The Economic Update December 2013


CREDIT CARD SECURITY

Limiting the Scope Reduces the Complexity

By Martin Vella

Very often we find that companies are somewhat lost when they find out they have to comply with PCI. Compliance is by no means a trivial effort. Trevor Axiak, Director at Kyte Consultants Limited, explains that experience shows that usually all it takes is a little push in the right direction and someone to provide guidance through the process. In this interview Mr. Axiak maintains that customers know their business much better than Kyte does, so in many cases Kyte's role is one of providing guidance more than anything else.

TEU: What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

TA: PCI DSS is a standard which was formed through the collaboration of the major card brands (Visa, MasterCard, American Express, Discover and JCB). The entire PCI program is managed and administered by the PCI Security Standards Council. The objective of the standard was to ensure that all those entities which in some way or another process or store credit card data achieve a minimum level of security for protecting credit card data. The scope of PCI compliance is wide and includes every entity that could possibly come in contact with credit card data during the entire lifecycle of a transaction, from when the customer enters his card details right up until the transaction is processed and stored on some entity’s servers. In other words, if any part of your business process, be it sales, accounting or some other function, handles full credit card data, you fall within the scope of PCI DSS and have to comply with it.

www.maltaeconomicupdate.com

TEU: Why Comply with PCI Security Standards?

TA: Since the PCI standard is backed by the card brands, it is mandatory for all entities that fall within the scope of PCI to achieve compliance. Entities who do not comply could potentially be exposing the credit card data they process to significant security risks and could face large financial penalties, especially if the entity suffers a security breach. Worse still, entities who do not comply could end up being forbidden from accepting online payments completely, resulting in significant financial losses. Although the PCI standard contains a number of requirements that can seem daunting, it is important to understand that most requirements are consistent with industry best practices. In other words, companies that have information security at heart should already have many of the requirements in place. PCI adds the extra dimension of credit card security.

TEU: What are the PCI compliance deadlines, what are the PCI compliance ‘levels’ and how are they determined?

TA: A distinction has to be made between PCI compliance and validation. All companies that fall within the scope of PCI need to achieve compliance with the PCI DSS standard. There is only one PCI standard and the requirements do not discriminate by size or industry. Validating your compliance is a different story. This relates to your obligation to report your compliance status on an annual basis. Reporting is made to the acquiring bank or to the card brands directly. The type of validation you are obliged to follow depends on whether you are a merchant or a service provider and on your classification level. It is the acquiring bank’s responsibility to classify entities based on risk as well as the nature and volume of credit card processing. As an example, a merchant

