PCI compliance: time to demand security?
Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that every company that processes, stores or transmits debit, credit, or pre-paid card information maintains a secure environment. Any company that takes payment using cards branded with American Express, Discover, JCB, MasterCard, and Visa International should be PCI DSS compliant.
It is also a must-have for a company of any size, whether it is an SMB or an enterprise with thousands of employees.
PCI applies to all organisations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. If any customer of that organisation ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply. This standard is designed to give peace of mind to customers and business partners alike, that the company has done its utmost to ensure that its customers will not have their credit card details stolen, so why do very few companies in the UAE comply with PCI DSS?
Well, at the moment there is no legislation to force companies to ensure the security of credit card data that passes through their web portals.
In the US, for example, the payment brands (Visa, Mastercard, American Express, Discover, JCB) may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations.
Not only this, but no security standards are currently enforced in the region, meaning that all these e-commerce sites that are popping up in the UAE and GCC, and all those Middle East-based enterprises that you entrust to keep your credit card information safe, are not doing their utmost to protect your data.
A sobering thought. How many of us shop online? How many of us pay our bills online?
Using a web portal is the most convenient way to pay your bills, and we all know how much easier it is to grab something we see in an online store as a birthday gift, Eid present, etc., rather than spending hours trawling through shops looking for the perfect gift. But is the ease of using online portals about to bite us?
There have been very few reported major credit card detail thefts through hacking in the UAE, but, looking at the lack of security laws in general and around PCI DSS implementation specifically, it seems like it may just be a matter of time before some cyber-criminal runs off with thousands of customers’ credit card details.
For those of us who do shop online frequently, the good news is that third-party payment channels such as PayPal are PCI compliant. However, merely using a third-party company does not exempt a merchant from PCI compliance, although it may cut down on its risk exposure and consequently reduce the effort needed to validate compliance.
However, it does not mean they can ignore PCI. So, next time you log on and spot a nice pair of shoes, or want to pay your bills, it might be a good idea to check whether the service provider has any form of security in place, and maybe it is time we, the customers, start demanding that these Middle East-based sites implement PCI DSS for our own protection.