PCI Compliance

Payment Card Industry Security Standards Council


Introduced in 2006 after a number of high-profile fraud cases, the PCI Security Standards Council was set up to act as an open global forum "responsible for the development, management, education, and awareness of the PCI Security Standards."*1 The standards it publishes are intended to ensure that any business storing, transmitting or processing card data does not put its customers at risk of data theft and fraud. The council is made up of the payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., along with other specially selected members who share equally in the council's governance.

For more information on what is required to meet the PCI standards, see the council's Frequently Asked Questions.

Priority

First on the council's priority list were the larger financial institutions and retailers. For that industry, PCI DSS is now very much a routine part of day-to-day business:


"For retailers, only three things in life are certain - death, taxes… and PCI"

BT Expedite & Fresca*2

With criminals finding it increasingly hard to infiltrate these systems, thanks to the extensive security measures adopted, they are now turning to smaller, less well protected organisations such as universities and colleges. At the University of Reading, Finance, IT and Campus Card Systems are working together, and with other institutions, to share our experiences as we strive to achieve PCI compliance. The US are very much the PCI pioneers, in that many of their institutions are now compliant; however, it took a number of security breaches before the standard was taken seriously. In 2006, 24,000 Notre Dame University employees were affected by a data breach which not only put their personal details at risk but caused a storm of bad media coverage that was no doubt damaging to the university's reputation. Prior to this, the University of Connecticut and Stanford University had their computer security breached, leaving 82,000 people exposed to fraud. Notre Dame took this as a learning experience and made it a priority to ensure all their systems were more robust. They have now recently become PCI compliant.

Penalties

Although the programme is mandatory, it is not enforced by law. Instead, non-compliance penalties are imposed by the individual payment brands, and how severe these are depends on the number of transactions the individual organisation processes. Here at the University of Reading we incur a fine of 0.04p per transaction across the entire organisation. Other penalties for not complying with PCI DSS can range from increased security auditing to losing the ability to process card transactions altogether.

There is no doubt about it: we have a long road ahead, and for it to work we all need to be aware of how it affects us. If, as a department, you take payments in any way, please consider whether you are storing your customers' details in the safest way. If you have any concerns, please get in touch with us at ecommerce@reading.ac.uk. We may be able to offer you alternative means of collecting payments, such as the online store, or if necessary forward you on to IT Services.

For more information, please refer to the official PCI DSS website.

*1. PCI Security Standards Council, 2006-2013, https://www.pcisecuritystandards.org/organization_info/index.php

*2. BT Expedite & Fresca, "Death, taxes... and PCI", http://www.btexpedite.com/blog/death-taxes-pci

Do you deal with card payments?

Read our Card Handling Policy
