Pillars of PCI compliance

PASA has mandated that merchants of all sizes that process, store or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS) by the end of 2013.

September 2, 2013

The Payments Association of South Africa (PASA) has mandated that merchants of all sizes that process, store or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS) by the end of 2013. Consequently, retailers have to ensure that their IT security policy, payment switching technology and auditing processes are up to date in order to attain the PCI DSS compliance they now require.

Vaughan Alexander, Innervation Executive for Payments, says that the process of obtaining PCI Data Security Standard (DSS) certification is a complex one, with multiple areas being assessed in order to become compliant. “The ultimate goal of PCI DSS compliance is to ensure the consumer is protected and to do this, companies must ensure that they are in line with international best practice standards when it comes to their processing technology and security,” Alexander says.

There are six milestones (the PCI Security Standards Council's Prioritized Approach) that merchants will have to reach in order to obtain PCI DSS compliance. Milestones one and two, which cover removing sensitive authentication data and limiting data retention, and protecting the perimeter, internal and wireless networks, must be reached by no later than 15 September 2013.

Alexander advises merchants to begin by ensuring that there is a robust security policy in place for both virtual and physical environments, and that it is executed correctly within the organisation. “There have been rigorous standards set for both IT hardware and software,” he says. “Companies will also be measured on whether or not there are effective external measures in place that prevent intrusion and, in instances where customers’ information is stored, it must be done in a secure manner. Furthermore, retailers will be required to show that employee security measures, such as secure passwords, workstation lockdowns and single sign-on management, are in place.”

Merchants also have to ensure that the process by which consumers make payments using payment cards remains secure. “This process, referred to as payment switching, must be certified and audited by a recognised Qualified Security Assessor (QSA) in order to be compliant with the PCI DSS standard. The level of audit required is determined by the volume and value of payments processed. Large businesses undergo full internal IT audits, whilst small businesses are able to assess their environments by themselves,” Alexander explains. “Companies such as Innervation can assist their clients by consulting on their IT security needs and utilising PCI-compliant payment switching technology, which enables clients to easily fulfil the requirements around PCI DSS compliance within their organisations.”

Although these processes may seem costly, Alexander argues that they are well worth the initial investment. “Whilst PCI is not, in itself, a law, the standard was created by major card brands such as Visa and MasterCard, and merchants that do not comply may be subject to fines, card replacement costs as well as costly forensic audits at their acquirers’ discretion, should a breach event occur,” he goes on to say. “There are also associated benefits to consumers feeling safer when trading online or offline using payment cards. Currently around 70 percent of transactions in South Africa are still cash based. As compliance standards are enforced, so consumer confidence in electronic payment methods will increase. This will result in more cash being taken out of the system, reducing cash-related costs, which amount to around 1 to 2% of GDP.”

Alexander warns that there will likely be an even greater focus on security as PCI DSS compliance continues to evolve. “Chip and PIN card technology is penetrating the market at a rapid rate, and PASA has already increased their requirements surrounding online retail sites and 3-D Secure,” he states. “We believe that there is a definite move by the regulator towards increasing the overall security around electronic payments and this will only continue with the third version of PCI DSS that is expected by 2014.”
But Alexander says that the standard should be viewed in a positive light. “At the end of the day, compliance ensures that consumers can transact safely, and that is ultimately what retailers, both large and small, hope to achieve.”