Payments technology expert Rob Crutchington argues that a lack of consumer awareness about card security measures is harming consumer confidence
If you were to ask shoppers in the street to name an online payment protection process the chances are they would know about Verified by Visa, 3D Secure, Mastercard SecureCode or even Safekey from American Express but most would draw a blank at the mention of payment card industry (PCI) regulations.
But Rob Crutchington, director of telephone and interactive voice recognition (IVR) payment technology provider Encoded
, asks why this consumer ignorance exists and why it doesn’t come as a surprise?
The Payment Card Industry Data Security Standard
(PCI DSS) was created by Visa, MasterCard, JBC, Discover and American Express and is made up of 12 requirements designed to secure business systems that store, process or transmit card holder data and is meant to protect consumers and merchants against security breaches.
But, Crutchington questioned: "Beyond the payment industry including merchants, suppliers, acquirers, Visa and Mastercard, what does it really mean to people and why aren’t consumers aware of its importance?"
Customers need confidence
He said that, for customers to transact with an organisation either via a contact centre or online they need to be confident that their payment cards will not be compromised, their personal details are secure and their identities cannot be stolen. "By complying with PCI DSS, merchants and service providers meet their obligations to the payment system and build a culture of security that benefits everyone," he added. "However, not enough is being done to advertise this fact."
In the event of a loss of data or cards being used fraudulently, fines are passed down the chain from Visa and MasterCard at the top to the merchant/retailer at the bottom. The consumer does not suffer financially as measures are in place and assurances given to prevent this happening.
Crutchington continued: "The fact remains that something has gone wrong and individuals will be inconvenienced and could suffer from emotional stress at the thought of their details being stolen and used fraudulently. In time this could lead to a reduction in customer confidence in both the method of payment and a reduction in confidence of the retailer who caused the problem.
"Surely, all those involved in the card payment industry, including merchant acquirers have a duty of care to improve public awareness. This in turn would benefit consumers as card processing, security and compliance, fraud, fines and penalties are all part of the ‘retail cost structure’ which can lead to increased prices."
He commented that some merchant acquirer companies have started to levy a surcharge on suppliers and merchant organisations that are not PCI compliant to encourage them to go through the full process of compliance. "This can be an expensive exercise because, to achieve the top level of compliance, Level 1, an Attestation of Compliance (AOC) is needed, which must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance," he explained. "QSAs cost money and have very exacting standards. But do the benefits outweigh the costs and time involved?"
Matthew Tyler, QSA and chief executive at UK web hosting company Blackfoot
believes so. “Only greater public awareness will prove the real value of PCI DSS and lead to reduced fines and improved security," he commented. "People will ultimately choose to transact with those organisations they have confidence in and they know are PCI compliant.”
Greater public awareness
To achieve this greater awareness some of the money paid in fines and surcharges should be used to promote the advantages of dealing with PCI compliant operations, according to Crutchington. "Once card holders have a greater knowledge and know what questions to ask of their merchants and the payment system as a whole, the benefits will become apparent."
His argument follows that, if the public had a clearer understanding of the importance of PCI DSS, people would only purchase from those organisations that demonstrate full PCI compliance, therefore reducing the instances of lost data and fraudulent activities. The welcome result of this would be fewer fines, lower prices and less sleepless nights worrying about security.
"To my mind it is simple – use the money raised in fines and levies to promote the relevance of PCI DSS so that customers look out for the PCI sign when making a purchase and paying by card. This will benefit everyone, improve security and raise the profile of PCI DSS to level it deserves," he concluded.