All firms that handle card data must comply with PCI DSS. While many choose to take an independent route, is it the best way? Ross Macmillan, head of research and intelligence at allpay, reports on a new, market-tested framework option that – crucially – is open to all
Freedom-of-information requests sent to local authorities last year by the Card Processing Advisory Service (CPRAS) revealed that more than 65% are not fully Payment Card Industry Data Security Standard (PCI DSS)-compliant.
As a result, many local authorities are paying significantly higher rates with merchant acquirers because of the risk.
Any organisation that processes, stores or transmits credit card information must adhere to the PCI DSS. These standards are designed to maintain a secure payments environment.
By becoming PCI DSS-compliant, organisations such as local authorities and central government can preserve customer trust, ensure compliance, reduce costs and, more importantly, reduce risk.
The UK Cards Association stipulates that, should a business lose card data and not be PCI DSS-compliant, it faces non-compliance fines and the operational costs associated with replacing accounts, as well as liability for any fraud losses.
Many organisations seek compliance independently, but there is an easier, cheaper and market-tested option available via a recently OJEU-procured framework that offers services from suppliers who are already PCI DSS-compliant.
A new payment services framework (PSF), led by Shropshire Council and managed by the CPRAS, launched this year following a rigorous procurement exercise to appoint suppliers, who were measured against hundreds of criteria in a competitive due diligence process lasting several months.
As a payments supplier awarded a place on the framework, allpay is leading by example, providing a suite of secure and compliant debit and credit card payment solutions to cater for every need.
Security is a priority for organisations, and joining the framework is a proven, time- and cost-effective decision that protects both an organisation and the bill payer, enabling payment transactions to take place legitimately and safely.
Accessible to local authorities and the wider public sector, including central government, the four-year framework completely de-scopes organisations from PCI DSS compliance, preserving the trust of the bill payer and removing the risk and cost of maintaining compliance internally.
For any council that is not PCI DSS-compliant, the framework provides a range of services allowing it to achieve compliance with minimal overheads.
For those that are already compliant, the framework service package dramatically cuts the burden of maintaining compliance, with market-leading transaction rates.
In either case, the framework is achieving 30% cost savings for organisations and eliminating the time and cost of a full public procurement, which can cost up to £20,000.
In contrast, becoming PCI DSS-compliant independently – and achieving ongoing compliance – can often be an onerous and complex process, incurring high costs and using valuable staff time that could be invested more effectively elsewhere. In fact, if organisations are not outsourcing compliance to a third party, it’s quite common for them to employ up to two full-time equivalents to manage the ongoing compliance duties.
By joining the framework, organisations have a clear route to achieving PCI DSS compliance that saves time and money by providing ready-sourced, market-tested solutions at competitive prices.
Calling off the framework and outsourcing compliance to trusted payment suppliers also enables organisations to stay on top of continually changing PCI DSS compliance requirements. Organisations can therefore focus their attention on customer satisfaction, while the process of securing and maintaining compliance is dealt with externally by a payments specialist.
The findings by the CPRAS are concerning, and with so many local authorities still not meeting compliance standards, it’s essential to raise awareness of the benefits of subscribing to a framework like the PSF, not only for the financial savings but also to preserve the trust of customers and minimise ongoing risk.