PCI DSS is an acronym you should be familiar with if you run a business that collects and stores credit card information. If you’re considering storing credit card information in your business (to charge late fees or cancellation fees, for example), you should understand what the PCI DSS is and how it affects your business.
What is the PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standards. The origins of the PCI DSS lie with the major credit card providers Visa, MasterCard, American Express (AMEX), Discover and JCB. These credit card giants were worried about credit card fraud and the increasing sophistication of the methods used to hack people’s payment details. What resulted were separate standards brought out by each credit card body, governing how merchants should store credit card details to ensure maximum protection. One bright spark argued for strength in numbers and suggested that each credit card company’s standards be amalgamated into one central standard governing the safe storage of credit card details. PCI DSS first came into being in 2004.
Application of the PCI DSS
The standards aren’t contained in any piece of legislation in Australia (or elsewhere). The standards form a self-regulatory framework for financial institutions and payment merchants to follow if they choose. In practice, PCI DSS are contained in merchant contracts. What does this mean? We’ll use an example to illustrate.
Say you run a shoe store on Pitt Street. To take payment via card, you need a Point of Sale (POS) terminal. Commonwealth Bank gives you the best rates on renting POS equipment, so you go with Commonwealth Bank, signing their merchant contract (this outlines the terms on which Commonwealth will supply you with the equipment). Commonwealth Bank is called the ‘acquiring’ bank because they acquired the right to provide you with POS equipment.
If card details are stolen from your POS, say using a card skimmer, then your acquiring bank (Commonwealth Bank) might be fined if you were not PCI DSS compliant at the time of the credit card theft. The fines might be passed to you as the merchant, but usually, banks choose to absorb the fines.
The following six standards form the PCI DSS:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
The PCI DSS are a set of standards designed by the major credit card schemes in the early 2000s as a way of protecting them from credit card fraud and scams. The PCI DSS are not built into law in Australia – instead, they are rules designed for self-regulation.
The PCI DSS mainly apply to banks and large financial institutions, which may require that merchants who collect and store credit card information comply with the PCI DSS. If you require any assistance with complying with the PCI DSS, get in touch with LegalVision’s contract lawyers.