British Red Cross wants more help from banks

Lack of information from banks and cost of implementation are the challenges to overcome in the charity's PCI DSS compliance process

British Red Cross is still unclear about the details it needs to provide

The British Red Cross (BRC) is considering working with other not-for-profit organisations to meet the demands of new credit card data security requirements.

The charity is struggling with the PCI DSS standard, and has blamed banks for not providing enough information to help it comply. It has had to reshuffle IT priorities to accommodate the changes, said head of IT Miguel Fiallos.

“Even though we have to meet a deadline, the communication from the merchant banks in relation to what is wanted is very poor,” he said. Fiallos also said he is working with other charities to share the burden for parts of the process such as testing.

The PCI DSS standard applies to any organisation that transmits, processes or stores credit card data. Compliance requirements are tiered: merchants are placed in one of four levels according to the number of card transactions they process each year.

“If the charity is accepting transactions over the phone or the internet, it will typically need the card number, expiry date and sometimes the three-digit code on the back of the card,” said Steve Wilson, head of policy compliance management at Visa.

“Charities should not be keeping information after the transaction is completed.”

BRC is undergoing tests under the Qualified Security Assessor programme.