assessor (QSA) or by internal compliance personnel. Non-compliance can be a costly oversight: the card schemes can impose fines (through the acquirers), but even more alarming is the potential withdrawal of merchant service arrangements, which would remove the ability to accept card payments at all.
Deloitte estimates that the cost of non-compliance to the average company could run into millions of Euros: “Take a quite modest compromise of 10,000 cards at a merchant, you could expect to have compromise fees of 5 euros per card; investigation costs of about 30,000 euros; an average fraud of 1,000 euros per card, card replacement costs of 20 euros per card; and 30 euros per card in chargeback fees. That comes to around 11 million euros,” says Lisa White, PCI DSS expert, Deloitte.
The Ponemon Institute has also published findings on how much it costs to be compliant with PCI DSS and how much non-compliance could cost an organisation (it makes for some scary reading). Download it here.
Because contact centres often take payments over the phone, they fall within the scope of PCI DSS and have obligations regarding customer card data. With Semafone, you can take your call centre out of the scope of PCI DSS compliance.
See a video of industry expert Mike Havard talking about PCI compliance here.