Wednesday, January 6, 2010

New PCI Compliance Challenge

Posted by Mark Brousseau

Remittance operations face even greater challenges from new PCI compliance guidelines. Doug Myers, vice president of sales and business development for Creditron, explains:

A flurry of new regulations, guidelines and clarifications designed to improve credit card security has remittance operations that handle credit card payments -- in the back-office or via walk-up locations -- scrambling. With three new pieces of guidance on the docket for Payment Card Industry (PCI) compliance, and larger fines for non-compliance, these operations face external pressures to beat the deadlines, as well as internal pressures to meet requirements in a strategic and cost-effective manner.

PCI and RP
The PCI Standard is the result of a collaborative effort formed by the five major credit card companies (Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB) to develop an efficient approach to safeguarding sensitive data and for the prevention of credit card fraud, hacking and various other security concerns. Any merchant, organization or software that processes, stores or disseminates credit card data must be PCI DSS compliant or they risk hefty fines and/or losing the ability to process credit cards altogether.

Remittance processors that accept credit card payments in lieu of checks must meet the standard.

Failure to comply with PCI standards exposes an organization to two types of liability: substantial penalties, and, more importantly, "charge-back" liability for damages suffered by the card issuer as a result of a data breach. The losses sustained by card issuers includes not only the fraudulent charges made on the accounts of the victims of identity theft, but also the administrative costs associated with the issuance of new cards to customers whose personal information may have been compromised. As a result, these costs can be significant. Add in the damage to reputation associated with the loss of customer card details, and the importance of PCI compliance to remittance processors becomes clear.

Conversely, in an environment where consumers are concerned about privacy and online security, there is an opportunity for businesses to improve their security posture by meeting the PCI standard.

What You Should Do
Remittance operations put their organizations at great risk if due diligence is not practiced and steps are not taken to protect cardholder and member data. Managers must take a very active approach to operational risk management, and not assume that the PCI DSS standard doesn't apply to them.

One strategy to ensure PCI compliance for remittance operations is to work with vendors that have already deployed a PCI compliance program for their entire end-to-end suite. With this approach, the onus is on the vendor to ensure that their underlying software and processes gain and maintain PCI compliance. This won't let operations off the hook for PCI, but it is a lower cost route to compliance.

To see if your vendor has a validated PCI application, visit www.pcisecuritystandards.org.

No comments: