Card payments are not just something that e-commerce websites and banks have to be concerned about. No matter what kind of business you run, if you accept or process any kind of credit or debit card payment, online or offline, or even just collect, transmit or store card transaction data, you need to meet and adhere to specific payment card security standards.
Called the Payment Card Industry (PCI) Data Security Standard (DSS), these are network security and business practice requirements that were initially developed by the major card brands Visa, MasterCard, American Express and Discover Card and are now maintained by the PCI Security Standards Council.
The main purpose of the PCI DSS is to ensure that your customers’ payment card data is protected from fraud.
Credit card fraud is a major component of cybercrime and a problem that affects businesses and consumers around the world. A recent news article by Yahoo! states that the European Union (EU), which reportedly is the world’s largest market for payment card transactions, has been lucrative to organised crime groups who derived more than €1,5-billion ($1,9-billion) from payment fraud in the region.
Despite the continuous and very real threat of fraud, research reveals that electronic payments, including credit and debit card usage, contributed $1,1-trillion to the global economy from 2003 to 2008.
“Here in South Africa, credit card penetration is estimated to be only at 0.2%, but debit card usage is on the rise,” says Jayson O’Reilly, director of Sales and Innovation at security solutions provider DRS.
“The 2011 Global Payment Tracking Survey, which was conducted by Visa from 2010 to 2011, showed that debit cards accounted for 42% of the South African card market. Since credit card penetration is so low in the country, South African retailers are making it easier for users to make purchases with their debit cards.”
While statistics released by the South African Bank Risk Information Centre (Sabric) show that credit and debit card fraud in South Africa has seen a decline – with credit card fraud dropping by 32% between January and September last year, compared to the same period in 2011 – fraud involving South African cards being used overseas has increased by 10%.
Debit card fraud also decreased by 7%, but the losses are still significant, amounting to R204-million, while credit card fraud tallied up to R300,6-million.
“Complying with the PCI DSS is therefore still very necessary,” O’Reilly says. “Apart from the financial losses you or your customers can suffer as a result of credit card fraud, it could cause long-lasting damage to your reputation and could irrevocably damage consumer trust in your company.”
While PCI DSS compliance does not guarantee that data is safe from hackers, thieves or fraudsters, it does protect everyone along the payment chain, including card issuers, cardholders, processors and payment service providers, by limiting risk and minimising the potential losses that could follow fraud, theft or a security breach.
“Non-compliance results in financial loss too, since non-PCI-compliant merchants can face fines of between US$5 000 and US$500 000 based on the level of non-compliance,” O’Reilly cautions.
“There are twelve requirements in the standard that have to be followed, and compliance is an ongoing process, in which businesses will continually have to assess and reassess their operations and make sure that they adhere to the PCI DSS for security management, procedures, network architecture and policies in order to keep consumers’ payment card data safe throughout every step of every transaction.”
O’Reilly says PCI compliance can be an overwhelming and complicated process.
“At DRS, we offer clients a solution that relieves much of the burden from their shoulders. We help users to optimise their security posture while proving PCI compliance through a layered security model that mitigates vulnerabilities and reduces the likelihood of data loss or theft.”