For more information contact us on:
T:0118 948 2588
E:enquiries@ackltd.co.uk
PCI Background Information
Consumers have enjoyed using credit and debit cards for many years. Whether they are used to buy food, petrol, holidays or meals in restaurants, plastic cards are part of everyday life.
Regrettably, plastic card fraud is rife, and although the introduction of chip and PIN has drastically reduced cardholder-present fraud, cardholder-not-present fraud (eCommerce and mail order) continues to rise.
Large-scale fraud is being perpetrated by sophisticated thieves who have been able to extract credit and debit card information from unsecured databases, by ‘skimming’ cards (although chip and PIN has reduced this, as the cardholder should not let their card out of their sight) and by several other means.
In the USA there have been some major compromises of card databases; one high-profile case involved 40,000,000 card details falling into the hands of criminals. The consequential loss to the card operating companies is immense, and not just in fraudulent transactions: there are significant administration and logistics costs associated with cancelling and issuing new cards, plus the extra burden on customer service departments of dealing with innocent cardholders who have become victims of fraud.
As a consequence of these compromises, four major credit card companies - American Express, JCB, MasterCard and Visa - decided to create a set of security regulations to help prevent theft of consumers' data. The Payment Card Industry Data Security Standards (PCIDSS) were created by MasterCard and agreed to in 2004 by the other credit card companies. PCIDSS compliance is designed to protect the card companies, merchants and consumers from suffering financial and data loss because of unprotected network systems.
PCIDSS was originally targeted at eCommerce companies but now covers every organisation accepting and processing credit card payments. It should be pointed out that the current standards are still orientated towards eCommerce organisations and payment service providers; as a result, there are anomalies in the customer-present market which the current standard does not address. A good example of this is the APACS standards, which fall short of the PCIDSS requirement to ensure card data is stored and transported across a network in encrypted format - APACS-compliant systems (which include all the acquiring banks in the UK) can only accept card data in unencrypted, or clear, format.
Therefore, in a basic High Street retail site the ACK transaction logs may be encrypted throughout the day, but when that file is converted to an APACS 29 or 50 format ready for submission to the acquirer, it must be sent unencrypted - and is clearly vulnerable to compromise. The expectation is that the PCIDSS will be the subject of regular review to either accept the compromise or impose stricter regulation on APACS Standards.
Any business that accepts credit cards needs to be aware of the PCI Data Security Standards and must consider implementing them to ensure it is not the source of any compromise, which in turn brings peace of mind to the merchant and its customers. All companies, irrespective of size, benefit because they can assure their customers of the safety of their network and avoid security breaches, which cost them loss of business, income and reputation.
