Jacobs Media Group is honoured to be the recipient of the 2020 Queen's Award for Enterprise.

Credit and debit card payments

02 December 2009
Credit and debit card payments

Anyone who accepts credit or debit card payments must be aware of their obligations under the Payment Card Industry security standard, advises Mark Child, a partner at Kingston Smith Consulting LLP.

THE PROBLEM

I run an independent hotel on the Norfolk coast. The majority of my customers use a credit or debit card to pay the advance deposit and to settle their bill. What does the latest Payment Card Industry security standard mean for me?


THE LAW

The Payment Card Industry (PCI) - a joint operation covering all major card brands including Visa, MasterCard and American Express - has devised a security standard to protect cardholder data. It lays down minimum requirements for processing, storing and transmitting card account information. For example, a record of the "security code" - the last three digits on the back of a card - cannot be kept after it has been used to authorise a transaction.

Areas covered by the standard include the need to have an appropriate security policy, adequate protection of IT software and infrastructure against unauthorised access, anti-virus measures and regular monitoring and testing of IT systems.

These requirements apply to all organisations accepting payment cards, irrespective of their size or the number of transactions.

Compliance with the standard must be validated on a regular basis and most businesses will also be required to report the state of their compliance to their acquiring bank - the bank which handles their card transactions. The reporting requirements can be complex and vary according to the number of transactions processed annually.

EXPERT ADVICE

The first thing to do is to familiarise yourself with the requirements of the standard which can be downloaded, together with supporting documentation, for free from www.pcisecuritystandards.org/security_standards/pci_dss.shtml. You then need to decide which parts apply to your own situation. For example, if you don't record cardholder details on any IT system - including eâ€'mail - you can ignore certain parts of the standard which relate to computer applications and infrastructure.

You should ask your bank to confirm the reporting they need to see. Finally, you need to arrange to validate your compliance with the standard, and provide reports where necessary in the PCI's standard format. It may be necessary to hire the services of a qualified security assessor firm to oversee your compliance, including testing the security of your computer systems. In any case, you would be wise to seek the advice of an accredited firm, which will be able to give you cost-effective guidance on the most appropriate measures you need to take to achieve compliance with the standard.

The PCI rules are complex and for some companies the outsourcing of card transaction processing to a specialist PCI-compliant third party may be the only practical solution.

CHECK LIST

  • Download and familiarise yourself with the PCI data security standard.
  • Review security arrangements regularly and strengthen them where necessary.
  • Agree PCI reporting requirements with the bank handling your card transactions.
  • Provide regular reports where required to do so.

BEWARE!

Failure to comply with the standard is likely to result in you being held responsible for reimbursing any resultant losses owing to fraud. In addition, you may be subject to more severe sanctions ranging from fines to being prohibited from accepting any payments by card.

CONTACT

Mark Child, partner, Kingston Smith Consulting LLP
020 7566 3731

The Caterer Breakfast Briefing Email

Start the working day with The Caterer’s free breakfast briefing email

Sign Up and manage your preferences below

Check mark icon
Thank you

You have successfully signed up for the Caterer Breakfast Briefing Email and will hear from us soon!

Jacobs Media Group is honoured to be the recipient of the 2020 Queen's Award for Enterprise.

The highest official awards for UK businesses since being established by royal warrant in 1965. Read more.

close

Ad Blocker detected

We have noticed you are using an adblocker and – although we support freedom of choice – we would like to ask you to enable ads on our site. They are an important revenue source which supports free access of our website's content, especially during the COVID-19 crisis.

trade tracker pixel tracking