Mike Bielinski, CEO at Vodat International, argues that businesses must not panic about the Payment Card Industry Data Security Standard but should make the most of the opportunities to be gained from working with a partner who can ensure their cardholder data is protected at all times.
The arrival of PCI DSS means that merchants and processors must ensure cardholder data is securely stored, processed and transmitted. The standard specifies 12 requirements covering security technology and business processes, and reflects most of the usual best practices for securing sensitive information. This can seem daunting, especially for smaller merchants who probably have no existing security processes. Some companies may also have felt that they did not take enough card payments for the standard to apply to them, but PCI DSS applies to any business that stores, processes or transmits cardholder data, whatever its size. These and even larger businesses should look to work with experts who make the transition affordable and secure, allowing them to concentrate on their business.
PCI DSS was almost ignored when it first came along. Retailers found that their time and resources were taken up just becoming Chip and PIN compliant, and many were led to believe that Chip and PIN technology was the final answer to card present fraud. Chip and PIN authenticates the card and the cardholder at the point of sale; it does nothing to protect the cardholder data once the card has been read, which is what PCI DSS addresses. Consequently the deadline for becoming PCI DSS compliant was pushed out and the retail industry viewed it as an unnecessary cost on its balance sheets. The fact is that companies are now aware that PCI DSS compliance is required in their businesses: without it they will be liable for security breaches and subject to fines, or even to orders to cease accepting cards. In any case, if any card data is processed within their environment they will face the cost of achieving compliance.
PCI DSS is a catalyst to re-architect card payment solutions. Nearly all current Chip and PIN solutions are an evolution of the original magnetic stripe solutions, in which the payment application was installed on the POS. That approach inevitably brings the POS and its local network into the scope of PCI DSS, because cardholder data passes through, and is often logged on, the till itself.
Many card payment solution vendors are responding to PCI DSS by adding further complexity to the architecture of their existing solutions, putting some or all of the application processing on the PED (PIN entry device). This leads to more powerful and hence more expensive PEDs, and possibly slower processing.
The advent of fast, reliable and resilient secure private managed networks provides the opportunity to re-architect card payment solutions around a thin client architecture. This architecture was not feasible when many of the existing card payment solutions were designed, because the networks in general use at the time did not offer the required speed, reliability and resilience.
For example, a thin client card payment solution allows cardholder data to be moved directly from the PED to a secure central location for payment processing, so the POS never handles it. Processing centrally greatly reduces the cost of supporting and adapting to the inevitable evolutionary changes in the PCI DSS standard: a change is made once in the data centre rather than rolled out to every PED. Extending the complexity on the PED, by contrast, increases the very real cost of supporting change.
Options for delivering a card payment solution
In order to satisfy the PCI security standards, it is clear that the best place to process and store sensitive cardholder data is a secure data centre. The remaining question for PCI security is how card present transactions are processed, stored and transmitted from the moment the card is read by the PIN entry device to the point at which the completed transaction reaches the secure data centre.
Right now, businesses are not in a position to afford expensive PCI DSS experts and consultants, nor do they want to be trapped into solutions that will cost them money whenever the standard changes, when they move to an alternative EPOS supplier, or when they introduce new types of card. Some retailers have seen PCI DSS costs spiral out of control, with charges of up to 1,500 a day for a consultant's time, and they still do not have complete compliance.
Retailers need to reduce their capital spend rather than working with consultants and suppliers whose costs can become a grey area. If companies work with an organisation that guarantees delivery under a fixed fee agreement, they can budget for and monitor costs. This in turn allows them to increase their own productivity and avoid a long drawn out process in meeting compliance requirements.
Retailers should look to work with a partner that can provide added value services exploiting the benefits of secure high speed networks.
It is important that businesses choose a partner that can demonstrate its capability to handle card payment transactions securely. It is essential not only that the partner is a PCI DSS validated service provider, with a current Attestation of Compliance it can show you, but also that its Information Security Management System is certified as complying with ISO 27001.
Ideally, retailers should look for a managed service that handles cardholder data in a segmented part of the retailer's network (bearing in mind that segmentation only reduces scope if it is verified to be effective); removes sensitive cardholder data from the retailer's POS and other systems; is independent of the POS solution; is independent of the payment device; and can support any card and any acquirer.
Many organisations are faced with a headache when confronted with PCI DSS, but the adoption of a managed service from a retail expert will provide a flexible solution and a roadmap for retailers wanting to remove their POS from PCI DSS scope. This not only meets the requirements of the PCI security standards, it provides a strong platform to accommodate future changes in the standard whilst allowing the retailer to be virtually POS and PED independent.
The harsh reality remains that the onus is on retailers of all sizes to comply with the PCI DSS requirements, and it is retailers who face the cost of non-compliance, not their suppliers. Working on a fixed fee basis with an expert who has been through the compliance process themselves could help them keep costs to a minimum without jeopardising their long term business plans or their customers' data.
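The scoping argument above (the legacy design in which the payment application runs on the POS versus the thin client design in which the PED talks directly to the central host) can be made concrete with a cardholder data discovery check of the kind an assessor or internal team runs over till journals and logs. The following is an added example written for this page; it is not Vodat International's code or the article's own. Both payment flows are schematic simulations, 4111111111111111 is a constructed test PAN, the first six/last four mask is assumed to be what the receipt policy permits, and the check only covers data a component writes to its journal, which is one scoping trigger (storage) among the three the standard names.

```python
"""Cardholder data discovery over simulated POS and host journals (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not part
# of a longer digit run (so a 20-digit serial number is not reported as a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(candidate: str) -> bool:
    """Luhn check digit test; separators in the candidate are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit runs in text that look like PANs and pass the Luhn check.

    Luhn filters most random digit runs, but long numeric identifiers can still
    pass it by chance, so hits from a real scan need manual confirmation.
    """
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (assumed receipt mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Component:
    """A system in the payment path and the journal lines it writes to disk."""
    name: str
    journal: List[str] = field(default_factory=list)

    def holds_pan(self) -> bool:
        """True if any stored journal line contains a full PAN."""
        return any(find_pans(line) for line in self.journal)


def legacy_flow(pan: str, amount: str, pos: Component, host: Component) -> str:
    """Legacy design: the payment application runs on the POS, so the full PAN
    passes through the till and ends up in its sales journal (simulated)."""
    pos.journal.append(f"sale amount={amount} pan={pan}")
    host.journal.append(f"auth amount={amount} pan={pan}")
    return "AUTH-000001"


def thin_client_flow(pan: str, amount: str, pos: Component, host: Component) -> str:
    """Thin client design: the PED sends cardholder data straight to the central
    host; the POS only receives the outcome and a masked card number (simulated)."""
    host.journal.append(f"auth amount={amount} pan={pan}")
    ref = "AUTH-000002"
    pos.journal.append(f"sale amount={amount} card={mask_pan(pan)} ref={ref}")
    return ref


def run_comparison(pan: str = "4111111111111111", amount: str = "12.50") -> Dict[str, bool]:
    """Run one sale through both designs and report which components hold a PAN.
    The default PAN is a constructed test number, not a real card."""
    legacy_pos, legacy_host = Component("POS"), Component("host")
    legacy_flow(pan, amount, legacy_pos, legacy_host)
    thin_pos, thin_host = Component("POS"), Component("host")
    thin_client_flow(pan, amount, thin_pos, thin_host)
    return {
        "legacy_pos_holds_pan": legacy_pos.holds_pan(),
        "legacy_host_holds_pan": legacy_host.holds_pan(),
        "thin_client_pos_holds_pan": thin_pos.holds_pan(),
        "thin_client_host_holds_pan": thin_host.holds_pan(),
    }


if __name__ == "__main__":
    for check, result in run_comparison().items():
        print(f"{check}: {result}")
```

In the legacy flow the discovery scan finds a full PAN in the POS journal, which is exactly what pulls the till and its local network into scope; in the thin client flow only the central host holds cardholder data, and the POS journal contains nothing more than a masked card number and an authorisation reference. Running the same `find_pans` pass over real till logs, backups and databases is how a retailer confirms that the data really has left the POS rather than taking the supplier's word for it.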