With virtually all of the UK's SME merchants now being given access to acquiring-bank-sponsored PCI DSS self-validation portals, it is worth noting that recent changes could seriously expose those who simply 'tick boxes' in the hope that doing so will keep their acquirers off their back.
On the premise that 'actions speak louder than words', Foregenix is working with acquiring banks to protect SME merchants from the attacks most commonly used to steal personally identifiable information, including payment card details, the very data that PCI DSS exists to protect.
The technology within FGX-Web has been at the heart of many hundreds of PCI forensic investigations we have undertaken over recent years and is now available to be deployed proactively as an integral component of a PCI DSS merchant program.
The ability to 'comply' by simply ticking boxes has long been cited as the fundamental flaw in the otherwise sound principles behind PCI DSS. So, with this shift of emphasis in the way acquiring banks and their merchants will be penalised for 'account data compromises', the value of having more than just a compliant self-assessment certificate should no longer be underestimated.
This move to a risk-based model is further supported by the news that the card schemes have removed the non-compliance and non-progression fines for merchants. So, if you are not going to be fined for non-compliance, there is less incentive to become compliant in the first place. Equally, the fining mechanism for PCI data losses or breaches has also changed. Previously, there would have been an investigation followed by fines based on the number of live cards you held at the relevant point, at a set price per card. Now the card schemes say that if you have a breach, you will be fined for the aggregated losses associated with that breach or loss.