But how much thought do we give these payment systems? We’re presented with a card machine and we just put our card in it or wave it wistfully next to the screen and the magic happens. We give little thought to what is happening behind the scenes. Thankfully, though, the Payment Card Industry has it all taken care of and they even protect us through a Data Security Standard. Sounds brilliant, doesn’t it? Well it is. And it isn’t.
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organisation that stores, processes or transmits cardholder data, which includes anyone who has a card machine to take card payments from us. Its 12 requirements are what every such organisation MUST adhere to. The problem is, many organisations who have card machines don’t realise that they must comply. Well, that is until they report that they’ve been hacked. Then the non-compliance train hits them like, well, an energy bolt from the Interceptor.
The payment brands (Visa, Mastercard, American Express, Discover and JCB) take a dim view of anyone reporting a breach, and the fines they can apply (levied on the acquiring bank and passed straight down to the merchant) can be crippling. Many organisations don’t have a segregated Cardholder Data Environment (CDE) - they’ve just stuck their card reader on the office WiFi alongside everything else and thought nothing more of it. Many just have that BT HomeHub as their firewall and think that everything is just fine. They’ve had their quarterly external vulnerability scan, which is only one part of one of the 12 requirements, so in their view they are PCI DSS compliant. Unfortunately, that’s far from the case.