PCI DSS: A Global Mandate
I had a different, and rather longer, post prepared for this evening on data retention policies and their impact on merchants processing payments. However, in the final cleanup phase, I decided to peruse today’s press releases as a distractionary device.
I happened upon something that changed my blog post for today.
This has, in my opinion, addressed one of the largest complaints I have read recently about PCI compliance. The “US-centric” approach to compliance has led many larger merchants and “service providers” (as defined by Visa) to state that PCI compliance is merely a set of guidelines rather than a mandated, and important, issue that requires appropriate attention.
To quote from the release directly:
"Compliance with PCI DSS is vital to ensuring the integrity of the global payments system," said Eduardo Perez, head of global data security, Visa Inc. "Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data."
The information about compliance requirements for each level of merchant can be found at the link above. However, it is worth noting that the mandates for compliance follow a different timeline than the mandates issued previously. In fact, we have only recently passed the October 1, 2008 deadline by which all Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS compliant applications.
A list of the compliance guidelines is available on the Visa website here. However, if you have questions about the impact of compliance mandates the blog post linked by Dave Herrald will provide an excellent overview.
Perhaps the best summary of the announcement is in the release itself:
"Standardizing compliance requirements better addresses the security risks in our truly global marketplace and is critical to ensuring the future growth of electronic payments worldwide," Perez concluded.
There is an assumption by customers that measures are in place to protect their data. This mandate makes large strides towards ensuring that assumption is valid.
What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below...
November 11, 2008