
PCI DSS - Why it Matters to Payment Schemes and Fintechs

Dec 01, 2020   •   Source: Proshare

Tuesday, December 01, 2020 / 01:50PM / by Oluwapelumi C. Omoniyi of AELEX / Header Image Credit: AELEX

The Curtain-Raiser

In this age of the Internet of Things, paying for goods and services is frequently done with the use of payment cards. Whether you are swiping, inserting or placing your card on a scanner, payment cards have transformed the way we transact business. Vendors or merchants who accept payment cards usually enter into contracts with payment processors and banks for the processing of payments through their channels. One of the key conditions in these contracts is that the vendor/merchant must be compliant with the Payment Card Industry Data Security Standards ("PCI DSS").

The question that logically follows is: what is the PCI DSS? In this article we explain what the PCI DSS is, the requirements that must be met to comply with the standards, and the consequences of breaching the PCI DSS.

 

 

What is the PCI DSS?

The PCI DSS are the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions[1]. It is a unified set of security requirements aimed at keeping cardholder data secure from data breaches and financial fraud[2].

 

The PCI DSS are set by the Payment Card Industry Security Standards Council ("PCI SSC"), founded by American Express, Discover, JCB International, MasterCard and Visa Inc., and they assist merchants and financial institutions to achieve the following:

a.     understand and implement standards for security policies;

b.     understand technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data; and

c.     understand and implement standards for creating secure payment solutions[3].


Who does it apply to?

The PCI DSS is applicable to every entity that processes or accepts payment cards. It also applies to entities that store, transmit or process cardholder data or authentication data, such as Know Your Customer data for cardholders[4]. There is no exception to its application, as even merchants who process small volumes of transactions are expected to comply with the standards.

 

There have been arguments that since the PCI DSS is not a legal obligation or legal requirement, compliance should be optional. However, as stated earlier in this article, vendors are required to comply with all their contractual obligations, including fulfilling any obligations related to the PCI DSS. Furthermore, complying with the PCI DSS signals that the entity has exercised reasonable care in performing its functions and can be used as a strong defence should allegations of data breaches be levied against the organisation.

 

In Nigeria, the Central Bank of Nigeria ("CBN") makes compliance with the PCI DSS mandatory. The Guidelines on Operations of Electronic Payment Channels in Nigeria stipulate that all industry stakeholders who process and/or store cardholder information shall ensure that their applications and processing systems comply with the minimum requirements and standards, the minimum standard being PCI DSS certification[5].

 

PCI DSS Requirements

ThePCI DSS is divided into 6 goals and an entity must achieve each goal to be PCIDSS compliant. In order to realize the goals, 12 requirements must be met.

 

1.     Implement Strong Access Control Measures

   a.     Restrict access to cardholder data. Access to data should be on a business need-to-know basis.

   b.     Restrict physical access to cardholder data.

   c.     Assign a unique ID to each person who has computer access to cardholder data.

2.     Maintain a Vulnerability Management Program

   a.     Use anti-virus or anti-malware software, and keep it as up to date as possible.

   b.     Develop and maintain secure systems and applications.

3.     Build and Maintain a Secure Network

   a.     Install and maintain firewalls to protect cardholder data.

   b.     Do not use third-party system passwords or vendor-supplied defaults for system passwords and other security parameters.

4.     Regularly Monitor and Test Networks

   a.     Track and monitor all access to network resources and cardholder data.

   b.     Regularly test security systems and processes.

5.     Protect Cardholder Data

   a.     Protect stored cardholder data.

   b.     Encrypt transmission of cardholder data across open, public networks.

6.     Maintain an Information Security Policy

   a.     Maintain a policy that addresses information security for employees and contractors.

[6]
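As an added illustration of goals 4 and 5 in the list above (monitoring access to cardholder data and protecting stored cardholder data), the Python script below is not part of the original article or of the PCI SSC's own material. It scans constructed sample log lines for primary account numbers (PANs) written in clear, uses the Luhn checksum to tell card numbers apart from ordinary order or reference numbers of the same length, and masks any it finds to the first six and last four digits, which is the most that PCI DSS v3.2.1 (Requirement 3.3, the version current when this article was written) permits to be displayed. The log lines and the card numbers in them are constructed test data; the function and variable names are the author's own choices.

```python
import re

# Constructed sample log lines for this example only. The card numbers are
# publicly known payment-brand TEST numbers (they pass the Luhn check but
# are not live accounts); nothing here comes from a real system.
SAMPLE_LOGS = [
    "2020-12-01 13:50:01 INFO checkout ok card=4111111111111111 amount=1500",
    "2020-12-01 13:50:02 INFO checkout ok card=411111******1111 amount=2000",
    "2020-12-01 13:50:03 DEBUG payload=5555555555554444",
    "2020-12-01 13:50:04 INFO txn ref=1234567890123456 status=ok",
]

# Candidate PANs are 13 to 19 contiguous digits (the length range used by the
# major card brands); the Luhn check below weeds out most order and reference
# numbers that merely happen to be that long.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN, keeping only the first six and last four digits.

    That is the most PCI DSS v3.2.1 Requirement 3.3 permits to be displayed;
    the middle digits are replaced with asterisks."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in clear.

    Line numbers are 1-based. Only the masked form is returned so that the
    report itself does not become another copy of cardholder data."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((n, mask_pan(m.group())))
    return hits


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(),
        line,
    )


if __name__ == "__main__":
    for n, masked in find_unmasked_pans(SAMPLE_LOGS):
        print(f"line {n}: unmasked PAN found ({masked})")
    for line in SAMPLE_LOGS:
        print(redact_line(line))
```

Run against the sample, lines 1 and 3 are reported (the DEBUG line is the classic case of a full PAN leaking into application logs), line 2 is already masked and passes, and line 4 is a 16-digit reference number that fails the Luhn check and is correctly left alone. A check like this is useful in a log pipeline precisely because logs and backups are where stored cardholder data tends to accumulate unnoticed.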

The PCI SSC does not itself enforce compliance with the goals and requirements; compliance is usually enforced through contracts with payment processors and banks, as stated earlier in this article. However, the PCI SSC recommends a three-step process for compliance[7], and even has accredited assessors who can assess whether an entity is compliant with the standards.

 

Where an entity cannot afford to hire an assessor, the PCI SSC has self-assessment forms and procedures for organisations and companies that want to implement the standards.

 

The PCI SSC recommends that entities should not treat compliance as an annual event; rather, they should monitor compliance continuously to maximise the security of the cardholder data the entity possesses[8]. In Nigeria, non-compliance with the PCI DSS will attract appropriate sanctions from the CBN[9]. Therefore, to avoid such penalties, merchants and entities should ensure they are compliant with the standards.

 

Consequences of Breaching the PCI DSS

Though some countries are considering giving the standards the force of law (Nigeria's CBN has already made compliance mandatory), there are also other consequences that push entities into obeying the requirements of the standards, and they include the following:

 

Fines: Major payment processors or card schemes like MasterCard or Visa have a schedule of fines that are meted out to entities that are non-compliant with the PCI DSS. Some contracts that the payment card brands have with entities that process cardholder data even specify that a fine can be imposed where it seems that a breach is likely to occur. Also, non-compliance or a breach of the standards in Nigeria will attract fines from the CBN.

 

Costs: Where a data breach occurs, the contract the entity entered into with a payment card brand or bank may stipulate that the company or organisation must carry out an audit to investigate whether or not it is PCI DSS compliant. Such investigations are quite expensive, and small merchants may suffer a huge loss due to the investigative costs. Also, entities can incur hardening and demonstration costs after a data breach, as the contracts or agreements will most likely impose an obligation on them to report, engage and show how they have rectified the data breach.

 

Conclusion

All entities that handle cardholder data should be aware of the PCI DSS and strive to be compliant with the standards. The benefit of complying with the standards outweighs the consequences of breaching them. Entities should limit their liability for data breaches as much as possible by complying with the PCI DSS and treating that compliance as a measure of how responsibly they handle all cardholder data they store or process.

 

 Proshare Nigeria Pvt. Ltd.

Footnotes

1.     https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security. Accessed 11 November 2020.

2.     https://www.lexology.com/library/detail.aspx?g=6c3deb36-5832-4e2c-80a0-c25f97d39a9a. Accessed 11 November 2020.

3.     https://www.pcisecuritystandards.org/pci_security/. Accessed 11 November 2020.

4.     https://www.lexology.com/library/detail.aspx?g=94f604cc-acac-4d26-ac74-b9e329db1067. Accessed 11 November 2020.

5.     Paragraph 3.2 of the Guidelines on Operations of Electronic Payment Channels in Nigeria.

6.     https://www.pcisecuritystandards.org/merchants/process. Accessed 12 November 2020. For a more detailed version of the goals and the requirements of the PCI DSS see the current version of the Standards here.

7.     https://www.pcisecuritystandards.org/pci_security/how. Accessed 12 November 2020.

8.     https://www.pcisecuritystandards.org/pci_security/how. Accessed 12 November 2020.

9.     Paragraph 4.10 of the Guidelines on Operations of Electronic Payment Channels in Nigeria.

