As credit card and PIN data security breaches continue to get press
coverage, the reach of Payment Card Industry (PCI) Data Security
Standard compliance is expanding quickly.
The card associations are investing millions in improved credit card
data security. Of course, they’re also intent on protecting that
investment with increasingly strict guidelines for handling sensitive
card data. When you stop to think of all that is at stake–for credit
card holders, merchants, resellers, developers, processors, merchant
banks and card associations–today’s PCI standard is likely just the
beginning of compliance requirements that will become stricter for
years to come.
In addition to adhering to the 12 requirements of the PCI Data Security
Standard for the secure handling of sensitive credit card data, which
apply to everyone in the payment processing chain, there is now also the
Payment Application Best Practices (PABP) validation of the
point-of-sale (POS) application. Another component of Visa’s Cardholder
Information Security Program (CISP), PABP is currently voluntary.
However, Visa is expected to make PABP audits mandatory sometime this
year. POS developers will have one year to comply.
A PABP audit, which must be done by an independent, Visa-qualified
security assessor, can cost $15,000-$25,000.
For the smaller POS developer, this may prove an impossible barrier.
On the other hand, developers whose applications become PABP validated
and are listed on Visa’s Website will gain a huge competitive advantage
in a limited market.
The POS developer who wants to stay in business must first be able to
afford the audit and then be able to pass it. Those who partner with
integrated payment processors focused on the developer and reseller
channel will find they can get assistance with both.
Integrated payment processors that are committed to helping their
partners achieve PCI compliance start by lending technical expertise at
the time of integration. Additionally, they can evaluate a developer’s
payment application, identify gaps, and help close those gaps before the
audit is requested. This service alone can save the developer thousands
of dollars by preparing them for a speedy and efficient audit process.
Merchants, too, will experience heightened security measures from the
card associations this year.
American Express recently lowered the transaction volumes that
designate Level 1, 2 and 3 merchants. Level 1 merchants are required
to get an annual PCI audit and quarterly network scans. Merchants
formerly were designated Level 1 if they processed six million or
more transactions per year. That level is now set at 2.5 million
transactions for American Express. Visa and MasterCard are expected
to follow suit.
American Express’s Level 2 merchants, now defined as those processing
between 50,000 and 2.5 million transactions per year, are required to
get quarterly network scans and may have to start completing annual
self-assessments. American Express is directly contacting the merchants
who are now required to have scans or audits completed by
October 31, 2006.
This signals that the card associations are clearly no longer focused
only on processors and large merchants. POS developers as well as
smaller and mid-size merchants are now under scrutiny.
Merchants of all sizes and venues are looking to their payment
processors and POS system vendors to help them with PCI compliance.
POS developers who take a forward position in seeking PABP validation
before it becomes mandatory will be prepared to meet increasing
merchant demand for validated POS systems.
For additional information about PABP, PCI or to review security
breach stories in the news, visit www.mercurypay.com/PCI.asp.