And while it is tempting to see the PCI DSS as something that only affects the biggest merchants, if you take e-commerce payments using Visa, you only need 20,000 of them a year for that issuer to require you to comply.
The data security standard has been controversial in some quarters because it merely sets a baseline for security and can encourage tick-box compliance. It can also lead to a constant sequence of technology upgrades by merchants who do want to meet the standard and have implemented a variety of IT tools to do so.
Yet the PCI is right to be concerned that compliance is still relatively low and to threaten sanctions as a result. Since 2005, 80 per cent of all data security breaches by merchants involving payment card information have been among Tier 4 vendors – those with the lowest level of activity. Validation of compliance with the standard by these companies is optional under the industry-wide rules, but individual issuers can decide to require it, as Visa has done.
So the card industry is getting tougher on those who have not yet met what DSS 1.2 requires of them. Suffer a breach and you can be elevated to Tier 1 status despite having a low level of activity. The consequences of that are higher costs and even tighter requirements. The PCI can also impose some eye-watering penalties – €5 per account compromised, a €100,000 breach fee and the possibility of being barred from handling Visa and Mastercard transactions altogether. That is what is likely to hurt most.
As if that were not enough, a revised standard is about to be introduced at the end of October that will tighten up some processes and assume a risk-based approach for assessing vulnerabilities. For companies already complying with the existing standard, this should not be a challenge. For merchants who have failed to get to square one, the threshold will become yet higher.
There was a time when worrying about the safety of payment card information could be seen as a merely commercial problem for issuers with a direct impact on their exposure to theft and fraud. As consumers become ever more active in buying online, however, so their worries about data being kept safe and secure increase. The Internet has made it possible to deal with smaller businesses direct and at a distance. To continue that, all merchants need to take data security seriously. Starting today.