A major PCI-related deadline came and went on the 1st of October, and many PCI/PA DSS compliant people may not have even felt it fly past. In fact, most merchants were not even aware of the details, even though they’ve been given an entire year to get up to speed.
It is known as “Phase III” of the PA DSS compliance mandates, and it is the first major push to get Level 3 and 4 merchants to wake up to the importance of PCI. Like other PCI-related mandates, the push for compliance is being driven by Visa, through all of the card acquirers.
This new push requires that card acquirers not board (i.e., sign up) any new merchants that are not EITHER PCI compliant OR running PA DSS compliant payment applications. This is designed to stop merchants from switching from “tough” to “easy” acquirers, among other objectives.
What does this mean for application developers and merchants? Merchants have two options (as stated above): either be PCI DSS compliant or run an application that is certified as PA DSS compliant.
Complying with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping payment card data secure. The size of your business determines the specific compliance requirements that must be met; however, all levels share the same basic set of requirements: make sure that data will not escape the corporate network unless it is specifically required to, make sure that employees are trusted, and log everything.
From the world’s largest corporations to small Internet stores, everyone is required to comply. Fines are even issued to organisations that do not comply! There is a whole list of things being added to the requirements for passing PCI DSS compliance, including ensuring that access is restricted by secure PIN Entry Devices (PEDs). PCI hell is only going to get bigger in the coming years! Watch this space.