
Most of us aren’t keen on calling attention to instances when we miss our deadlines. In the case of banks and the Payment Card Industry Data Security Standard (PCI DSS), it’s hard for them to hide the sorry tale. The first deadline for compliance by merchants was set for June 2005, but there was very little movement. And when the banks seemed to merely shrug and didn’t apply any punishment, the position of those merchants that hadn’t complied seemed to be vindicated.
The next deadline was June 2007. That too was widely ignored, and still there was no concerted industry action. Now that the June 2008 deadline is upon us, it’s worth asking if things will be the same this time around.
If your business accepts card payments, then you are already required to comply with the PCI DSS. It is a collaborative standard agreed by the major players including American Express, Visa and MasterCard, and all of them support it. It addresses all the security concerns that relate to payment-card data.
Although compliance has been a requirement since June 2005, banks have been very slow to enforce it, and the reason is fairly simple. There’s a principle in business that you shouldn’t upset your customers – especially not the big ones – and the major banks have some very big customers indeed. Not even a bank would have the gall to threaten a big player like Tesco, but until the big customers implemented PCI DSS, there was relatively little to gain by putting pressure on the midsize and small ones. Now that the big boys are compliant, banks are applying pressure further down the food chain.
Meanwhile, chip and PIN has become widely adopted in the high street, and it has been effective in reducing credit-card fraud there. This has led to a surge in online fraud, and banks are chomping at the bit to get to grips with it—which is likely to mean a rapid rollout of PCI DSS.
This represents a big threat to small and midsize online merchants, retailers and catalogue companies, because implementing PCI DSS is no walk in the park. Although how companies check for compliance varies according to company size, the required standard is identical. Reaching that standard is difficult enough for a corporation with thousands of employees. For smaller businesses, it’s crippling.
To begin with, there is a 70-page document to read, and hundreds of directives to follow. For example, one requirement is that there should be no unsupervised access to buildings containing computers that store card information. That means guests, and even night-time cleaners, have to be accompanied.
Because of the complexity, the reality is that only the blue-chip companies will be able to achieve compliance in-house. For the rest, outsourcing is the feasible solution. This means handing over the processing of card transactions and storage of card details to a third party. The banks call this “tokenization of card data”. In other words, businesses just store a token referring to the card data, not the data themselves. In contrast to full compliance, this approach is relatively easy to implement, and a number of helpful services already exist.
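As an added illustration of the tokenization approach described above (example code written for this edit, not Actinic's, a bank's or any real provider's service): a toy token vault standing in for the third party that holds the card numbers, and the record a merchant keeps instead of the card data. The vault, the merchant record layout and the function names are assumptions for the illustration, and the card number used is a constructed test value that passes the Luhn check.

```python
import re
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, so the vault rejects mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the third party that actually holds card numbers."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:  # same card always gets the same token
            return self._token_by_pan[pan]
        # The token is random, not a hash or cipher of the PAN, so a copy of
        # the merchant's database reveals nothing about the card numbers.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """All the merchant keeps: the token plus a masked PAN for receipts."""
    token = vault.tokenize(pan)
    digits = re.sub(r"\D", "", pan)
    return {"token": token, "pan_masked": "*" * (len(digits) - 4) + digits[-4:]}

def record_holds_pan(record: dict, pan: str) -> bool:
    """True if any stored field still contains the full card number."""
    digits = re.sub(r"\D", "", pan)
    return any(digits in str(value) for value in record.values())
```

The merchant's database then holds only `tok_...` values and masked numbers; a stolen copy of it is useless without the vault, which is the property that takes the card data (and the directives that come with it) out of the merchant's hands.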
It is hard to tell at this stage whether the latest PCI DSS deadline will be met, or what sanctions banks will apply to companies that fall short. What is certain is that companies only now embarking on the road to PCI DSS compliance have little chance of complying in time, unless they switch to a third-party service.
The principles of PCI DSS are good. And it’s fortunate that until now, the banks have been relatively pragmatic in applying it. But circumstances have changed, and in the near future the heat is going to be turned up. Now is the time to get with the programme and ensure that your business has the means to comply. Ultimately it’s comply or die.
Chris Barling is CEO of multichannel technology supplier Actinic.