Credit card fraud costs the Australian economy upwards of $600 million per year. Credit card information was the most commonly sold product on the darknet in 2010, accounting for 22 percent of sales. More specifically, much of that cost falls on the credit card schemes themselves. The PCI DSS were developed separately over the course of the 90s by different credit card schemes (such as Visa and MasterCard) and were finally amalgamated into one standard in 2004 as a means to limit fraud. The PCI DSS must be complied with by every organisation which stores or collects credit card information.
What is the PCI DSS?
The PCI DSS were developed by the major credit card schemes Amex, Visa, MasterCard, Discover and JCB to limit credit card fraud. Early movers on the web often stored valuable credit card information in insecure ways, making it low-hanging fruit for hackers incentivised to pilfer card details. The PCI DSS provide self-regulating guidelines for any entity which stores or collects credit card information. There are 12 standards which comprise the PCI DSS, divided into six categories.
Briefly, the categories are: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy. The full list of 12 standards can be found here.
Why Do Organisations Comply and How is Compliance Checked?
Payment brands (Visa, MasterCard, etc.) enforce compliance through contracts. For example, if the Commonwealth Bank wants to use the MasterCard payments system for its cards, it needs to agree to MasterCard’s terms. MasterCard’s terms incorporate the PCI DSS, so even though the PCI DSS isn’t a law, every financial institution (Westpac, Commbank, etc.) will be bound to it if they want to offer their clients/customers credit cards or any type of payment card.
An organisation which stores credit card information needs to set up the systems required by the PCI DSS in order to comply. There are two ways for an organisation to check compliance:
- an annual on-site security audit and a quarterly network scan; or
- completing a self-assessment questionnaire.
Penalties for Breach
The PCI Security Standards Council (which administers the PCI DSS) does not administer or impose penalties. However, each payment brand has its own contractual methods of enforcing compliance.
For example, if the Commonwealth Bank is found to be non-compliant with the PCI DSS at any time, or if fraud occurs and Commbank is found not to have been compliant with the PCI DSS at the time, then the payments system may impose a fine. If an entity which uses Commbank to take payment does not comply with the PCI DSS, then Commbank may impose a penalty pursuant to the merchant contract it has in force with that entity.
In conclusion, the PCI DSS are a set of standards designed to give guidance on the safe storage of credit card details, in order to limit credit card fraud. The PCI DSS are not law; however, penalties may be imposed for their breach because they are incorporated into contracts between major financial institutions and payment schemes, and between financial institutions and the entities which use their payment systems. If you have any questions about the PCI DSS, get in touch with LegalVision’s business lawyers.