Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Compliance

Angela K. Hipsher and Craig D. Sullivan, Crowe Horwath
Commentary

PCI Compliance: The Risks Banks Can Miss

Banks that outsource merchant services typically have given little thought to PCI compliance -- but times are changing, and all banks need to start taking action now to manage their risks related to payment cards.

When it comes to safeguarding credit cardholders' data, some financial institutions have fallen down on the job and failed to implement and maintain effective risk programs that comply with the data security standards of the Payment Card Industry (PCI). This failure often stems from the institutions' lack of understanding of how their operations fall within the scope of the standards.

The keystone of the PCI standards is the Data Security Standard (DSS), developed to enhance cardholder data security and facilitate globally consistent data security measures. The standard establishes 12 technical and operational requirements and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data.

Card brands have focused primarily on PCI compliance efforts of the banks with direct connections to the card brands, service providers and merchants, but have devoted much less attention to the compliance efforts, or lack of efforts, of the banks not connected directly to the card network. Likewise, card issuers and banks that outsource merchant services typically have given little thought to PCI compliance.

A bank's management team might believe the standards don't apply because the bank owns the data related to the cards it issues. However, every bank that issues credit cards is a member of a card association, and members are contractually obligated to follow the operating rules defined by the association -- rules that specifically require compliance with PCI DSS and other standards that govern the security and handling of card and PIN data.

Until recently, regulators have had little to say about PCI compliance. However, the Information Technology Examination Handbook, published by the Federal Financial Institutions Examination Council (FFIEC), addresses retail payment systems and cautions participating banks about their responsibilities regarding PCI compliance. For example, the handbook notes that credit card associations require acquiring banks to verify that their merchants and third-party service providers comply with the DSS. Card associations also require issuing banks that use third-party service providers for transaction processing to confirm that the providers are in compliance. In addition, the FDIC recently released revised guidance on performing due diligence on these payment processors that suggests banks failing to adequately manage these relationships might be viewed as facilitating fraudulent activity and could be held liable.
