Businesses that accept credit cards on their website are compelled to abide by the Payment Card Industry Data Security Standard (PCI DSS), a comprehensive set of requirements for the protection of payment card data, developed and maintained by the PCI Security Standards Council, which was founded by Visa, MasterCard, American Express, Discover and JCB.
PCI DSS gives businesses best-practice guidelines that establish a “minimum security standard”, so that customer personal details and credit card information are protected from theft. An entire industry has grown up around helping ecommerce site owners achieve PCI compliance. Compliance is not a one-off certificate: it includes ongoing testing procedures, put in place by the site owner, to verify that the way card data is handled and stored remains safe and secure.
Private companies that do not sell online but still collect sensitive personal details are expected to collect such information over an encrypted (SSL/TLS) connection and, in the UK, to register as a data controller with the Information Commissioner’s Office, so that the data in their possession is collected and stored safely and securely. There does not, however, seem to be a rigorous, proactive enforcement regime comparable to PCI DSS, which could partly explain what went wrong with the Parcelforce customer tracking system that was in the news recently.
It was reported that personal data, including the signatures of parcel recipients, had been exposed to people tracking deliveries on the Parcelforce website. A failure in the Parcelforce system allowed users of the parcel tracking service to see the name, postcode and signature of other Parcelforce customers. In security terms this is a broken access control: a lookup intended to show a customer their own delivery returned records the requester had no right to see. It clearly put Parcelforce at risk of breaching data protection rules.
Data Protection just like PCI DSS?
The Information Commissioner’s Office (ICO) stipulates that businesses have a responsibility to keep personal and sensitive information secure. “Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure,” said a spokeswoman for the ICO.
“Failure to protect personal details such as names, addresses and signatures could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence.”
The requirements of the ICO and of PCI DSS are not too dissimilar; the main practical difference is in enforcement. The card brands behind PCI DSS enforce compliance proactively and contractually, through the acquiring banks, on every merchant that processes their cards: merchants must validate compliance (self-assessment questionnaires and quarterly scans by an approved scanning vendor, with on-site assessments for the largest merchants) or face fines and, ultimately, loss of the ability to take card payments. ICO enforcement, by contrast, is largely reactive, typically following a complaint or a breach such as the Parcelforce incident, which gives organisations far less incentive to test their data handling before something goes wrong.