PCI DSS - The Payment Card Industry Data Security Standard.
What is it?
The Payment Card Industry Data Security Standard (PCI DSS) is the standard created to help secure the information associated with any payment card.
The standard covers how the banks store this information and how retailers protect it when a payment is made by credit or debit card. The standard was written by the major global card acquirers, including American Express, Visa and MasterCard, and is applicable all over the world.
PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits, processes or stores any cardholder data. It applies to anyone who processes card payments, either electronically using a terminal or via an ecommerce website. It also applies to those that process cards manually using paper methods.
Although the need to register compliance with the relevant acquiring bank depends on the volume of data that is processed over the course of a year, it is the responsibility of every organisation to establish how (or whether) they should comply with PCI DSS. Those that neither comply nor demonstrate that they are working towards compliance may be liable for non-compliance fines. Ultimately an acquirer may be forced to terminate the relationship, which will prevent the organisation from accepting payments by card.
Why do we have it?
Since the 1960s when credit cards were introduced, stealing the card number and other associated data, such as the expiry date, has been attractive to criminals. Banks have tried to make it more difficult to get hold of this data and also to make it harder to use if it falls into the wrong hands. The introduction of Chip and PIN cards and terminals in the UK was all part of the development of better security for card data. PCI DSS is another part of this process.
Compliance is an annual task, a bit like a car MOT test, and it is something that needs to be managed continually throughout the year.
What to do next
An organisation’s acquiring bank will usually be able to advise on the need for compliance. Some have developed special portals for their customers to be able to do this easily. But establishing the exact PCI DSS requirements can be a complex business and professional advice should be obtained.
Larger retailers need to have an external assessment conducted by a Qualified Security Assessor (QSA), or have an internal member of staff trained specifically to perform this function. All entities that process more than 1 million transactions in a 12-month period are required to have a PCI DSS assessment performed by a QSA.
Smaller entities also need to comply with the requirements of the PCI DSS. As soon as a single card transaction is processed, that organisation is in scope for compliance. They are able to complete various self-assessment questionnaires (SAQs), depending on the way in which transactions are taken. But it can sometimes be confusing which SAQ is appropriate for each environment, and smaller companies may need help to understand how they should comply and what must be done to meet the standard.
Compliance requirements can also vary, and some circumstances affect the nature of PCI DSS compliance. For example, the requirements differ between entities that sell directly to the public and service providers that act as middlemen for processing payments.
SRM has a wealth of experience in helping companies understand not only how to comply but also how to reduce scope so that compliance each year is as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the experience to help achieve compliance at any level.