A Toronto-based IT services and infrastructure provider has announced compliance with Visa’s Tier 1 certification Payment Card Industry Data Security Standards (PCI DSS) to address the growing need of retailers looking for a secure IT infrastructure.
Fusepoint Managed Services said it serves a client base of mostly mid-sized to large enterprise-level customers – many of which process credit card data. George Kerns, president and CEO at Fusepoint, said giving its customers a PCI-compliant infrastructure is a crucial piece of the puzzle in credit card security.
“For us to be compliant allows our clients to be compliant, because we’re part of their supply chain, in a sense,” Kerns said. “We believe that going through this rigorous audit and certification process will certainly help us address our customers that need to have this level of certification in order for them to fulfill PCI obligations.”
Kerns said he hasn’t heard about any Canadian managed hosting providers certified by PCI. Many of his newer clients, he said, have told him about their struggles in finding an IT infrastructure provider qualified under PCI to handle Tier 1 transaction numbers. According to Kerns, Visa would not disclose whether other hosted providers in Canada were PCI compliant. Despite this, he maintains that Fusepoint is one of the very few that has stepped up to the plate.
“I would suspect that some other companies in our industry will address this if they want to continue processing transactions, because if not, their customers are going to be subject to whatever penalties they get,” Kerns said. “But right now, we don’t know that there are any others at this level.”
Under PCI-DSS, all companies that accept credit cards must comply with 12 security rules, which include maintaining a secure network via firewall, encryption of cardholder data and strong access control measures. The standard was developed by the major credit card companies in order to standardize credit card data protection. Prior to PCI-DSS, each card company had its own set of requirements. Visa Canada said compliance deadlines for its customers passed on December 31, 2005. Most of the other card company deadlines have also come and gone.
According to Visa Canada’s rules on the standard, Level 1 businesses are those which process more than six million transactions per year and are subject to an annual on-site audit and quarterly network scan by a PCI-qualified assessor. Level 2 businesses process between 150,000 and 6,000,000 transactions per year, while Level 3 and 4 businesses handle fewer than 150,000 transactions.
The penalties for noncompliance range from large fines to losing the ability to accept credit card transactions. Last month, Visa USA imposed $880,000 in fines on Cincinnati-based Fifth Third Bank, which processes most of the credit card transactions for the Framingham, Mass.-based retail chain TJX. According to court papers filed for a class-action lawsuit by a group of U.S. banks, about 94 million payment cards were compromised in the data breach of TJX’s systems.
To avoid such fines, Burnaby, BC-based automated payment solution provider Digital Payment Technologies (DPT) said it was crucial to have an IT infrastructure provider that was PCI compliant after it was classified as a Level 1 service provider. The company was a Fusepoint client prior to the service provider’s PCI compliance, and is now thankful it doesn’t need to send assessors to independently audit Fusepoint’s facilities, as was originally planned.
“There are two parts to PCI compliance for service providers, so in our cases it’s not just where the service is hosted, but it also bleeds out into the surrounding networks and the infrastructure that connects in with those systems,” Christopher MacPhail, CTO at Digital Payment Technologies, said.
With Fusepoint now compliant, MacPhail said, it makes the difficult PCI process a lot easier.