PCI DSS is a comprehensive set of criteria for enhancing the security of payment card customer account data. All major credit card companies stipulate compliance from any company that stores, processes or transmits such data, including card issuers and any third party they work with. Non-compliant organisations risk fines and the withdrawal of their entitlement to process credit card payments.
Lou Venezia, CEO of Adeptra, warns of the limitations of self-assessment: "Although not mandatory for companies processing less than six million payment card transactions annually, we believe the meticulousness of an external review is vital to give our clients total confidence about how we handle their customers' data. Card issuers using other auto-resolution providers could find that activities done in their name and involving their customers' data have not been tested to the same exacting standards as they themselves are required to achieve. Adeptra was the first auto-resolution company to achieve independently-assessed compliance with PCI DSS and, as of our last audit, we remain the only provider in our industry to have achieved this in both Europe and the US."
Adeptra began the process of validating its PCI DSS compliance in May 2006 with a programme of security reviews and enhancements in accordance with PCI DSS v1.1. Instead of self-assessment, it opted to undertake the more rigorous independent assessment by an external assessor, to ensure it would meet or exceed the standards expected of its clients. It became the first auto-resolution company to pass such an external review in November 2007 and, following a routine annual audit, Adeptra was re-validated as compliant as of December 2008. The company maintains vigilance through continually enforced procedures and policies, compliance management tools that support on-going vulnerability testing, and internal audits conducted at quarterly intervals.
Adrian Prim, Quality & Compliance Manager at Adeptra, said: "Payment card users justifiably expect that their account data is protected by robust security standards. Guidelines previously issued by individual payment card brands are now united within PCI DSS and they would deem it negligent for any organisation that handles customer data not to adhere to this industry requirement. As a mode of communication between issuers and card users, auto-resolution providers are subject to this obligation. Any security breach found to have occurred within a non-compliant provider would reflect very badly on them, and has potentially even more significant implications for the card issuers or other companies using such services."