The first PCI DSS deadline has been widely discussed by both merchants and payment card industry specialists but what does this really mean, will Visa and Mastercard soon be knocking at your door?
The 30 September deadline only affects level one merchants – so a business which takes more than 6 million total Visa or MasterCard transactions a year, including eCommerce merchants. The requirements for PCI DSS compliance do at first appear to be daunting. If the merchant attempts to go through this process unassisted then it can take a huge amount of time and resource to achieve compliance - the documentation runs to over 70 pages alone. It should also be noted that once a merchant has absorbed the requirements, compliance is not simply a case of ticking boxes. Fraudsters will continue to find vulnerabilities, so merchants should view their business security as an ongoing process, and payment security should be viewed as a best practice solution for the entire business rather than one department alone, which helps to safe guard an organisation’s reputation and avoids severe fines.
The most effective way for merchants to become PCI DSS compliant is to outsource the entire process to a secure payment specialist. Companies like this have already adopted PCI DSS and as a result their customers reduce the scope of compliance drastically. When there are updates or changes to the requirements – take for example the fact that v2.0 is imminently being finalised – the merchant will also automatically be safeguarded. It should also be noted that differences between v2.0 and the current requirements will be minimal; further to this PCI has just changed the lifecycle of the update process, meaning that after v2.0 has been launched the next update will not happen for three years (however minor changes or new security risks may be addressed in the interim).
It should also be noted that the PCI DSS standards were not set up to cause a problem for merchants but to enhance the payment account data security. Ninety per cent of merchants already have a compliance date agreed with their acquirer. Merchants should remember that Visa and Mastercard don’t fine the merchants directly, they fine the acquirer and they have the ability to pass this on to the merchant, so the ominous shadows of card schemes and the PCI Security Standards Council will not be on merchant’s doorsteps just yet!
© 2014 The Logic Group Holdings Ltd. Registered in England. Registered No 02283418