#creditcards

Every day there are thousands of credit card transactions that occur around the world. But have you ever wondered how the transactional process works for transferring credit card funds? I have. I have always been fascinated by the mechanics of how our credit cards transact and talk to each other. So, off I went in search of further understanding of the geometrics of the payment card industry (PCI) and understanding the importance of this.

In all honesty, compliance does not excite us at all, although it definitely plays an important role in our security world. I interviewed Jay Hira, who has an extensive background working with PCI and security compliance, to find out why.

What is a merchant?

The technical term: a merchant is any business that maintains a merchant account that enables them to accept credit or debit cards as payment from customers (cardholders) for goods or services that they provide. I like to think of it as you are David Jones (the merchant) selling clothes and shoes to consumers who buy them on their Amex cards.

How does the transactional flow work?

Imagine you are a consumer and you present your MasterCard issued by ANZ to the merchant (David Jones) at the CBA point of sale (POS) to buy a new pair of shoes. After you tap your credit card on the terminal, your credit card details are sent to the acquiring bank, in this case ANZ. The acquiring bank, or processor, forwards the credit card details to the credit card network. The credit card network acts as a conduit between the two. The credit card network requests payment authorisation from the issuing bank. The issuing bank sends an approval back to the credit card network, confirming that funds are available. The credit card network sends a ‘thumbs up’ to the acquiring bank. At that point in time, you see ‘Approved’ on the POS terminal. Off you go with your new pair of shoes!

Who enforces the merchants?

The PCI Security Standards Council (SSC) develops and regulates the standards; the not-so-fun stuff, but still very important. The council is formed by the card brands, including VISA, MasterCard, American Express, Discover and JCB, who create and set the PCI Data Security Standards (DSS). The banks are then responsible for enforcing the standards amongst their merchants, as well as reporting on a regular basis to the card brands on the status of compliance.

PCI DSS is a set of requirements designed to ensure that the cardholder data is transmitted, processed and stored in a secure manner. Any merchant that accepts, processes or transmits cardholder data must comply with PCI DSS requirements. This helps to keep cardholders safe from any malicious interference.

What happens if merchants fail to be compliant?

Any merchant who fails to comply with PCI DSS is at risk of potentially having a major data breach. The risk increases depending on the number of transactions the merchant makes per annum. There are also other repercussions of non-compliance, which include higher interchange fees charged by banks or even loss of merchant accounts and fines due to failure to comply.

Why is PCI important?

As a merchant, you want to ensure you are engendering trust with your clients. You do not want your company on the front page of the newspaper because your clients' credit card details have been breached and have permeated around the globe. A breach inconveniences consumers, who then have to go and renew their credit cards. It may also damage your brand's reputation, marking you as the untrusted merchant.

As part of working within the cybersecurity market, it is crucial to uphold your company’s integrity, security posture and confidentiality to help protect your clients and ensure their trust is sustained.

The next time you are shopping at David Jones you will understand the importance of PCI and you will have some insight into how the transactional flow operates and why PCI exists.

 

Karissa Breen is currently working as a BDM for Green Light, an IT service provider, and has a background in Cyber Security, having consulted to financial institutions. Karissa publishes her own IT blog.