Roughly 46% of consumers now use digital channels exclusively for banking, which means almost half of the world's banking customers rely on fintech firms, many of them startups.
The startups that play in this space typically partner with larger, more established banks, which do so to add functionality and offer a more attractive proposition to their own customer base.
But those banks can only partner with businesses that are Payment Card Industry Data Security Standard (PCI DSS) compliant. Yet, in the race to get to market, startups still underestimate the importance of PCI DSS compliance.
With growing card fraud, PCI DSS compliance isn’t optional – it’s the very least that startups should be doing to protect customers
In the face of escalating card fraud statistics in South Africa, PCI DSS compliance isn’t optional. It’s the very least that startups should be doing to protect their customers, partners, reputation and livelihoods.
What’s the big deal about card security?
Statistics for 2019 have yet to be released, but combined gross fraud losses on South African-issued bank cards rose 18% in 2018, to R873.4-million.
In addition, 23 466 incidents were recorded across banking apps, online banking and mobile banking, amounting to R262.8-million in gross losses.
These are compelling numbers. They indicate that every business, regardless of size or status, should be prioritising PCI DSS compliance if it hasn't already, and insisting that its partner organisations do the same.
Any organisation that processes, stores or transmits cardholder data has a compliance obligation, whatever its size.
For startups that still need to build their brand and reputation, PCI compliance becomes critical.
In the PCI DSS space there are three classifications of entities: acquirers and issuers (the banks that acquire card transactions and issue cards), merchants, and service providers.
Merchants sell goods or services for payment with a card. Within this classification there are four levels, each with different requirements for achieving and maintaining compliance. A merchant's level depends not on the value of its transactions but on their annual volume.
Why focus on PCI DSS compliance?
For startups that want to partner with larger financial service providers, PCI DSS is non-negotiable.
However, the reasons to be compliant go beyond that: PCI DSS improves internal processes and demonstrates credibility to clients and other businesses.
In other words, PCI DSS compliance is a signal to customers and other businesses that this organisation is trustworthy and safe to engage with.
How then does a startup become PCI compliant?
Put simply, the company must implement the standard's twelve requirements as they apply to its business, covering areas such as network security, protection of stored cardholder data, encryption of cardholder data in transit, access control, monitoring and testing, and security policy. Which validation route applies depends on how the startup handles card data: a merchant that fully outsources payment processing to a compliant provider, for example through a hosted payment page, can usually self-assess with a short Self-Assessment Questionnaire (SAQ), while one that stores, processes or transmits primary account numbers itself faces a far longer questionnaire or, at the higher merchant levels, an on-site assessment resulting in a Report on Compliance (ROC). Keeping card data out of your own systems wherever possible is therefore the single most effective way to shrink the scope and cost of compliance.
While it is not necessary for every startup to undergo a full, potentially costly, on-site assessment, it is worthwhile bringing in the right consultant to assist from a practical perspective and get the ball rolling.
Such consultants are known as Qualified Security Assessors (QSAs). They have been trained and certified by the PCI Security Standards Council to help businesses assess how they handle cardholder data.
These assessors are especially helpful for startups because they will have seen real-life solutions to the most daunting compliance requirements.
One last piece of advice for startups? Do it now. With fraudsters and hackers getting bolder and trickier, falling victim to a data breach is only a matter of time for most fintech companies, especially startups.
*Simeon Tassev is managing director and QSA at Galix Networking