The enforcement of the data security standards that govern the payment card industry is beginning next month and experts believe that many UK businesses could face hefty fines as a result of non-compliance.
PCI DSS is being enforced by Visa from the start of July. As a result, the electronic point of sale (EPOS) systems and online retail sites operated by many of the smaller enterprises in the UK could come under scrutiny and be deemed inadequate under the new rules.
Larger businesses have until the end of September to ensure compliance with PCI DSS as the process of converting outdated systems is perceived to be lengthier and more complex within organisations of significant size.
Regulators have divided businesses into multiple tiers in order to separate those dealing with the most significant volume of transactions annually from those responsible for the least. The first tier businesses are the largest, with six million or more payment card transactions channelled through them annually, while the fourth tier enterprises handle fewer than 20,000.
Experts believe that Visa will start issuing fines to firms that have not ensured complete compliance as soon as the rules come into effect for that particular tier.
The acquirer will be fined by the payment card firm, and these fines and associated costs will be passed on to the non-compliant business, according to Barclaycard’s head of security, Neira Jones.
Smaller firms from tiers two to four are encouraged to ensure complete PCI DSS compliance, because any breach will not only result in direct fines but may also move them up the pile to be considered alongside tier one firms and their associated charges, which could have a long-lasting impact, according to data security expert Mathieu Gorge.
Some believe that smaller firms are being penalised under the new system, with security advisor John Walker suggesting that the limited understanding and explanation of PCI DSS rules to lower tier UK businesses could result in fines and poor treatment for those who unwittingly break the new regulations.