I thought I would make the first blog about a subject that strikes dread and frustration into the hearts of nearly every client I speak to... PCI DSS Compliance, or to give it its full title, Payment Card Industry Data Security Standard Compliance.
Every retailer or business owner who accepts card payments, whether online, via the telephone or face-to-face, has to comply with the PCI Security Standards Council’s DSS Compliance requirements. These are essentially the need to complete an annual report attesting to the secure storage and management of (card) transactions in their business. In addition they must also complete a quarterly “scan” to ensure that the security standards/processes etc. to which they attested remain in place.
The following is a list of questions I sent to the PCI Security Council, who are based in the USA, to seek to understand more about the seemingly arcane processes and protocols that surround DSS Compliance.
This was sent to them on 11th May 2018, and I received a response a few days later as follows:
“Thank you for sending this email. The questions below should actually be directed to your acquirer or the credit card brands directly.
Please note the PCI SSC would not be able to address these questions. If you would like I can pass these questions along to our Technical Response Team if you would like them to review the questions. Please note that these response times can be delayed due to the high volumes of questions though.”
So, what they’re saying is that PCI questions are not answered by the PCI Council, but as a favour someone in their Technical Response Team might take a look at them and might get back to me? (Incidentally, I did ask them to pass the questions to the TR Team and have heard precisely nothing back as yet.)
Not to be put off, avid reader, I sent the same questions to Visa Europe and received the following reply:
“Thank you for contacting Visa.
Please follow the link below for further information. After opening the link, click ‘Visit the PCI Security Standards Council site to download the relevant documentation’, which is found under the ‘Compliance validation procedures’ section.
Thank you for writing,”
Consumer Support | Europe | www.visaeurope.com
Which basically means... “Go away! We’re far too busy and important to answer your questions.”
I did respond to them saying they hadn’t answered my questions, nor does the link do so, following which I received... NOTHING.
But fear not, I shall keep plugging away on your behalf and will not rest until someone, somewhere, sometime takes responsibility to answer what seem to me to be perfectly reasonable questions.
I have been working within the card payment industry, in the UK, for the last 2 years, and over this period of time I have encountered the following questions to which I have either received no clear response or, more commonly, I have received conflicting information/advice from various so-called authoritative bodies.
Therefore I am writing to you in an attempt to clarify and confirm the exact position surrounding each question.
1) Are there any merchants (whether chip/PIN, e-commerce or mail/telephone order) that do NOT have to complete an annual PCI DSS Compliance report? If so, what are the parameters/thresholds that define them? Also, are the quarterly scans a part of this compliance?
2) Who levies the “authorisation fee” (i.e. a pence-per-transaction fee for the card payment to be approved)? How can these fees be justified for “contactless” payments when by their nature there is no PIN to verify?
3) Why is the monthly “PCI” fee charged to merchants? I.e. if the annual compliance (+ quarterly scans) is satisfactorily completed, why are these monthly fees levied?
4) Why is the monthly PCI fee variable depending upon merchant acquirer/ISO?
5) If it is the merchant’s responsibility to ensure/confirm compliance, how can anyone else but your organisation levy a fee for doing it? Also, if the merchant leases that terminal from a merchant acquirer/ISO, then doesn’t the latter bear some responsibility for compliance and associated payment of fees?
6) Are there any physical or virtual terminals that are not required to complete PCI Compliance (or pay monthly fees)?
Specifically I have never encountered any merchant with an iZettle terminal who has completed PCI Compliance.
7) Why are the Compliance questions so complex/arcane (becoming increasingly so depending on the connection method employed, i.e. from telephone line > Ethernet connection > GPRS/mobile signal)? The vast majority of SMEs, in my experience, do not understand the questions and are therefore “forced” to pay an “expert” to do this for them. You state that a QSA is qualified on your behalf to conduct the assessment, but this is done “on-site”. What does on-site mean?
8) What are the legal ramifications of a merchant’s failure to complete annual PCI compliance and/or quarterly scans in the event of payment card fraudulent use?
9) If a merchant owns their own terminal, to whom should they report compliance and pay associated fees?
10) What implications, if any, does the impending European Directive for GDPR compliance have upon PCI Compliance, and to what extent does it duplicate it?