
PCI Protects Us All

If you head up a business or corporation that accepts cards for providing a product or service, then you have an important role to play in cutting down on card fraud.

This is why a set of rules called the ‘PCI DSS’ was created four years ago: to help business leaders safeguard their companies against fraud.

For those managing directors and chief executives who haven't heard, the acronym stands for Payment Card Industry Data Security Standard. These industry rules, mandated by the Card Schemes, dictate the steps service providers must follow to ensure cardholders' personal information and card data are not put at risk.

Importantly, business leaders must not only make sure their company is fraud-proof, they must continually prove it through a series of regular returns, submitted to their acquirer, which allow the acquirer to report to the Card Schemes.

Some may view the time their accounts department spends on this, and the resulting cost, as an onerous burden. But the fines for non-compliance levied by the Card Schemes such as Visa and MasterCard can be much greater, especially if your card data is compromised or breached.

And let's not lose sight of the real reason why companies should cut down on fraud: it makes the lives of your customers a great deal easier and benefits society as a whole. You also avoid the serious damage and loss of trust that a breach can inflict on your brand.

A card payment processor like HSBC Merchant Services can lessen your burden as it can advise on whether your company should team up with a Qualified Security Assessor (QSA) who can guide you through the PCI compliance process.

Basically, your company needs to follow 12 prescriptive requirements grouped under six main goals. For example, one goal is building and maintaining a secure network to protect any customers' card data held on file. This network must then be monitored and tested on a regular basis to ensure a data breach hasn't occurred.

Payment and computer systems must also be monitored to make sure sensitive data, like the information on the magnetic stripe or chip on credit or debit cards, is not stored. If it is, a fraudster may be able to access this data and clone cards.
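One way to monitor for that, as an added example that is not part of the original article or of any HSBC Merchant Services tooling: a small Python scanner run over constructed sample log records, flagging stored track 1 or track 2 data (which must never be kept after authorisation) and unmasked card numbers. The record format, field names and card numbers are assumed; the numbers are well-known test PANs that pass the Luhn check but belong to no real cardholder.

```python
import re

# Constructed sample records, standing in for a transaction log or database
# dump that a PCI DSS monitoring job would scan. Formats are assumed.
SAMPLE_RECORDS = [
    "2010-11-18 10:20:01 auth ok merchant=1234 pan=4111111111111111 amount=19.99",
    "2010-11-18 10:20:02 raw swipe ;4111111111111111=15121011234567890123?",
    "2010-11-18 10:20:03 raw swipe %B5500000000000004^DOE/JANE^1512101?",
    "2010-11-18 10:20:04 order 1234567890123456 shipped",   # 16 digits, fails Luhn
    "2010-11-18 10:20:05 auth ok masked=411111******1111 amount=5.00",
]

# Track 2: ';PAN=YYMM...?'   Track 1: '%BPAN^NAME^...?'   Bare PAN: 13-19 digits.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn check, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Report only first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(line):
    """Return (kind, masked_pan) findings for one record.
    'track1'/'track2' = sensitive authentication data stored: always a violation.
    'pan' = card number stored in the clear: must be rendered unreadable."""
    findings = []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
    if not findings:            # track data already covers its embedded PAN
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(("pan", mask(m.group(1))))
    return findings

def scan(records):
    """Scan all records; returns (record_index, finding) pairs."""
    return [(i, f) for i, line in enumerate(records) for f in scan_record(line)]
```

Masked values such as `411111******1111` and non-card digit runs are left alone, so the report itself does not become a new store of card data.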

Card cloning is a huge international issue: more than 80% of data stolen in breaches of company systems is payment card data, according to the 2009 Verizon Business Data Breach Report.

Let us do our best to tackle it together.


By Darren Wilson, CEO, HSBC Merchant Services



Comments (2)

A Finextra member, 18 November 2010, 10:20

There is no hope! We are all doomed.  I can only assume that this nonsense about PCI is being driven by the Yanks who now have the last word at HSBC.  If not then we really are all doomed!

The vast majority of card fraud, nay, all of it, is based around magstripe cloning in undeveloped countries like the US.  Wouldn't it be cheaper to implement EMV in the US than to force the rest of the world to adopt a security system that leaves the so-called "sensitive data" embossed, in the clear, on the front of a plastic card?  It is reckoned that the US would see a return on the investment within 11 months.

I am sure that Darren Wilson will be able to tell us all how chip card data can be used and abused, thereby justifying the expense of the PCI-DSS.  However, EMV data is not sensitive, even the PAN!!!  If it is, then please show me.  Why are people employed in high-power payment company positions when they demonstrate that they know nothing about payment technologies?  If yer man Darren understood his industry, he wouldn't be yattering claptrap like this.

Now I know this is going to upset a lot of people, but before you all respond in his defence, just ask yourself if you are really in favour of the PCI-DSS because you are making money out of it, or because you really do think it's a good idea.  Just remember, diamond and coal may both be made out of carbon, but you don't keep coal in a safe.

Check out the Payment Monkey ...

John Dring, Intel Network Services, Swindon, 24 November 2010, 14:43

Oh I love a good debate. Shame I was late to this one!  We encounter PCI often and it never ceases to amaze how differently the standard can be applied.  In the end, it's about auditing those that handle CC data to ensure they show due diligence in the handling of that information. Even an EMV Chip and PIN card can be used in CNP fraud if the security number is recorded, for example, so although I am not a fan of PCI, you need some way to audit that, even in an EMV world.