Credit and debit card payments

Wednesday 02 December 2009 15:39
The rules on handling card data are quite complicated - so get professional advice (Rex Features)

Anyone who accepts credit or debit card payments must be aware of their obligations under the Payment Card Industry security standard, advises Mark Child, a partner at Kingston Smith Consulting LLP.


THE PROBLEM

I run an independent hotel on the Norfolk coast. The majority of my customers use a credit or debit card to pay the advance deposit and to settle their bill. What does the latest Payment Card Industry security standard mean for me?


THE LAW

The Payment Card Industry Security Standards Council (PCI SSC) - a joint body founded by the major card brands, including Visa, MasterCard, American Express, Discover and JCB - publishes the PCI Data Security Standard (PCI DSS) to protect cardholder data. It lays down minimum requirements for processing, storing and transmitting card account information. For example, the card "security code" - the three digits printed on the back of a card, or the four digits on the front of an American Express card - may never be kept after it has been used to authorise a transaction; the same applies to the full contents of the magnetic stripe and to PINs. The card number itself may be retained only where there is a genuine business need, and then only if it is rendered unreadable, for instance by truncation or strong encryption.

Areas covered by the standard include the need to have an appropriate security policy, adequate protection of IT software and infrastructure against unauthorised access, anti-virus measures and regular monitoring and testing of IT systems.

Access to card account information must be restricted on a need-to-know basis, each person with access must have their own user ID, and that access must be logged so it can be traced to an individual. Card numbers sent over public networks - the internet or a wireless link - must be encrypted so that anyone intercepting them cannot read them, and unprotected card numbers must never be sent by e‑mail or instant messaging at all.

These requirements apply to all organisations accepting payment cards, irrespective of their size or the number of transactions. What varies with size is how compliance must be demonstrated.

Compliance with the standard must be validated on a regular basis and most businesses will also be required to report the state of their compliance to their acquiring bank - the bank which handles their card transactions. The reporting requirements vary according to the number of transactions processed annually. A small merchant such as a hotel will normally validate by completing an annual Self-Assessment Questionnaire (SAQ); if any of its card-handling systems are connected to the internet, those systems must also be scanned every quarter by an Approved Scanning Vendor (ASV). Only the largest merchants need an annual on-site assessment by a Qualified Security Assessor (QSA).


EXPERT ADVICE

The first thing to do is to familiarise yourself with the requirements of the standard, which can be downloaded, together with supporting documentation, for free from www.pcisecuritystandards.org/security_standards/pci_dss.shtml. You then need to decide which parts apply to your own situation - in PCI terms, what is "in scope". For example, if card details never touch any of your IT systems - including e‑mail - because payments are taken on a standalone terminal supplied by your bank and nothing is keyed into a computer, most of the requirements relating to computer applications and network infrastructure fall outside your scope. The requirements that still apply in that case concern the physical security of the terminal and of any paper records, and the staff procedures around them. Be honest in that assessment: a booking spreadsheet, a reservation e‑mail or a scanned registration form with a card number on it brings the system holding it back into scope.
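Deciding whether card data is held on your systems is the scoping step the paragraph above turns on, and it is easy to get wrong by assumption. The following script is an added example, not part of the original article or of Kingston Smith's advice: it scans text records (a constructed sample here, standing in for a booking export or mailbox archive) for digit runs that pass the Luhn check used by card numbers, and reports each hit with the number masked to the first six and last four digits, which is the most PCI DSS permits to be displayed, so the scan report does not itself become a store of card numbers. The sample card numbers are well-known published test numbers, not real accounts. A clean result is evidence, not proof, that no card data is held; it says nothing about paper records or a terminal's own memory.

```python
import re

# Constructed sample lines, as might appear in a hotel's booking export or
# mailbox archive. The card numbers are published test numbers, not real accounts.
SAMPLE_LINES = [
    "Booking 1042: deposit paid, card 4111 1111 1111 1111 exp 03/11",
    "Invoice 2009-3381 reference 12345678901234",
    "Guest query re cancellation, no payment taken",
    "Amex on file 378282246310005 for late checkout",
    "Telephone 01263 123456, fax 01263 654321",
]

# A run of 13 to 19 digits, optionally separated by spaces or hyphens,
# not immediately preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation: every card number passes it, most
    other long digit strings (invoice numbers, phone numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Show at most the first six and last four digits (the PCI DSS display
    limit), so a scan report never reproduces a full card number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_pan) for each Luhn-valid card number found."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LINES):
        print("line %d: possible card number %s" % (lineno, masked))
```

Run against a real export, replace SAMPLE_LINES with the lines of the file. Any hit in a system you believed held no card data means that system is in scope, and the usual remedy is to stop recording the number there rather than to secure the file.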

You should ask your bank to confirm which validation it needs to see and how often. Finally, you need to validate your compliance with the standard and provide the reports in the PCI's standard formats (the SAQ, plus ASV scan reports where they apply). It may be necessary to hire a Qualified Security Assessor (QSA) firm to oversee your compliance, including testing the security of your computer systems. In any case, you would be wise to seek the advice of an accredited firm, which will be able to give you cost-effective guidance on the most appropriate measures to achieve compliance.

The PCI rules are complex and for some companies the outsourcing of card transaction processing to a specialist PCI-compliant third party may be the only practical solution. Outsourcing narrows your scope but does not remove your responsibility: the standard requires you to use only providers that are themselves PCI DSS compliant and to keep track of their compliance status, and any card data you continue to handle yourself - a deposit taken over the telephone and written on a booking form, for instance - remains within scope.


CHECK LIST

  • Download and familiarise yourself with the PCI data security standard.
  • Establish where card data is held - on computers, in e‑mail and on paper - and stop keeping whatever you do not need.
  • Review security arrangements regularly and strengthen them where necessary.
  • Agree PCI validation and reporting requirements with the bank handling your card transactions.
  • Provide regular reports where required to do so.


BEWARE!

If card data is stolen from a merchant that was not compliant, the merchant is likely to be held liable for the resulting fraud losses and for the cost of reissuing the affected cards. In addition, the card brands, acting through your acquiring bank, can impose more severe sanctions ranging from fines to withdrawing your ability to accept any payments by card.


CONTACT

Mark Child, partner, Kingston Smith Consulting LLP
020 7566 3731
