May 27 2008
Comment - Meeting the PCI DSS Deadline
With the 30 June PCI DSS deadline fast approaching, Chris Barling, CEO of ecommerce, mail order and retail technology supplier Actinic, airs his views on the latest PCI deadline.
Are you ready for PCI DSS? Do you know what PCI DSS means to your business? Chris Barling, CEO of ecommerce, mail order and retail technology supplier Actinic, agreed to talk about the latest PCI deadline. Will the deadline slip? Have enough businesses complied with the regulations? Barling doubts that enough have. What do you think? Send your comments to the usual address, or comment below.
Most industries don't have the power to set deadlines for their customers. In 30 years’ experience in business I have only had deadlines imposed by the government (regarding conforming with tax regulations), and the "millennium bug", which was more about the collective incompetence of the IT industry than any external imposition. The one exception is the banking industry. This industry seems to pride itself on imposing deadlines. It then effectively penalises customers who did comply by allowing others to get away with ignoring the deadline.
Conformance with the PCI DSS standard, which sets all sorts of data security rules if you handle credit or debit cards, has officially been compulsory since 2005, but is better observed in the breach than the rule. Now the 30 June 2008 deadline is upon us, and it’s worth asking whether things will be the same this time.
Security is top of the agenda
If your business accepts payment cards then the Payment Card Industry Data Security Standard (PCI DSS) applies to you. PCI DSS is the answer to all security concerns in relation to payment cards. It is a single standard supported by all major players including Visa and Mastercard. This is itself a triumph of common sense.
As security has become a hotter topic, the card industry has introduced more rigorous enforcement of the rules. Now it is chomping at the bit to get to grips with the surge in online scams.
PCI DSS – notable by its absence
The interesting question to ask is, why haven't the banks pushed harder before? Well, there's a truth in business that you shouldn't upset your customers, and if it can't be avoided, then try not to upset the big ones. This is the key to understanding why PCI DSS has only been rolled out very slowly since it was officially made compulsory in 2005.
But banks are not gods and can’t afford to upset their biggest customers (although the rest of us are relatively expendable). For instance, even a bank wouldn’t have the temerity to threaten big retailers like Marks and Spencer or Amazon. However, until the card issuers had implemented the standard within the big boys, there was relatively little to gain from targeting the medium-sized and smaller guys.
Hard to implement
Now that the large companies have finished implementing PCI DSS, banks are applying pressure further down the food chain. It’s likely to mean a rapid rollout of the standards, which spells danger for small and medium-sized online merchants, retailers and mail order companies. That’s because implementing PCI DSS is no walk in the park. However, there are ways through the morass and there are some practical ways of dealing with the issue.
When it comes to PCI DSS, smaller companies have a big problem, because although the compliance checking regime varies based on size, the required standard is identical. This is bad news, because what makes sense for a big corporate with thousands of staff is crippling for smaller businesses.
There's a 70-page document to read, and hundreds of directives to obey. To provide one small example, PCI DSS requires that there is no unsupervised access to buildings containing computers storing card information. So to be compliant, you not only need to accompany visitors at all times, you can't even allow cleaners in for the evening.
Finding a pragmatic solution
The result of all the complexity means that only the blue chips will be able to follow the rules. For the rest of us, the only feasible answer is to outsource PCI DSS compliance. This can be achieved by not storing any payment card details on either paper or computers, but letting a third party look after them instead. The technical term is “tokenization of card data”. In other words, businesses just store a token referring to card data, not the data itself. Perhaps surprisingly, this approach is relatively easy to implement, and a number of helpful services already exist.
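The tokenization pattern described above, as an added illustration that is not Actinic's, Creditcall's or any real service's code: a hypothetical `CardVault` class stands in for the third-party service that holds the card numbers, the merchant side stores only a random token and a masked reference, and a `find_pan_like` scan checks that no Luhn-valid card number has crept into the merchant's own records (which is the whole point of keeping that storage out of PCI DSS scope). The card number used is the constructed test value 4111111111111111.

```python
"""Tokenization pattern: the merchant keeps a token, the vault keeps the card.

Added illustration, not Actinic's or Creditcall's code. CardVault is a
hypothetical stand-in for a third-party tokenization service; the merchant
side never writes a primary account number (PAN) to its own records.
"""
import json
import re
import secrets


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical third-party vault: the only place a PAN is stored."""

    def __init__(self):
        self._pans = {}         # token -> PAN, lives only inside the vault

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_hex(8)   # random, unrelated to the PAN
        self._pans[token] = pan
        return token

    def charge(self, token: str, pence: int) -> bool:
        """Settle against the vaulted card; the merchant never sees the PAN."""
        return token in self._pans and pence > 0


class MerchantOrders:
    """Merchant-side storage: holds tokens and a masked reference only."""

    def __init__(self, vault: CardVault):
        self.vault = vault
        self.records = []

    def place_order(self, order_id: str, pan: str, pence: int) -> bool:
        # The PAN passes through memory straight to the vault (in a real
        # deployment a hosted payment form would send it there directly).
        token = self.vault.tokenize(pan)
        ok = self.vault.charge(token, pence)
        self.records.append({"order": order_id, "token": token,
                             "last4": pan[-4:], "pence": pence, "paid": ok})
        return ok


# 13-19 digit run not glued to other word characters (so "tok_..." is skipped)
PAN_LIKE = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def find_pan_like(records) -> list:
    """Scan stored records for Luhn-valid 13-19 digit runs: a cheap check
    that no card number has leaked into merchant-side storage."""
    hits = []
    for rec in records:
        for run in PAN_LIKE.findall(json.dumps(rec)):
            if luhn_valid(run):
                hits.append(run)
    return hits


if __name__ == "__main__":
    vault = CardVault()
    shop = MerchantOrders(vault)
    shop.place_order("A100", "4111111111111111", 1999)   # constructed test PAN
    print(shop.records)                 # token and last4 only
    print(find_pan_like(shop.records))  # [] : nothing card-like stored here
```

The scan is deliberately crude (a digit run plus a Luhn check) and will flag any Luhn-valid number of that length, so treat a hit as something to inspect rather than proof of a leak; the useful property is that a clean merchant store returns nothing at all.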
I must declare my bias here as my company, Actinic, has recently released a tokenization service designed to address exactly this issue. The service, which we use internally ourselves, is tightly integrated with our software and services. It allows both us and our customers to rely on the PCI DSS certification of our partner, Creditcall. Thus the conformance burden is removed.
A secure future
It’s difficult to know if the latest deadline will be met, and undoubtedly no-one embarking on PCI DSS compliance now, unless switching to an off-the-shelf service, has any chance of complying in time.
Although I hate to admit it, the principles of PCI DSS are good. Actually, it’s good that the banks have been relatively pragmatic in pushing it, but it’s important for us mere mortals to try to avoid being crushed in the rush.