Are you PCI compliant?

Any company of any size storing, transmitting or processing credit card details must be PCI compliant to ensure the safety and security of customers’ data, according to regional experts.

PCI compliance is now mandated by nearly every credit card scheme.
By Georgina Enzer. Published April 21, 2013


The Payment Card Industry Data Security Standard, or PCI DSS, is a set of requirements designed to ensure that every company that processes, transmits or stores credit card data does so in a secure environment.

The Payment Card Industry Security Standards Council, made up of five major global payment brands (American Express, MasterCard Worldwide, Visa Inc, Discover Financial Services and JCB International), was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.

The idea behind PCI compliance is to ensure that companies have improved security in cases where credit card details are stored or processed.

“We have seen a lot of cases in the world where the storage and processing of credit card details have been compromised and obviously more security is necessary and in turn, any organisation, any company, any non-profit organisation, it does not matter who, anyone who stores or processes credit card details would need to comply with PCI DSS,” explains Dr Angelika Plate, director of Strategic Security Consulting at help AG.

PCI compliance applies to almost everybody in the payment industry, whether it is a merchant doing a transaction or a bank providing financial services. Whatever the channel, if it involves payment, PCI is relevant.

“As of today PCI has mandated the hardware manufacturers with a certain level of compliance depending on region,” says Niranj Sangal, Group CEO, at card payment specialists OMA Emirates LLC.

Compliance levels

There are four different levels of PCI compliance and depending on which level you are on, you have certain rights.

According to Martin Waldenstrom, CEO of online payment gateway cashU, the levels carry different requirements depending on whether you are a processor or a merchant: a processor handles payments for hundreds or even thousands of merchants, whereas a merchant handles only its own.

The different levels are defined based on services provided by different financial organisations.

“Let’s take a bank; for a bank we have 12 different standards of compliance. We look at the security, including networks – which have to have a secure firewall – and data encryption. This is all there to protect cardholder information. We restrict information to only those required to see it. Then we look at the physical, logical security of the premises where the data is stored,” explains Sangal.

There are twelve different standards that a bank must look at, or that Visa or MasterCard would assess the bank on. Take a merchant such as Carrefour: it is not a bank, but it carries all the financial obligations that come with cards being used in its setup.

“When you look at the compliance level of a bank it must adhere to all the 12 standards, but when it comes to Carrefour, there are certain features that are not applied to them because they are a merchant. But in terms of the data transmission from the location to the bank, it needs to be secure, so we look at data encryption and decryption,” states Sangal.

“If you look at Duty Free, you need not do a compliance level for them because they have their own infrastructure. The banks do not force them to go with PCI standards because they have their own standards. All their applications are secure, which means if I go to a Duty Free setup I cannot use any USB or an external hard drive to download or upload data. So they are partially compliant when it comes to credit card transactions.”

The most important data for a card used in a retail outlet or an SMB is the cardholder name, then CVV2 (card verification value, the security code on the back of the card), and then the track-one and track-two data held on the magnetic stripe. It is not required that everybody uses a chip card; today the US is still running mag-stripe cards or contactless cards.
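The data elements listed above are exactly what PCI DSS requirement 3 is concerned with: full track data and CVV2 may not be retained after authorisation, and the PAN must be masked wherever it is displayed and rendered unreadable wherever it is stored. A common way this goes wrong is point-of-sale or gateway software writing raw swipe data or full card numbers into application logs. The following is an added example, not code from the article or from any of the companies quoted, of a small scanner that finds and redacts such leakage in log lines. The log lines are constructed for the example, the PAN is the well-known 4111 1111 1111 1111 test number, and the track patterns assume the standard Track 1 (format B) and Track 2 layouts.

```python
import re

# Constructed sample log lines (not real transactions). The PAN is the
# well-known 4111 1111 1111 1111 test number; the track data is synthetic.
SAMPLE_LOG = [
    "2013-04-21 10:02:11 POS-07 auth ok pan=4111111111111111 amount=120.00",
    "2013-04-21 10:02:12 POS-07 DEBUG raw swipe "
    "%B4111111111111111^DOE/JANE^25121011000000000000?"
    ";4111111111111111=25121011000000000000?",
    "2013-04-21 10:03:00 POS-07 order=123456789012345 status=shipped",
]

# Bare PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1, format B: %B <PAN> ^ <NAME> ^ <YYMM> <service code> ... ?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ; <PAN> = <YYMM> <service code> ... ?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# CVV2 is a bare three- or four-digit number with no surrounding structure,
# so it cannot be pattern-matched reliably and is out of scope here.


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, timestamps and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> dict:
    """Return findings as (kind, masked PAN) pairs plus a redacted copy of the line."""
    findings = []
    # Track data may never be retained after authorisation, so it is recorded
    # as a finding and removed wholesale rather than merely masked.
    for m in TRACK1_RE.finditer(line):
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", mask_pan(m.group(1))))
    redacted = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    redacted = TRACK2_RE.sub("[TRACK2 REDACTED]", redacted)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave it untouched
        masked = mask_pan(digits)
        findings.append(("pan", masked))
        return masked

    redacted = PAN_RE.sub(_mask, redacted)
    return {"findings": findings, "redacted": redacted}


def scan_log(lines):
    """Line number, findings and redacted text for every offending line."""
    report = []
    for n, line in enumerate(lines, 1):
        r = scan_line(line)
        if r["findings"]:
            report.append((n, r["findings"], r["redacted"]))
    return report


if __name__ == "__main__":
    for n, found, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found}")
        print(f"  redacted: {redacted}")
```

The Luhn check is what keeps the scanner from flagging every long number in a log (the fifteen-digit order number in the third line passes through untouched), and track data is removed rather than masked because even a masked copy of a full track is still data that should never have been written. Running the scanner over real logs is a useful first check when assessing the "render PAN unreadable" and "do not store sensitive authentication data" requirements; it is not a substitute for fixing the software that writes the data in the first place.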

“Today we are required to be fully EMV-compliant [Europay, MasterCard and Visa, also known as ‘chip and PIN’]; a chip standard has been applicable since 2006 in the Middle East. Today in the region about 80% of providers are still implementing chip; practical acceptance is still 60%,” explains Sangal.

There are many standards that people can comply with, and standards built for compliance always come with a set of requirements; PCI DSS has around 200 different requirements and sub-requirements.

“Very often I am asked ‘is one requirement more important than another?’. Whilst maybe people feel like it is, for example when there is a requirement to make sure that credit card details like the transaction numbers, and things like that, are stored in a secretive way. That looks more important than to have a written information security policy. However, on the compliance level it does not make a blind bit of difference. A requirement is a requirement and non-compliance with one requirement will not lead to certification, as much as non-compliance with any of the other requirements,” states Dr Plate.
