Angela K. Hipsher and Craig D. Sullivan, Crowe Horwath

PCI Compliance: The Risks Banks Can Miss

Banks that outsource merchant services typically have given little thought to PCI compliance -- but times are changing, and all banks need to start taking action now to manage their risks related to payment cards.

When it comes to safeguarding credit cardholders' data, some financial institutions have fallen down on the job and failed to implement and maintain effective risk programs that comply with the data security standards of the Payment Card Industry (PCI). This failure often stems from the institutions' lack of understanding of how their operations fall within the scope of the standards.

The keystone of the PCI standards is the Data Security Standard (DSS), developed to enhance cardholder data security and facilitate globally consistent data security measures. The standard establishes 12 technical and operational requirements and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data.

Card brands have focused primarily on PCI compliance efforts of the banks with direct connections to the card brands, service providers and merchants, but have devoted much less attention to the compliance efforts, or lack of efforts, of the banks not connected directly to the card network. Likewise, card issuers and banks that outsource merchant services typically have given little thought to PCI compliance.

A bank's management team might believe the standards don't apply because the bank owns the data related to the cards it issues. However, every bank that issues credit cards is a member of a card association, and members are contractually obligated to follow the operating rules defined by the association -- rules that specifically require compliance with PCI DSS and other standards that govern the security and handling of card and PIN data.

Until recently, regulators have had little to say about PCI compliance. However, the Information Technology Examination Handbook, published by the Federal Financial Institutions Examination Council (FFIEC), addresses retail payment systems and cautions participating banks about their responsibilities regarding PCI compliance. For example, the handbook notes that credit card associations require acquiring banks to verify that their merchants and third-party service providers comply with the DSS. Card associations also require issuing banks that use third-party service providers for transaction processing to confirm that the providers are in compliance. In addition, the FDIC recently released revised guidance on performing due diligence on these payment processors that suggests banks failing to adequately manage these relationships might be viewed as facilitating fraudulent activity and could be held liable.
