No sooner has the deadline passed for retailers to comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS) than the body responsible for enforcement has announced its expansion. The PCI Security Standards Council announced in September that the PCI DSS was to assume responsibility for the PIN Entry Device (PED) Security Standards. Implementing these new standards will happen over the next few months and, when fully in force, they will apply to devices that accept PIN entry for all PIN-based transactions.
This development brings together a scheme previously administered separately by JCB, MasterCard International and Visa International. While the standard is being introduced, all devices currently approved as compliant will retain their approved status until the existing approval expires.
With the PED scheme administered by one body, there will now be a single set of standards that manufacturers can rely on, with the aim of speeding up development of the technology. It is hoped that, in turn, the security offered to individuals and businesses using the technology will improve.
This development of the PCI DSS comes at a time when there has been considerable concern that UK businesses have fallen behind in implementing the standards. One of the factors claimed to contribute to the apparent delay is the lack of communication between IT security staff and finance departments: the IT staff are required to solve the problems but do not have ready access to the reports that pass between the finance department and the banks. The PCI Security Standards Council has undertaken to remind firms and businesses of the benefits of compliance and of the penalties imposed for non-compliance, such as heavy fines and the ultimate sanction of being refused the facility to accept payment for goods by credit and debit card.
Another factor cited as causing delay is confusion amongst businesses about which category they should operate under. The PCI DSS rules affect businesses differently according to the number of card transactions they process per year. There are four tiers: tier 1 for over 6 million transactions; tier 2 for between 6 million and 150,000; tier 3 for between 150,000 and 20,000; and tier 4 for fewer than 20,000.