RFP News

Security - Bank’s Or Merchant’s Problem? Is PCI DSS A Real Solution?
Published on 25 Jul 2011

The Payment Card Industry Data Security Standards Council (PCI DSS) is the fruit of joint efforts by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to raise the level of security in payment card processing. Adherence to the PCI principle of continuous, future-proof compliance is supposed to block malicious interference with payment card data. Despite the good intentions with which PCI DSS is paved, there are debates over its practicability. How well can PCI DSS work out, and which providers encourage its existence?

Essence of PCI DSS

Service providers and merchants willing to join the PCI Council need to meet specific requirements, set out for example in Self-Assessment Questionnaires (PCI DSS SAQ). Providers pass through three phases to reach an Attestation of Compliance: Assess, Remediate and Report. Assess refers to identifying where cardholder data is held, Remediate to protecting that data and storing it for the shortest period possible, and Report to ongoing accountability to the card brands and acquiring banks.

The Council has also set up PIN Transaction Security (PTS) requirements for device vendors and manufacturers. PTS addresses the protection of all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals.

The recent slowdown in retail activity has made the transaction management sphere even more fickle and vulnerable. The race for a highly secure solution sometimes turns out to be a thankless task for providers, as they spend heavily to support new technology standards while watching frugal, fastidious consumers hold back. The PCI Council helps vendors in their frenzied efforts to reach greater security in a cost-effective manner. The Payment Application Data Security Standard (PA-DSS) checks providers' fitness for processing, storing and transmitting cardholder data, thereby establishing the level that providers should strive for.

The ranks of technology providers certified against PCI DSS grow by leaps and bounds despite the pitfalls on the way to achieving this standard. This may be explained by recent procedural amendments that PCI has made. Sage Payment Solutions, Hypercom, WorldPay and Diebold Inc share the views of PCI. Sage registered its payment middleware application Sage Exchange version 1.0 for the small-merchant niche. The app protects credit card transactions by encapsulating the data throughout the whole cycle. The product was validated by PA-QSA Trustwave until 28 Oct 2013.

Another popular payment provider, Hypercom Corporation, received accolades from PCI for its Windows-based payment engine SmartPayments Savannah Client. Designed as a standalone product, as an easy-to-use integration solution, or as its own device manager for PIN pads, check readers or signature capture devices, the SmartPayments app operates on a host basis. Chief Security Officers served as PA-QSA for certifying this product.

WorldPay also forms part of the PCI environment, participating as a supplier of processing services. The recently announced alliance between WorldPay and Semafone in the space of Secure Voice Transactions seeks to reduce call centre fraud while increasing PCI compliance. The combined solution lets customers share card data via their telephone keypad without speaking it aloud. The captured data is not stored by the provider; it is processed securely through WorldPay, which means call centre operators never handle the sensitive customer information.

Diebold Inc is not idle on the PCI compliance front either. Its Agilis 91x XV solution, validated by Solutionary, Inc., "drives the ATM and provides a consumer interface allowing a consumer to make withdrawals, deposits, check balance, and other financial transactions to include making cash advances against a consumer's credit card," says the PCI website.

The process for the sake of the process?

Opponents of the PCI standard claim that it makes life for merchants and providers even more arduous, as it puts additional pressure on already complicated methods of electronic processing without a complete guarantee of data security. The sophisticated certification procedures of PCI, with so many parties involved, raise a doubt: isn't more attention paid to the process itself than to its final purpose of making transactions more reliable?

Jost Stollmann cannot be counted among the opponents of PCI, as he serves as chief executive of Sydney technology firm Tyro Payments, which is certified against PA-DSS. In Tyro's view, "security should be the bank's not the merchant's problem". Jost is of the opinion that data storage is a stage of greater concern than data transmission. Consolidated transaction traffic with fewer data depots along the way could be a reasonable way to cut the number of fraudsters and other data hunters, the Sydney-based expert considers.

Jost Stollmann in an interview with Wietske Blees, regulatory analyst:

"One obvious example would be to limit the number of locations in which data is stored, and to store the data in a place where it can be adequately protected. In simple terms, that means that sensitive cardholder data should stay within the bank's secure sphere. Integrated EFTPOS, online and mobile payments must be designed in a way that quarantines financial transaction traffic. This would in turn protect sensitive cardholder data from exposure to the merchant's POS system, computer network and other networked devices."

Tighter control and compliance standards certainly cause additional pain to technology vendors, but they serve the interests of end users. And aren't users the ones whose interests IT companies should work for?

Helen Deborg