PCI DSS: Is it really safe for retails?

So, let's say you have just started a retail business and need to put a security system in place to protect the credit card, debit card, gift card and rewards-programme data you handle from being stolen. What do you actually need for this?

There is an international industry standard called the Payment Card Industry Data Security Standard (PCI DSS). It is an information security standard that every company or organisation that stores, processes or transmits cardholder data must comply with; it is not a law, but a standard the card brands mandate through their agreements with acquirers and merchants. In practice this means every merchant that accepts card payments, whether in store, online, or through e-payment and m-payment channels, needs to comply with it.

PCI DSS requires, among its twelve requirements, that stored cardholder data be protected and that cardholder data be encrypted whenever it is transmitted over open, public networks. At the time of writing the standard is at version 3.0, which took effect on 1 January 2014 (later 3.x revisions followed in 2015 and 2016).

Although PCI DSS is generally believed to protect cardholders' confidential information, there are many doubts about how effectively it does so. These doubts stem from the fact that PCI DSS concentrates on requirements for back-end storage of, and access to, cardholder data, while saying comparatively little about how that data is handled on the front end.

Without a clear procedure for how this information is handled on the front end, which usually means call centre agents, IVR (Interactive Voice Response) systems, mobile apps and websites, a leak can happen at this stage. It is common for call centre agents to ask for the cardholder's details, including the CVV, billing address and other confidential information. The simple questions to ask are: how sure are we that the call centre agent will not use the cardholder's personal information for their own purposes, and how sure are we that the staff who have access to the IVR recordings will not use that data?

This unclear side remains a dark side of PCI DSS and raises doubt and fear in the retail industry. The standard does address storage: it prohibits keeping sensitive authentication data such as the CVV after authorisation (Requirement 3.2), requires the PAN to be masked when displayed, showing at most the first six and last four digits (Requirement 3.3), and strongly discourages merchants and processors from retaining any cardholder data they do not need. The front-end weakness is therefore less a gap in the standard's text than a human one: the data passes through agents, recordings and application logs before any of those controls are applied, and a recording or log that keeps a CVV after authorisation is already a violation.
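One concrete check a merchant can run against front-end artefacts (IVR transcripts, call-centre notes, app and web server logs) is a scanner that finds card numbers with a Luhn check, masks them the way Requirement 3.3 describes, and strips any CVV that has been written down. The script below is an added example, not PCI SSC material or code from the original article; the log lines are constructed for the example and use well-known test card numbers rather than real accounts, and the field names (`cvv`, `pan`) are assumed.

```python
import re

# Constructed sample front-end artefacts: an IVR/call-centre transcript line,
# a mobile-app request log line and an unrelated order line. The 16-digit
# numbers in the first two lines are well-known test PANs, not real accounts.
SAMPLE_LINES = [
    "2014-03-02 10:14:03 agent=A17 caller said card 4111 1111 1111 1111 exp 12/16 cvv 123",
    '2014-03-02 10:15:40 mobile-app POST /pay body={"pan":"5500000000000004","cvv":"777"}',
    "2014-03-02 10:16:01 order 1234567890123456 shipped",  # 16 digits but fails Luhn: not a PAN
]

# 13 to 19 digits, optionally separated by spaces or hyphens (how callers read cards out).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV/CVC/CSC label followed by up to three punctuation chars and 3-4 digits (field name assumed).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)\b(\W{0,3})(\d{3,4})")


def luhn_ok(digits: str) -> bool:
    """Luhn check: true for a syntactically valid card number, false for a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_digits: str) -> str:
    """Mask a PAN as PCI DSS Requirement 3.3 allows: first six and last four digits at most."""
    return pan_digits[:6] + "*" * (len(pan_digits) - 10) + pan_digits[-4:]


def redact_line(line: str):
    """Return the line with PANs masked and CVVs removed, plus a list of what was found."""
    findings = []

    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # looks like a card number but is not one: leave it alone
        masked = mask_pan(digits)
        findings.append(("PAN", masked))
        return masked

    def cvv_sub(m):
        findings.append(("CVV", "removed"))
        # keep the label and punctuation so the line stays readable, drop the value entirely:
        # a CVV must never be retained after authorisation (Requirement 3.2)
        return m.group(1) + m.group(2) + "[removed]"

    out = PAN_RE.sub(pan_sub, line)
    out = CVV_RE.sub(cvv_sub, out)
    return out, findings


def scan(lines):
    """Redact every line; returns a list of (redacted_line, findings) pairs."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for redacted, findings in scan(SAMPLE_LINES):
        print(redacted, findings)
```

Run it over real exports of call-centre notes or application logs and any non-empty findings list marks a place where cardholder data has reached a front-end system that PCI DSS never intended to hold it; the Luhn check keeps order numbers and timestamps out of the results.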

It is important to remember that PCI DSS is not only a job for IT. IT is responsible for implementing the technical and operational controls of the PCI environment, but compliance itself does not belong to IT alone. This makes PCI DSS implementation a project that involves people from different departments working as a multi-disciplinary team. PCI DSS is a business issue, and we need to make sure we design policies and procedures that address each group of users (from the front end through to the technical systems) and each type of card payment.

As we can see, there will always be some doubt about the safety of PCI DSS. However, the standard keeps being revised, and hopefully future versions will improve on it. Even with its imperfections, PCI DSS is still believed to be capable of protecting cardholder data for now.