Payment Card Industry Data Security Standard (PCI DSS)

Why security matters

Payment card fraud is a growing problem, with consequences not only for the cardholder but for the payment industry as a whole. If a compromise of cardholder data is traced to your business, the result is a loss of trust in your business and a consequent loss of trade.

Payment Card Industry Data Security Standard (PCI DSS)

All businesses that take payment with payment cards are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Historically, many businesses, particularly small ones, that take payments over the telephone have asked the payer to read out their card details, which are then keyed into the business's POS machine or a payment web site. In many cases the details are written down for later processing, creating a further opportunity for thieves and fraudsters to steal them.

Increasing concern over credit and debit card fraud means that these practices cannot continue. In future, achieving PCI DSS compliance will mean having a payment collection system in which your business never has knowledge of the customer's payment card details at all. While no definite date has been set for current practices to end, we currently expect the new rules to be in place from April 2018.

In addition to the security risk of taking payments manually over the telephone, there is the inconvenience of only being able to take payment while a member of staff is available; when the business is closed, there is no way to take payment at all. If a breach of cardholder data is traced back to your business, it can affect your future trading through loss of trust in your business and possible withdrawal of card payment facilities by your bank.

What is PCI DSS and to whom does it apply?

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard required of any company that takes credit or debit card payments. It covers the taking, processing and storage of customer card details, including storage on paper – even a note on a scrap of paper. PCI DSS was created and is managed by the Payment Card Industry Security Standards Council (PCI SSC), which comprises the major payment card providers – Visa, MasterCard, American Express, Discover and JCB. Whatever the size of your business, if you take debit or credit card payments from customers, you need to comply with PCI DSS.

What are the consequences of not complying with PCI DSS?

If your business does not comply with PCI DSS, you are open to a potential fine of £50,000 per infringement. If a breach of customer card data is reported, it can lead to a forensic examination of your compliance with PCI DSS, with the costs of the investigation borne by your business and possibly running to several thousand pounds. The damage to your business could include loss of reputation, significant financial costs and possible barring from taking card payments.

How to reduce the burden of PCI DSS on your business

The easiest way to reduce the burden of PCI DSS compliance is to pass that burden to a specialist provider who takes payments on your behalf and who complies with the highest level of PCI DSS. Automated telephone-based systems offer a high level of security because no human is involved in taking the payment: the payer enters their card details on their own telephone keypad, so the details never reach your staff or your systems. Such systems work all day, every day, allowing businesses to take payment securely at any time, including outside office hours.

Further information

PCI Security Standards Council

We offer a PCI DSS level 1 compliant telephone-based automated card payment solution.

Call us on 0115 938 9685 or use our contact form.

The above information is provided in good faith but note that we are not legal experts and therefore take no legal responsibility for its accuracy and cannot be liable for any loss arising from its use.