Five years of experience in the secure payments industry has taught me that accreditations matter. Retailers need to take action and apply for accreditations, as they act as a mark of quality for your business, reassuring customers that they are transacting with a trusted company that provides a high-quality service or product. This principle applies across many industry sectors and disciplines, from buying chicken in the supermarket and looking for the ‘Red Tractor’ logo on the packaging, to selecting an interview candidate with an industry-recognised qualification.
In the payments sector, a variety of accreditations exist to reassure customers that their sensitive information is not at risk of being stolen and used fraudulently. For software and service vendors, most involve a lengthy and in-depth process that assesses the security of many elements of a business, such as its people, management systems, software and hardware. While few people would volunteer to subject themselves to extra scrutiny without good reason, within the payments industry customer confidence is essential because of the sensitive credit and/or debit card information being handled. Any vendor who does go the extra mile to achieve accreditations shows their commitment to secure systems and customer satisfaction.
With so many highly publicised security breaches in the past 18 months involving customer card data, the additional reassurance that accreditation brings is more important than ever. Our own research has shown that 86% of people would shun a brand that had suffered a data breach, causing lasting damage to the brand’s reputation as well as hitting sales. Accreditations tell customers that they can trust you with their sensitive information, ultimately benefiting your brand by building a loyal and growing customer base.
Below are a few of the key accreditations that you should be adopting for your own organisation if you are in the payments industry – or looking out for as a customer:
PCI DSS
Now established worldwide, this is the over-arching standard brought in by the card companies to guard against card fraud. Any organisation that handles customers’ credit or debit card information needs to be assessed against the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a requirement set by the Payment Card Industry Security Standards Council (PCI SSC) to help handle the ever-increasing volume of card transactions and, with it, the growing risk and sophistication of card fraud. PCI DSS assessment takes two forms depending on the number of transactions the business handles. The first is an assessment by an external Qualified Security Assessor (QSA). This applies to organisations that handle over 6 million card transactions a year. It includes a Report on Compliance for the organisation, which outlines the merchant’s assessment methodology and records their compliance status. For smaller organisations handling under 6 million card transactions a year, PCI DSS compliance can be achieved by completing an annual Self-Assessment Questionnaire.
For organisations that have met the PCI standards, this certification ensures not only that the payment technology is secure, but also that internal processes such as holding card data or other sensitive customer information are kept safe. These processes cover the prevention of security incidents as well as their detection and appropriate response, providing added benefits for both the retailer and the customer.
Visa Merchant Agent
Being an approved Visa Merchant Agent confirms that an organisation has a secure and trusted payment system. If you are a business looking to outsource your payment handling, or a customer wanting to make sure you are dealing with a secure and trusted organisation, it is recommended that you check Visa’s official list of approved agents before dealing with them. Like the PCI DSS, the Visa Merchant Agent accreditation has two levels of validation procedure based on the number of transactions the vendor handles a year.
Level 1 applies to organisations that store, process and/or transmit over 300,000 Visa transactions a year. To achieve Level 1, an organisation requires an Attestation of Compliance (AOC) from a QSA. This is a document that declares the retailer’s compliance status against the PCI DSS requirements.
Level 2 applies to SMEs that handle under 300,000 Visa transactions a year and is achieved by completing an annual self-assessment survey.
PA DSS
The Payment Application Data Security Standard (PA DSS) regulations aim to prevent payment applications from storing sensitive card data and also require that vendors’ solutions are in line with PCI DSS, adding another layer of security standard to your business. Complying with PA DSS regulations is an essential part of delivering the highest level of security to customers.
ISO27001
ISO27001 is an annually audited accreditation published by the International Organization for Standardization (ISO) as the international standard for Information Security Management. It is a time-consuming and costly process; however, the benefits are second to none, demonstrating that an organisation that handles payments or sensitive information runs a secure service. The accreditation means that a firm meets regulatory compliance in all aspects of IT governance, information handling, data protection and privacy – meaning that your company and employees will be working to recognised security ‘best practices’. With the rise in UK businesses achieving ISO27001, non-certified businesses are increasingly at a disadvantage.
Recently there has been an increase in the number of businesses volunteering for accreditations as they recognise the benefits. As more businesses choose to become accredited, those that are not may get pushed aside and beaten by more trusted competitors. That doesn’t mean you should apply for every accreditation going. Achieving these industry recognitions can be a long process; therefore it is important to take the time to decide which type of accreditation is right for your business and customers, to ensure that you are able to achieve the high standards the accreditation demands.