Target dates for compliance with the PCI DSS itself have all long since passed. Many organisations - particularly those that fall below the top tier of payment card transaction volumes - are not yet compliant. There are perhaps three reasons for this. The first is that PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The second is that enforcement is driven by the card payment brands, through the banks that have the commercial relationships with the merchants that are supposed to comply. Enforcement is inconsistent at best and non-existent at worst. The third is that PCI DSS is extremely prescriptive, and takes a determined one-size-fits-all approach to information security requirements. Compliance is therefore seen as both expensive and bureaucratic. It is not surprising, therefore, that merchants try to avoid compliance with this standard.
This is a short-sighted and high-risk stance to adopt - rather like assuming that your business has no exposure to acts of nature or IT failure and does not, therefore, require a business or IT service continuity plan. All businesses that accept payment cards are prey for hackers and criminal gangs that seek to steal payment card and individual identity details. Many attacks are highly automated, seeking out website and payment card system vulnerabilities remotely, using increasingly sophisticated tools and techniques. When a vulnerability is discovered, an attack can start - without the management or staff of the target company having any awareness of what is going on. When the attack is exposed - perhaps through a victim disputing fraudulent credit card charges - the target company will face a harsh and expensive set of repercussions. These will range from customer desertion and brand damage to significant penalties and operating requirements imposed by their acquiring bank, which will include a future level of monitoring normally applied only to the very largest of merchants. PCI DSS is designed to ensure that merchants are effectively protecting cardholder data.
It recognises that not all merchants may have the technical understanding to identify for themselves the necessary steps and short-circuits to avoid danger. All merchants, and their service providers, should therefore ensure that they comply with PCI DSS, and that they stay compliant. Apart from anything else, if every merchant co-operates in the fight against the theft of cardholder data, we might make it easier in the long run for all our payment card customers.
- ISBN10 6613024813
- ISBN13 9786613024817
- Publish Date 16 February 2011 (first published 1 January 2008)
- Publish Status Active
- Out of Print 29 May 2012
- Publish Country US
- Imprint Itgp
- Format eBook
- Pages 45
- Language English