Lots of organisations think they don’t need to worry about theft of credit card data. I don’t know why. Payment card data theft is now big business: the level of professionalism available in this industry includes the development of bespoke software supported by an extremely efficient helpdesk, and you don’t usually get this level of specialisation until an industry is starting to mature.
Apart from the interesting fact that darkside helpdesks appear to be more efficient than many over on this side, you have to wonder why every organisation that accepts payment card data isn’t already at least PCI DSS compliant. Why hasn’t the PCI Security Standards Council already come up with some form of ‘PCI DSS Compliant’ badge and certification scheme, so that paying customers can concentrate all their business on the websites and businesses of those organisations that have actually bothered to do what it takes to protect their cardholder data?
Some suppliers are being proactive in their support for PCI DSS compliant products and are publishing white papers suggesting the best way to be fully compliant for a particular technology. A Google search for ‘pci dss compliant recording’ will show a list of call recording products that are compliant and at least one white paper on the best way to guarantee call recording compliance.
A PCI DSS compliant badge would indicate that you have reasonable security based on the standard’s requirements. In that case the credit card companies and the PCI Security Council would have to share the liability; certification would make it pretty hard to push the liability onto just the merchant and the acquiring bank, which happens to be the case now.