Some charities avoid PCI compliance because they perceive it as time consuming and expensive; in reality, becoming PCI compliant can be straightforward. Charities need to demonstrate (validate) their compliance every year. How they do so depends on transaction volume: the largest merchants are assessed on site by an independent Qualified Security Assessor (QSA), while most small organisations complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance to their acquiring bank. Either way, the validation needs renewing annually.
Chip and PIN has been the main fraud-reduction driver in face-to-face environments, and the e-commerce sector has its own risk-mitigating technologies. While face-to-face and e-commerce fraud rates have dropped significantly thanks to these measures, the number of solutions that can fight telephone payment fraud remains limited, so it is incredibly important to make every effort to secure payment data given over the phone.
PCI compliance is the single most important thing that small businesses and other organisations can do to keep payment card transactions, including those made over the phone, secure and to help prevent data theft.
The Payment Card Industry Data Security Standard (PCI DSS) was established so that card payments are processed more securely and business fraud is reduced. Compliance means meeting a set of requirements for the storage, transmission and processing of cardholder data. To get there, you can engage a PCI SSC-Qualified Security Assessor (QSA), pick a payment provider that keeps cardholder data out of your own systems (which reduces, but does not remove, your own compliance obligations), or work through the self-assessment steps yourself.
The Financial Conduct Authority in the UK, as well as other regulatory bodies across Europe, requires some organisations to record and store telephone conversations in a range of situations. The PCI DSS, however, stipulates that the CVV2 (Card Verification Value 2, the three-digit security code printed on the card; four digits on American Express cards, where it is called the CID) must not be stored after authorisation, even in encrypted form, and that the full Primary Account Number (PAN) may only be stored if it is rendered unreadable, for example by truncation, tokenisation or strong encryption. This means there is a real risk that organisations who take card details over the phone are recording the full cardholder details, and are therefore breaching mandatory requirements of the PCI DSS.
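The practical question this raises is how to find out whether existing call recordings (or their speech-to-text transcripts) already contain the data the PCI DSS says must not be there. The following is an added example, not code from the original page or from any PCI SSC material: it scans transcript text, identifies candidate PANs by digit count and the Luhn check, masks them to the first six and last four digits (the most the PCI DSS permits to remain visible), and redacts any security code spoken after a cue word such as "CVV" or "security code". The transcript and the reference number are constructed; 4111 1111 1111 1111 is a well-known Visa test number, not a real card.

```python
from __future__ import annotations

import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes as a caller
# would read them out ("4111 1111 1111 1111").
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# A 3- or 4-digit security code spoken right after a cue word. Assumption: agents and
# callers use one of these words; extend the list for your own scripts.
CVV_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|security code)\b(\s*(?:is|:)?\s*)(\d(?:[ -]?\d){2,3})\b"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), which every genuine PAN satisfies.

    Used to tell card numbers apart from other long digit strings such as
    customer reference numbers, which would otherwise be masked needlessly.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first 6 and last 4 digits; replace the rest with asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(text: str) -> tuple[str, dict[str, int]]:
    """Return the transcript with PANs masked and security codes removed,
    plus a count of what was found (useful for a compliance report)."""
    findings = {"pans": 0, "cvvs": 0}

    def _cvv(m: re.Match) -> str:
        findings["cvvs"] += 1
        return m.group(1) + m.group(2) + "[REDACTED]"

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave it alone
        findings["pans"] += 1
        return mask_pan(digits)

    # Redact the security code first so its digits cannot be swallowed into a PAN match.
    text = CVV_RE.sub(_cvv, text)
    text = PAN_RE.sub(_pan, text)
    return text, findings


if __name__ == "__main__":
    # Constructed transcript line; the card number is a public test number.
    sample = (
        "Caller: the card number is 4111 1111 1111 1111, expiry 12/26 "
        "and the CVV is 123. Agent: thanks, your reference is 1234567890123."
    )
    cleaned, report = redact_transcript(sample)
    print(cleaned)
    print(report)
```

Running this over the sample leaves the reference number untouched (it fails the Luhn check), masks the card number to 411111******1111 and replaces the security code with [REDACTED]. Treat a non-zero count as evidence that the recording process is capturing cardholder data and needs changing: redacting after the fact is a clean-up and detection control, while the stronger control is to keep the data out of the recording in the first place, for example by pausing the recording while the digits are read or by having the caller key them in via the telephone keypad so the agent never hears them.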
The PCI Security Standards Council maintains the standard; the card brands (such as Visa and Mastercard) and the acquiring banks enforce it. Merchants, payment service providers and any other organisation that stores, processes or transmits card data must validate their compliance to their acquirer or to the brands, and a merchant that is non-compliant can be charged a monthly non-compliance fee by its acquirer.
If you take card payments, you cannot avoid the PCI DSS. Ultimately the requirements you have to meet keep both you and your patrons safe from data theft, so staying compliant is imperative for every organisation that handles card details.