PCI DSS Compliance: Whose responsibility is it anyway?
By Rob Crutchington – Director at Encoded
The Payment Card Industry Data Security Standard (PCI DSS) was originally the brainchild of the world’s five largest payment card brands: VISA, MasterCard, American Express, Discover and JCB International. Today it is a global framework that sets out how organisations must process, store and transmit payment card data and cardholder details, with the aim of reducing the incidence of card fraud and promoting good practice in information security. Achieving PCI DSS compliance increases trust between an organisation and its partners and suppliers, and boosts customer confidence.
PCI DSS affects everyone in the trading food chain
Nowadays, paying for goods and services remotely is the norm, and every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS compliant. What many contact centres don’t realise, however, is that PCI DSS covers the entire trading environment: every third-party partner and vendor that handles card data on their behalf, or supplies services over which card data is transmitted, must also comply before full PCI DSS compliance can be claimed.
As organisations work to achieve and maintain ongoing PCI DSS compliance, they may engage third-party service providers (TPSPs) to help them, for example companies that store, process or transmit cardholder data on their behalf, or that manage components of their cardholder data environment (CDE) such as routers, firewalls, databases, physical security and/or servers.
Before selecting a new TPSP, organisations should carry out proper due diligence and a risk analysis to establish whether the provider has the skills and experience needed to support PCI DSS compliance. Once a provider is on board, taking the time to put in place a third-party assurance programme with clear policies and procedures is essential to ensuring that customer card data and systems are protected at all times, and in a compliant manner.
Contact centres beware!
Coming back to contact centres: many use multiple vendors for their technology, so it is increasingly important for management to understand exactly who does what in the end-to-end card payment process, who needs to be PCI DSS compliant, and the current status of each vendor’s PCI DSS credentials. Checking the VISA Merchant Agents List is a useful first step in vetting vendors, and in avoiding fines and lawsuits should the unthinkable happen and customer card data be stolen.
Responsibility Matrix to address the thorny issue of PCI DSS responsibility
At the end of last year, when the latest version of PCI DSS was announced, along came the “Responsibility Matrix”, a new requirement that attempts to shed light on some of the grey areas surrounding PCI DSS and begins to answer the perennial question: whose responsibility is it anyway?
PCI DSS 3.1 clears up much of the ambiguity of earlier versions, and nothing in it should affect the day-to-day running of a contact centre. However, the standard now requires merchants to maintain a record of which PCI DSS requirements are managed by each service provider and which they manage themselves (Requirement 12.8.5), and service providers are expected to supply a “Responsibility Matrix” to support this. The matrix sets out, control by control, which items are the merchant’s responsibility, which are the service provider’s responsibility, and which are a shared responsibility. A shared control still needs an owner for each part of it; “shared” is not an answer on its own.
Remember that PCI compliance is not a one-off exercise. It must be revisited every year, and that takes time and resource. The best way to minimise future costs as the standard evolves is to reduce exposure in the primary risk areas, namely staff and infrastructure. Invest in training and education in the PCI standard so that the expertise is available in-house; without a good understanding of PCI, how will you know whether the advice you receive is sound?
The buck stops with the merchant
Most card-accepting contact centres understand the importance of protecting customer data from fraud and cybercrime. Many, however, may not be aware that in the event of a security breach it is the merchant, not the vendor, that will be fined. Costs quickly add up: payment network fines and assessments, the forensic fees associated with a compliance audit of the merchant’s business environment, and legal fees, not to mention reputational damage and lost sales. Always remember: the buck stops with the merchant.
those organisations who demonstrate full PCI compliance, thereby reducing the incidence of lost data and fraudulent activity. The welcome result would be fewer fines, lower prices and fewer sleepless nights worrying about security.
To my mind it is simple: use the money raised in fines and levies to promote the relevance of PCI DSS, so that customers look out for the PCI sign when making a purchase and paying by card. This would benefit everyone, improve security and raise the profile of PCI DSS to the level it deserves.
Rob Crutchington is a Director at Encoded
Encoded is a leading Payment Service Provider and a pioneer of new and innovative secure payment solutions for contact centres. Encoded offers a range of card payment solutions designed to help organisations comply with PCI DSS, GDPR and the newly introduced Payment Services Directive (PSD2).
Encoded’s solutions are trusted by many of the world’s leading brands, including Samsung, Mercedes-Benz, BMW, Müller and Virgin, as well as a host of UK utility companies such as Green Star Energy, Severn Trent Water and Anglian Water.
Omni-channel solutions include Agent Assisted Card Payments, E-Commerce payments, IVR Payments, Mobile Apps, PayByLink Mobile Payments and Virtual Terminal Payments.