
Comply with credit card security standard or pay the price of fraud, warns business lobby group

9 October 2008

The FPB is warning that small firms handling or storing credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS), or face a fine, paying the full cost of an intrusive audit and having their ability to process credit card payments withdrawn completely in the event of fraud. According to the latest figures from the Association for Payment Clearing Services (APACS), payment card fraud is increasing. Financial losses went up by 14% to £301.7 million in the first six months of 2008.

 

The PCI DSS, which is updated annually, was developed in 2005 by the leading credit card companies as a guideline to help organisations processing card payments prevent credit card fraud and other security threats. Any company processing, storing or transmitting payment card data must comply with the Standard or face paying out – but some of the FPB's members are completely unaware of the requirement.

"With instances of credit card fraud on the rise, it is important that businesses put in place water-tight security procedures to minimise the risk of being caught up in the net," said the FPB's Director of Finance, Nick Palin. "The FPB's members who have contacted us about the PCI DSS believe it has not been adequately publicised. However, the consequences of not complying could be costly."

In September, FPB member Stuart Hamilton, of tool company Hamilton Beverstock Ltd, was shocked to receive a letter from Barclaycard telling him he had to comply with the PCI DSS – by the previous June.

"The banks have got together to develop this standard. If I did that with my competitors, it would be called a cartel," said Mr Hamilton. "They are saying that if we don't comply and a fraud occurs, and the trail leads back to our system along the line, the cost will be passed back to us, in addition to a large fine. Further, they reserve the right to audit all of our credit charge slips and pass the cost of that back to us as well."

He added: "Like me, many retailers I've spoken to had no idea about this. It's baffling – I don't store any credit card details on a computer system, so I need to be physically secure, but they don't say in the Standard exactly what that level of security is. We don't know if we're covered or not, and I'm annoyed that we would have to bring in a consultant sent by the bank to find out what kind of locks we need.

"It is worse for small internet companies using PayPal, or something similar, for example. They have to ensure that the third party they are using is compliant, and if not could end up paying massive costs. There is no burden of proof required – it seems these credit card companies can do what they want."

A spokesperson for APACS urged business-owners to contact their banks directly for more information about complying with the Standard.

"To comply with the Standard, a business needs to file PCI DSS compliance reports with its acquirer, which will then provide evidence of compliance to each of the card schemes, such as Visa and MasterCard," she said. "Possible sanctions for not complying could include financial penalties, withdrawal of card processing equipment, and, potentially, liability for any fraud losses resulting from a proven compromise of data."

She added: "Any business thinking about accepting card payments will clearly want to make sure they are best protecting their business from liability for card fraud losses, and the situation will vary depending on whether they are considering online or face-to-face transactions – as the latter benefit from chip and PIN protection. An acquiring bank should be happy to discuss your options."

However, according to Brian Murphy, of Buckinghamshire-based electricity company Pulsar Developments, even firms which follow the security procedures stipulated by payment card providers receive no guarantee of payment in the event of fraud – even if a chip and PIN system is used.

"Recently, I wanted to install a facility to take credit card payments. I asked the provider if they would guarantee that I would be paid in the event of a fraud, providing I had carried out all the security checks required," said Mr Murphy. "After about three days, the answer that came back was 'no'. These lenders are selling a system that they are not prepared to stand by."

He added: "It also applies to debit cards. As far as I am aware, none of them provide a guarantee of payment yet reserve the right to pass back the charges, at their discretion, if fraud takes place. That is not my problem, but a problem with their system. Unfortunately, they won't volunteer any of this information easily to their business customers."

Information on the specific requirements of the Data Security Standard is available from www.pcisecuritystandards.org.