PCI DSS – Card Companies Fight Back Against Rising Fraud
Jason Siddall
Card-Not-Present credit card fraud in South Africa increased by 44.5 percent in 2017-2018, compared to the previous year. It accounted for just over 70 percent of all losses on South African-issued credit cards, making it the leading contributor to gross fraud losses in the country. In 2017 alone, total credit card fraud amounted to R436.7 million. Coupled with debit card fraud of R342.2 million, the total loss was almost R800 million. These are startling statistics, and ones which only serve to underline the critical importance of PCI DSS compliance.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council, an independent body founded by the major card brands (Visa, MasterCard, Discover, American Express and JCB) to reduce payment card fraud. Any merchant or service provider that stores, processes or transmits cardholder data is contractually required by the card brands to comply, wherever in the world it operates, and in South Africa it is also a PASA (Payments Association of South Africa) regulation.
What that means is this:
PASA has been appointed by both the government and the Reserve Bank to implement and regulate PCI DSS. If your business accepts card payments, online or otherwise, you have to ensure that cardholder data is stored, processed and transmitted only within a secure environment so that the data is not put at risk. This is known as being PCI compliant.
PCI DSS is the industry standard for payment card security, and every merchant and service provider that processes, stores or transmits cardholder data must validate its compliance every year. First published in 2004, the standard aims to reduce the high incidence of credit card fraud, and businesses that are non-compliant risk losing both money and customers. After all, you wouldn’t want to purchase products from a company that makes you feel as though your credit card information is vulnerable. When you buy something online and enter your card details, you need reassurance that your information is properly protected. Businesses that are not PCI compliant are far more likely to handle your card details over unsecured channels and on poorly secured systems, exposing your information to a greater chance of compromise.
Becoming PCI DSS Compliant
Merchants normally validate compliance through their acquiring bank’s merchant portal (Standard Bank’s Merchant Online, for example). PCI DSS sets out twelve requirements grouped under six goals; some of the controls that must be in place before compliance can be validated include:
- Install and maintain a firewall configuration that protects cardholder data, and review it regularly.
- Antivirus software must be in use and kept up to date.
- Cardholder data must be encrypted with strong cryptography (for example TLS) whenever it is transmitted across open, public networks.
- Segment the cardholder data environment from the rest of your network. Segmentation is not strictly mandatory, but it reduces the number of systems that fall within the scope of the assessment.
- Keep tamper-resistant, centralised audit logs for at least one year, with at least the most recent three months immediately available for analysis.
- Restrict physical access to cardholder data.
- Change all vendor-supplied defaults for system passwords and other security parameters before a system goes into production.
- Track and monitor all access to cardholder data and network resources.
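As an added example (not code from the original post or from Huge Connect), the script below shows one concrete control behind the logging and cardholder-data points above: it scans application log lines for unmasked primary account numbers (PANs), uses the Luhn checksum to discard look-alike digit runs such as order numbers and timestamps, and masks any hit to the first six and last four digits, the most that PCI DSS v3.2.1 permits to be displayed. The log lines are constructed for the example, and the card numbers in them are the well-known test numbers, not real accounts.

```python
"""Find and mask unmasked PANs in log lines (added example, not Huge Connect's code).

PCI DSS requires PAN to be rendered unreadable wherever it is stored and
masked when displayed (first six / last four digits at most). Log files are
a classic place where full PANs leak, so a scan like this is a useful check.
"""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit run is not partially matched).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. The PANs are standard test numbers.
SAMPLE_LOG = [
    "2018-03-02T10:15:01Z INFO  payment ok  pan=4111111111111111 amount=499.00",
    "2018-03-02T10:15:07Z DEBUG gateway req card=5555 5555 5555 4444 exp=12/20",
    "2018-03-02T10:15:09Z INFO  order=1234567890123 status=shipped",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    """Strip the separators the regex allows between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid candidate in the text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the maximum PCI DSS v3.2.1 allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> str:
    """Replace each Luhn-valid candidate in a line with its masked form."""

    def _sub(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)  # not a PAN (fails Luhn): leave the text untouched

    return _CANDIDATE.sub(_sub, line)


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every unmasked PAN found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found, masked form {masked}")
    print("\n".join(redact_line(line) for line in SAMPLE_LOG))
```

The Luhn check is what keeps the scan usable: without it, every 13-to-19-digit identifier in a log would be reported. It is not proof that a number is a real card, so hits still need a human look, but a hit in a log file is already a finding, since full PAN should never have been written there in the first place.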
Once compliance has been validated, it must be re-validated every year. Lower-volume merchants complete an online Self-Assessment Questionnaire (SAQ), while the highest-volume merchants need a Report on Compliance compiled by a Qualified Security Assessor (QSA). Your acquiring bank will tell you which merchant level, and therefore which validation method, applies to you.
If your business is not compliant at the time it is involved in a card compromise or fraud incident of any kind, you will have to undergo, at your own expense, a card brand-mandated investigation by a PCI Forensic Investigator (PFI). You also risk dispute resolution costs, penalties for non-compliance, additional fines, lost sales and lost customer confidence. All of which means one thing: it is much easier, safer and less costly to make sure your business is PCI DSS compliant.
“Customer data protection is every company’s responsibility,” says business development manager Francois Engelbrecht. “Management needs to be aware of these regulations and must be able to be proactive, not just reactive when it comes to data security. Companies are in for a rough ride, with increased regulatory compliance and new legislation being introduced worldwide. The consequences for data breaches are severe, and will cripple most businesses.”
As a PCI DSS compliant company, Huge Connect has no ability to access any customer card data. Cardholder data is transmitted from our client, across the Huge Connect network, to the acquiring bank at the data-link layer (layer 2); we do not store or process any cardholder data.
Our certificate of PCI DSS compliance is available to see on our website, as is our attestation of compliance and our Directive pertaining to any correspondence containing Primary Account Numbers (PANs).
All of which means you can trust Huge Connect to transmit your information safely and securely across our network. If you’d like to find out how this can benefit your business, chat to us today.