The Payment Card Industry Data Security Standard (PCI DSS) is intended to minimise and, where possible, eliminate fraud.
It consists of more than 250 parts and applies to any business that handles, or is exposed to, payment card (account) data. This includes anything on the front or back of any card that bears a scheme’s logo, including cards from American Express, Discover, JCB, MasterCard and VISA.
The impacts of non-compliance
Persistent non-compliance by merchants and service providers with acquirer relationships will result in stepped penalties and fines, which increase massively if a breach occurs. In extreme circumstances, an acquirer may remove card processing capabilities.
In addition, it has become clear that compliant organisations are becoming increasingly reluctant to engage non-compliant service providers, as this threatens their own compliance status.
The attention of the card schemes has now begun to turn to smaller merchants and service providers. The primary motivators are the risk of breach events, which are far more likely in non-compliant organisations, and the realisation that the fines and other penalties for a breach are far higher if an organisation is found to have been non-compliant at the time of the breach.
Most organisations are likely to need significant assistance in achieving compliance in a timeframe which their acquirer or customers will accept.