Opinion piece

PCI DSS deadline a dead duck?

Chris Barling, CEO at Actinic, asks: will the new deadline of June 2008 go the same way as the last?


Deadlines are a fact of life in any business, but not many companies have the power to impose them on their customers. Apart from the 'millennium bug' – which was more a consequence of the IT industry’s collective incompetence than a deliberately imposed deadline – I have only ever had deadlines imposed by two agencies. One is the government (in connection with tax regulations). The other is the banking industry. Whilst seeming to pride itself on its ability to impose deadlines on others, the banking industry unfortunately has a historical tendency to undermine those deadlines itself, by allowing customers who don’t meet them to get away with it. This effectively penalises the ones who made the effort to comply.

The latest deadline to come out of the banking industry is for conformance with the PCI DSS standard. This aims to prevent a wide range of credit and debit card abuses by creating a strict framework of regulation and monitoring for companies that take card payments. It has officially been compulsory since 2005, but is more widely ignored than adopted. Now a new deadline of June 2008 has been set. The question is, will this one go the same way as the last?

The next step in credit card security

The PCI DSS applies to every business that accepts payments by credit or debit card. It answers all the main security concerns in relation to card payments. It is supported by all the major players including Visa and Mastercard – which is quite an achievement in itself. Now that chip and PIN is done and dusted, and almost universally adopted for ‘cardholder present’ transactions, the card industry is chomping at the bit to get to grips with the resulting surge in online scams. PCI DSS is its answer.

Size matters

The implementation of PCI DSS has been delayed, mainly because even the banks can’t afford to upset their biggest customers. No bank would have the gall to threaten the likes of Tesco or Asda; although if you are a small business, it’s a different story. Until the largest businesses had implemented the standard, there was relatively little to gain from the small and medium-sized ones. Now, however, the large companies have finished implementing PCI DSS, and banks are actively applying pressure further down the food chain.

Hard to comply

The roll-out of PCI DSS spells danger for small and medium-sized online merchants, retailers and mail order companies, because complying with the new standard presents huge practical difficulties. For one thing, although the compliance checking regime varies with company size, the standard required is the same. There’s a 70-page document to read, and hundreds of directives to obey. To give just one example, PCI DSS requires that there is no unsupervised access to buildings containing computers storing card information. So to be compliant, you not only need to accompany visitors at all times, you can’t even allow cleaners in for the evening. This is bad news for small businesses because of the costs and complexities involved. What can be absorbed by a large enterprise with a budget of millions would be crippling for a smaller company.

If you can’t join, avoid

Due to the challenges involved, only blue chip companies will be able to comply with the new regime themselves. For most, the only solution is to outsource the processing and storing of payment card details to a third party, thus avoiding the need for compliance. This is known as “tokenization of card data”. Essentially, you store a token referring to the card data, and someone else holds the data itself. This approach is relatively easy to implement, and a number of compliant services already exist.
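The pattern described above, as an added illustration (constructed example code, not Actinic's or Creditcall's software): the merchant sends the card number to a provider once, keeps only the opaque token the provider returns, and the card number itself never enters the merchant's own records. The `TokenVault` class is a hypothetical stand-in for the certified third party; the scan at the end is the kind of check a merchant can run over its own data to confirm that no full card number (PAN) has slipped into scope.

```python
"""Tokenization of card data: the merchant keeps only an opaque token; the
card number (PAN) lives only in a separate vault run by the PCI DSS-certified
provider. Constructed example; TokenVault is a hypothetical provider API."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to recognise real-looking PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the third party's vault (hypothetical, not a real API)."""

    def __init__(self):
        self._store = {}        # token -> PAN; only the vault ever holds this

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Token is random, not derived from the PAN, so it reveals nothing
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def last4(self, token: str) -> str:
        """Display-only fragment; PCI DSS permits showing at most last four."""
        return self._store[token][-4:]

    def charge(self, token: str, amount_pence: int) -> dict:
        """Provider uses the PAN internally; the merchant never sees it."""
        pan = self._store[token]
        return {"token": token, "amount": amount_pence,
                "approved": True, "last4": pan[-4:]}


class Merchant:
    """Merchant-side code: retains token and last four digits only."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []        # the only card-related data the merchant keeps

    def checkout(self, pan: str, amount_pence: int) -> str:
        token = self.vault.tokenize(pan)      # PAN leaves scope after this call
        self.orders.append({"token": token,
                            "last4": self.vault.last4(token),
                            "amount": amount_pence})
        return token


PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_pans(records) -> list:
    """Scan stored records for anything that looks like a full PAN
    (13-19 digits passing Luhn). An empty list means no card data in scope."""
    found = []
    for rec in records:
        for value in rec.values():
            for m in PAN_RE.findall(str(value)):
                if luhn_valid(m):
                    found.append(m)
    return found


def demo() -> dict:
    vault = TokenVault()
    merchant = Merchant(vault)
    # Constructed input: the well-known Visa test number, not a real card
    token = merchant.checkout("4111111111111111", 1999)
    receipt = vault.charge(token, 1999)
    # A merchant that stored the PAN directly would be caught by the same scan
    naive_orders = [{"pan": "4111111111111111", "amount": 1999}]
    return {"token_prefix": token[:4],
            "approved": receipt["approved"],
            "merchant_leaks": find_pans(merchant.orders),
            "naive_leaks": find_pans(naive_orders)}


if __name__ == "__main__":
    print(demo())
```

The scan is deliberately crude (digit runs plus a Luhn check) but it is the same test an assessor applies to logs, databases and backups: if it finds nothing, the merchant's systems hold no cardholder data and the bulk of the standard falls on the provider instead.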

I must declare an interest here because my company, Actinic, has recently released a tokenization service designed to address exactly this issue. It relies on the PCI DSS certification of our partner, Creditcall. We use it internally, and it is tightly integrated with our software and services, thus removing the burden of compliance from both our customers and ourselves.

It’s only a matter of time

I hate to admit it, but the principles of PCI DSS are actually good. It’s also good that the banks have been quite pragmatic in pushing it. Whether even the latest deadline can be met is doubtful. Certainly no company embarking on PCI DSS compliance right now has any hope of succeeding unless they switch to a third party service. But there is no doubt that the banks are fully committed to both compliance and enforcement. Sooner or later, one way or another, every business that wants to accept card transactions will be forced to comply. The train is already at the platform. It’s time to get on board.
