Payment card industry compliance deadlines to hit UK business
Small firms may see themselves penalised when PCI-DSS comes in next month
PCI July and September deadlines cast a cloud over retailers and e-tailers
Payment Card Industry (PCI) compliance deadlines due at the beginning of July could mean a rise in credit card processing costs for small firms who don't comply.
The 1 July deadline, from payments firm Visa, will primarily affect smaller businesses using electronic point of sale (EPOS) and e-commerce systems.
A later 30 September deadline, also a Visa mandate, will mainly affect Tier 1 (Level 1) businesses, which must be fully compliant with the PCI Data Security Standard (DSS) by that date.
The second Visa mandate means card acquirers like Barclaycard have to provide an 'Attestation of Compliance Form' for their Level 1 merchants, demonstrating that each merchant is PCI DSS compliant by September 30, 2010.
PCI compliance tiering
The level of PCI DSS compliance validation required depends on how many transactions a merchant processes per year.
Level 1 merchants process more than six million transactions per year, while Level 4 merchants process fewer than 20,000.
Level 2 merchants process between one million and six million transactions per year, and Level 3 merchants between 20,000 and one million.
ENISA security expert Mathieu Gorge said: "This means that from 1 October Visa may start fining acquirers who cannot provide attestation forms confirming that all their Level 1 merchants have validated compliance."
Head of Payment Security at Barclaycard Neira Jones confirmed that if the card scheme vendor levies fines on the acquirer, the acquirer will pass on these fines (and associated fraud losses) to the merchant.
Gorge, who is also managing director of Dublin-based security consultancy VigiTrust, explained that the situation is more worrying, however, for Level 2, 3 and 4 merchants.
"[A card transactions security breach] will see these smaller companies automatically moved to level one, which means additional policies and procedures resulting in higher costs," he said.
This "upgrade" to Level 1 could cripple smaller merchants if they are not compliant.
Barclaycard's Jones advises EPOS users to confirm that their EPOS software does not store authorisation data once a transaction has been authorised.
Jones also advises e-commerce merchants to use PCI-compliant payment service providers, or to move to compliant web hosting services.
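The check Jones recommends, confirming that an EPOS does not keep authorisation data once a transaction has been approved, can be scripted against whatever store the till software writes to. The following is an added example, not code from the article, Barclaycard or any EPOS vendor. It assumes a hypothetical EPOS that keeps each transaction as a dictionary-like record; the field names (`cvv2`, `track2`, `gateway_raw`, `status`) and the sample records are constructed for this example. It looks for what PCI DSS calls sensitive authentication data (full magnetic-stripe track data, card verification codes and PIN blocks) both in dedicated fields and hiding inside free-text fields such as raw gateway responses, and only flags records that have already been authorised or settled.

```python
"""Post-authorisation storage check for a hypothetical EPOS transaction store.

Added example, not code from the article or any EPOS vendor. The record
layout and the sample records below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Dedicated fields that must be empty after authorisation (sensitive
# authentication data under PCI DSS). The names are this example's assumption.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv2", "pin_block"}

# Only records the EPOS has already had authorised are in scope: data held
# transiently while an authorisation is in flight is a different question.
POST_AUTH_STATUSES = {"authorised", "settled"}

# Patterns that betray sensitive authentication data inside free-text fields.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}[^?]*\??")      # ;PAN=YYMMSSS...?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}[^?]*\??")   # %BPAN^NAME^YYMM...?
CVV_KV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Finding:
    txn_id: str
    field: str
    reason: str


def check_record(rec: dict) -> list[Finding]:
    """Return one Finding per place a single record retains sensitive authentication data."""
    findings: list[Finding] = []
    txn_id = str(rec.get("txn_id", "?"))
    for name, value in rec.items():
        # A forbidden field that is blank or absent is fine; a populated one is not.
        if name in FORBIDDEN_FIELDS and value not in (None, ""):
            findings.append(Finding(txn_id, name, "forbidden field populated after authorisation"))
            continue
        # Free-text fields (gateway responses, debug notes) can leak the same data.
        if isinstance(value, str):
            if TRACK2_RE.search(value) or TRACK1_RE.search(value):
                findings.append(Finding(txn_id, name, "magnetic-stripe track data in free text"))
            elif CVV_KV_RE.search(value):
                findings.append(Finding(txn_id, name, "card verification code in free text"))
    return findings


def scan_store(records: Iterable[dict]) -> list[Finding]:
    """Scan every post-authorisation record in the store and collect findings."""
    return [
        finding
        for rec in records
        if rec.get("status") in POST_AUTH_STATUSES
        for finding in check_record(rec)
    ]


# Constructed sample store. PANs are masked or well-known test numbers.
SAMPLE_STORE = [
    {"txn_id": "T1001", "status": "authorised", "pan_masked": "411111******1111",
     "auth_code": "123456", "cvv2": "", "track2": None},            # clean: fields purged
    {"txn_id": "T1002", "status": "authorised", "pan_masked": "555555******4444",
     "auth_code": "654321", "cvv2": "123", "track2": None},         # CVV2 kept after auth
    {"txn_id": "T1003", "status": "settled", "pan_masked": "411111******1111",
     "gateway_raw": "RESP=00 AUTH=998877 ;4111111111111111=25121011234567890?"},  # track 2 in raw log
    {"txn_id": "T1004", "status": "pending", "cvv2": "321"},        # not yet authorised: out of scope
]


if __name__ == "__main__":
    for f in scan_store(SAMPLE_STORE):
        print(f"{f.txn_id}: field '{f.field}' - {f.reason}")
```

Run against the sample store, the scan reports the retained CVV2 on T1002 and the track 2 string buried in T1003's raw gateway response, and says nothing about T1001 (fields present but empty) or T1004 (still pending). In a real deployment the same two functions would be pointed at the EPOS database or export file, and the free-text patterns widened to match whatever the gateway actually returns.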
Information Systems Audit and Control Association (ISACA) Security Advisory Group member John Walker argued that lower level merchants had been badly treated.
"I've worked with many people [in this category] and when I mention PCI to them, I'm greeted with a blank stare. There's a lot of mis-communication, or no communication with these people," said Walker.
Asked about dealing directly with card acquirers, Walker said, "the acquirers are very helpful – but make sure you're talking to the right acquirer! Go and ask them some questions – they're not going to be as cold as you may think."
Walker's advice to smaller firms having to deal with PCI deadlines is, first, not to "engage a consultant and say, 'come and tell me what I need to do'."
"That would definitely be a bad approach. Get onto the PCI site and make sure you're in the right category – forget what they've been told – check it for themselves," added Walker.
Walker said the chances are that these smaller firms could sort out any compliance problems without going to a consultant.
However, if all else failed, Walker advised bringing in somebody as a final resort and asking them for some measured consultancy to give insight into what needs to be done. "But don't try and fix the problem with a blank cheque approach," warned Walker.
What is PCI DSS?
PCI DSS is a worldwide set of security requirements to protect card payment data stored electronically, and was originally developed by the founders of the PCI Security Standards Council (PCI SSC).
These include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.