PCI compliance: where does your company fit?
Any company of any size storing, transmitting or processing credit card details must be PCI compliant to ensure the safety and security of customers’ data, according to regional experts.
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of requirements designed to ensure that every company that processes, transmits or stores credit card data does so in a secure environment.
The Payment Card Industry Security Standards Council, featuring five major global payment brands - American Express, MasterCard Worldwide, Visa Inc, Discover Financial Services and JCB International - was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.
The idea behind PCI compliance is to ensure that companies have improved security in cases where credit card details are stored or processed.
“We have seen a lot of cases in the world where the storage and processing of credit card details have been compromised and obviously more security is necessary and in turn, any organisation, any company, any non-profit organisation, it does not matter who, anyone who stores or processes credit card details would need to comply with PCI DSS,” explains Dr Angelika Plate, director of Strategic Security Consulting at help AG.
PCI compliance applies to almost everybody in the payment industry, whether it is a merchant carrying out a transaction or a bank providing financial services. Wherever finance is involved, through any channel, PCI is relevant.
“As of today PCI has mandated the hardware manufacturers with a certain level of compliance depending on region,” says Niranj Sangal, Group CEO, at card payment specialists OMA Emirates LLC.
There are four different levels of PCI compliance, and depending on which level you are on, you have certain rights.
According to Martin Waldenstrom, CEO of online payment gateway cashU, the different levels carry different requirements depending on whether you are a processor or a merchant. If you are a processor you process for hundreds and even thousands of merchants, but if you are a merchant it’s just for yourself.
The different levels are defined based on services provided by different financial organisations.
“Let’s take a bank; for a bank we have 12 different standards of compliance. We look at the security, including networks – which have to have a secure firewall – and data encryption. This is all there to protect cardholder information. We restrict information to only those required to see it. Then we look at the physical, logical security of the premises where the data is stored,” explains Sangal.