What is PCI DSS?
To increase controls around cardholder data and help prevent payment card fraud, the major card brands set up the Payment Card Industry Security Standards Council (PCI SSC), which maintains a single standard for everyone who stores, processes or transmits card data: the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS divides payment card data into two groups:
- Cardholder data, such as the primary account number (PAN), cardholder name and expiry date. This may be stored, but only when needed and only with the protections the standard requires (encryption or truncation of the PAN, access controls, logging).
- Sensitive authentication data, specifically the printed security code (CAV2/CVC2/CVV2/CID), the full magnetic stripe or chip track data, and PINs or PIN blocks.
Any business or organisation that takes card payments over the telephone and records those calls is directly affected by Requirement 3.2 of PCI DSS (Requirement 3.3 in PCI DSS v4.0). It states that sensitive authentication data must not be stored after a transaction has been authorised, in any format, even if encrypted. A call recording that captures the caller reading out the card security code is stored sensitive authentication data, so the requirement applies to contact centres that record calls just as it does to databases and log files.
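The check a practitioner wants for this requirement is a scan of what is actually retained (call transcripts, application logs, database exports) for the data the requirement forbids keeping. The Python below is an added example and is not code from the original page: it finds Luhn-valid primary account numbers, raw magnetic stripe track 2 data, and a 3-4 digit security code read out shortly after a PAN, and masks each PAN in the report so the scanner itself does not reproduce the data it is looking for. The sample transcript and log line are constructed, use only the card brands' published test numbers, and together with the regular expressions and the line window are assumptions for illustration.

```python
"""Scan retained text for payment card data that PCI DSS forbids storing
after authorisation (sensitive authentication data) and for unmasked PANs.

Added example, not code from the original page. Sample inputs are
constructed and use published test card numbers (assumption: no real data).
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits with optional single space/dash separators,
# not embedded in a longer digit run. Luhn filtering below removes most
# order numbers and reference numbers that happen to have the same shape.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Standalone 3-4 digit token: the shape of a CVV2/CVC2/CID read out by a caller.
SEC_CODE_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")

# Raw track 2 data as it appears in swipe logs: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\??")

# Constructed sample call transcript (assumption). 4111 1111 1111 1111 is the
# Visa test PAN; the "order reference" on the last line is not Luhn-valid.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I take the long number across the front of the card?",
    "Caller: It's 4111 1111 1111 1111",
    "Agent: And the expiry date?",
    "Caller: 12/27",
    "Agent: Lastly the three digits on the signature strip?",
    "Caller: 123",
    "Agent: Thank you, the payment has been authorised. Your order reference is 1234 5678 9012 3456.",
]

# Constructed sample POS log (assumption) containing full track 2 data.
# 5105105105105100 is the Mastercard test PAN.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z POS01 swipe raw=;5105105105105100=27121010000000000?",
    "2024-03-01T10:15:03Z POS01 auth approved code=A1B2C3",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """Return the digit strings of Luhn-valid PAN candidates found in a line."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits so the report is itself not cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines: List[str], window: int = 5) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, evidence) tuples.

    Finding types: TRACK2 (full magnetic stripe data), PAN (account number
    stored in clear), SECURITY_CODE (3-4 digit code read out within `window`
    lines after a PAN, which is how a recorded call stores a CVV2).
    """
    findings = []
    for i, line in enumerate(lines):
        track = TRACK2_RE.search(line)
        if track:
            # Full track data is the most serious finding; it also contains the PAN.
            findings.append((i + 1, "TRACK2", mask_pan(track.group(1))))
            continue
        pans = find_pans(line)
        for pan in pans:
            findings.append((i + 1, "PAN", mask_pan(pan)))
        if pans:
            # A standalone 3-4 digit token shortly after the PAN is treated as
            # the security code; the PAN line itself is skipped, as its
            # four-digit groups would otherwise match.
            for j in range(i + 1, min(i + 1 + window, len(lines))):
                if SEC_CODE_RE.search(lines[j]) and not find_pans(lines[j]):
                    findings.append((j + 1, "SECURITY_CODE",
                                     f"3-4 digit code within {window} lines of the PAN on line {i + 1}"))
                    break
    return findings


if __name__ == "__main__":
    for name, lines in (("transcript", SAMPLE_TRANSCRIPT), ("log", SAMPLE_LOG)):
        for line_no, kind, evidence in scan(lines):
            print(f"{name}: line {line_no}: {kind}: {evidence}")
```

Running the block reports the PAN on line 2 and the security code on line 6 of the transcript, and the track 2 data on line 1 of the log, while the non-Luhn order reference is ignored. The security-code rule is a proximity heuristic: a year or an extension number within a few lines of a PAN will also be flagged, so treat its output as a queue for review rather than a verdict. Scanning retained data confirms whether the control holds; it does not replace keeping the code out of the recording in the first place.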
The Implications of a Breach
PCI DSS compliance is a contractual obligation imposed through the card brands and acquiring banks rather than a statutory one, but the threat of fines for non-compliance and the high cost of a breach are firm drivers for organisations to invest in reviewing their processes:
- Average cost per compromised record is £133
- Average cost of a breach event is £4.5 million
- Non-compliance cost is an average of 2.65 times the cost of compliance
- Breaches also bring business disruption, reduced productivity, fees and penalties, and other legal and non-legal settlement costs
Find out more about how PCI DSS affects your business or organisation.