As words go, ‘compliance’ has such soft connotations. Yet in the retail world, it’s often at a cost. Rachel Morrison got in touch from her Pitton Post Office and Store in Salisbury to ask whether having to fork out another £30 a year to card processor Streamline to prove her security methods and data protection were up to spec was just another way of twisting money out of her. What were these new rules?
It seems that the Payment Card Industry Data Security Standards (PCI DSS for short) requires assurance that merchants must be certified as compliant. Streamline was offering Rachel the services of its approved Qualified Security Assessor called Trustwave, for £30.
Two things occurred to Rachel. One, she runs a post office which annually tests on security and data protection, and two, she does not like the idea of feeding data into her computer. Streamline, whom Rachel pursued for a couple of weeks for a solution to her second point, said it could be done verbally with an assessor for an extra £20.
She is still pursuing the Post Office to see whether its annual test would measure up, but the UK Cards Association spokeswoman told me that she doubted it as it wouldn’t cover merchant acquirer compliance at the till.
She added that the compliance checks are there to secure retailers from fraud.
I said, so, the penalty of £30+ per annum is to prevent further penalties in case things go wrong? Pretty much, she agreed.
We both thought that there is much confusion (the pair of us certainly were while trying to distinguish processors from merchants from acquirers and all other jargon) and she added that it didn’t help that the council globally in charge was in America.
I’d like to hear from other ‘merchants’ about their experience with compliance. Any acceptable DIY methods or cheaper schemes?