Why PCI DSS compliance isn’t always about payments technology


by Paul Prior, Chief Product Officer

Despite the fact that the PCI DSS has been around for more than a decade now and that version 3.0 has recently been published, there remains some confusion about what makes a merchant compliant. This is particularly evident in the Level 4 space, largely resulting from a general deficit in training and awareness of the requirements in the SMB community.


It is still not unusual for us to hear statements to the effect that “secure” terminals and authenticated EMV transaction processing amount to merchant PCI DSS compliance. What I am about to write may seem obvious to those of us who have worked with the standard for some time, but PCI DSS compliance isn’t just about the POS technology environment.


In order to illustrate the point I have pulled together a couple of interesting anecdotes from our experiences in helping merchants to understand PCI DSS.


The Terminal is just the tool

In a face-to-face environment the POS technology is merely the tool used to transmit (hopefully encrypted) card data to the acquirer or processor for processing. However, in some cases other business processes can lead to compliance and security issues that are not always obvious, particularly to the acquirer.


In one scenario an entrepreneurial gentleman had entered into a merchant services contract so that he could take cards at his bar. Recognising an opportunity in the burgeoning local music scene, he decided that he could add additional revenue to his business by running gigs and began to charge for these shows and sell tickets for these events.


The success of this enterprise led him to expand his business to outdoor events and concerts in other local venues.


All good, you may think! What he didn’t do was inform his acquirer that, as part of this business expansion, he was now accepting cards as a method of booking and selling tickets, or that in order to do this he was storing all of his customers’ card data in a spreadsheet on his laptop and keying them into the terminal at his bar.


Thankfully, this came to light for both acquirer and merchant when he attempted to report his PCI DSS compliance, and he has since implemented a payments solution more suited to his business model.


Home grown loyalty

Another story that I regularly recount is the one about the grocery store chain owner who took it upon himself to devise his own loyalty programme. This guy had custom built a loyalty application for his regular customers. The problem this time was that he was using his customers’ Primary Account Number (PAN) as the loyalty membership ID and as the primary key in his database!


No such thing as a free lunch

More recently we heard a story about a restaurant owner who had taken steps to protect himself from exposure to potential chargebacks. Quite astutely, he had instructed all of his staff that, for every card presented for payment, they should photocopy the card (front and back!) and store the copies in a cabinet in his office.


This, he thought, would be definitive proof that both card and cardholder were present for the transaction, and sufficient evidence to dispute any possible chargeback. While you have to admire his ingenuity, you also have to wonder whether he realised the potential for fraud that he had introduced.


The point is that, although from an acquirer standpoint the volume of card data in these examples is relatively low, these stories do illustrate that acquirers need to stay constantly on top of how and where unrecognised risk can be introduced into the payment chain, even by those with the best of intentions.


Sysnet Global Solutions offers a range of white-labelled solutions, including Level 4 compliance portals that hand-hold merchants through the compliance process and direct them towards the correct SAQ based on their payment processing mechanisms.


Our portal can also be used to deliver key training and awareness messages targeted to specific merchant groups, including articles, video and e-newsletter content. Furthermore, a dedicated help desk team is available to provide IM chat, email and telephone support to all portal merchants, helping them become fully engaged and feel valued by their acquirer.


To learn more about our solutions or for more information about our services, please visit www.Sysnet.air.com or email sales@sysnetgs.com

