This will be the sixth time I have written about the snappily-titled Payment Card Industry Data Security Standard (PCI DSS). But clearly some retailers still wonder whether it is a con. Yes, it’s a proper stitch-up - but an official one, so there’s no way around it. Mohammad Rafi, who runs Stevie’s Supersave outside Glasgow, started taking credit cards a few months ago and wanted to know what it was all about.
In a nutshell, retailers need to prove that their security methods and data protection are up to spec and certified as compliant. For a fee. And it’s really nothing to do with retailers protecting themselves; it’s actually protecting the banks.
My research led me to card swipe machine provider 3-R. One of its directors, Paul Wootten, who has a degree in compliance from the University of Johannesburg in South Africa, helped to build the system in the first place, to prevent money laundering on a global scale.
But now it has been appropriated by the greedy financial sector.
His analysis is worth repeating: “The banks provide the device and software and then charge the client. When the client prints a receipt it only has the last four digits on it, but the banks break their own rules when they send the statement to the retailer because they provide the full details so the retailer must be PCI compliant to protect the bank (in case those details get used in a fraudulent way).”
He called it “an absolute rip-off” and added that the banks could charge up to £70 a month in penalties if you don’t comply. He also reckoned there was a slush fund somewhere in the background.