What is PCI DSS and how does it affect you and your organisation?
If your company processes card payments, then it’s likely you have heard of the Payment Card Industry Data Security Standard (or the PCI DSS, as it is more commonly known). You may also know that in order to process these payments, credit card providers require you to comply with the requirements outlined in the standard. Yet knowing exactly what this means – and how to comply with each requirement – is a very different proposition.
Without getting a grasp on PCI DSS, you could not only be in breach of the providers’ requirements, but also be putting customer payment information at risk. Here then is a brief explanation of the Payment Card Industry Data Security Standard: what it is, why it’s important, and what you need to know to comply with it, and keep your data and organisation safe.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, store or transmit card information maintain a secure environment. This includes credit cards, debit cards and pre-paid cards that carry any of the five association/brand logos named below.
PCI DSS was established by five major card companies – Visa, MasterCard, American Express, Discover, and JCB – to bring their separate data protection standards into alignment, and develop an evolving and cohesive set of policies for the card payments industry. The PCI DSS is administered and managed by the PCI Security Standards Council, while the payment brands and acquirers are responsible for enforcing PCI DSS compliance.
The PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. By following the guidance in the PCI Data Security Standard, you’ll help to keep your cyber defences primed against attacks aimed at stealing cardholder data. Which parts of the PCI DSS apply to your organisation will depend on how many transactions you process, and on whether you use a third-party payment provider.
What is the risk of not complying with PCI DSS?
PCI DSS is not a legal requirement per se, but not complying with it does open you up to other liabilities. In the event of a data breach that compromises card information, merchants who have failed to comply with PCI DSS may be subject to fines, forensic audits, and reputational damage.
Accepting payments from cardholders requires you to adequately protect that data, and the PCI DSS is the easiest way to demonstrate that you have done this. If you compromise on the standards of the PCI DSS, you may struggle to prove that you have taken adequate steps to keep payment data safe.
How does PCI DSS apply to my business?
PCI has four compliance ‘levels’, determined by the number of transactions you process per year. These are as follows:
- Level 1 – Any merchant processing over 6 million Visa transactions per year, or who is determined to meet the Level 1 requirements at Visa’s discretion.
- Level 2 – Any merchant processing 1 million to 6 million Visa transactions per year.
- Level 3 – Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4 – Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.
PCI DSS applies to all credit card transactions, including those taken over the phone. Businesses using third-party payment processors are not exempt from PCI DSS, but their risk exposure may be reduced as a result. More information on compliance and the self-assessment process can be found on the PCI Security Standards website.
How can payment data be exposed?
Criminals are actively looking to steal cardholder data in order to make purchases. By obtaining an individual’s Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Take a look at the payment card diagram. Everything at the end of a red arrow is sensitive cardholder data. In short, the CID and anything on the reverse of a card must never be stored. You must have a good business reason for storing anything else, and that data must be protected.
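The storage rule above (never keep the CID or other sensitive authentication data; protect any PAN you do have a reason to keep) is the kind of thing that is best enforced in code before a record is written to a database or log. The following is an added example, not part of the original article or any Sota tooling: it strips sensitive authentication data from a captured payment record, masks the PAN to its last four digits, and scans free-text fields (such as notes typed during a phone order) for PANs that should not be there. Field names, the masking policy and the sample record are assumptions made for this example.

```python
import re

# Sensitive authentication data (SAD): card verification code, magnetic
# stripe track data and PIN data. Field names are assumed for this example;
# whatever they are called in your system, they must never be stored.
SAD_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run. Candidates are confirmed with the Luhn check below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A verification code written into free text, e.g. "CID 123" or "cvv: 4567".
SAD_IN_TEXT = re.compile(r"\b(cid|cvv2?|cvc)\b[\s:#]*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask Luhn-valid PANs and remove verification codes found in free text."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    text = PAN_CANDIDATE.sub(_mask, text)
    return SAD_IN_TEXT.sub(lambda m: m.group(1) + " [removed]", text)


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of a payment record that may be written to storage."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue                      # drop SAD entirely
        if key.lower() == "pan":
            out[key] = mask_pan(value)    # retain only what is needed to identify the card
        elif isinstance(value, str):
            out[key] = redact_text(value) # PANs leak into notes and logs, not just PAN fields
        else:
            out[key] = value
    return out
```

The same `redact_text` routine can be run over application log lines, which are a common place for PANs to end up unnoticed.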
Think about all the places where you store or process cardholder data. Consider how data might be exposed in your role – and what steps you might need to take to protect it.
These are just a few examples of how payment card data can be compromised:
- Compromised card reader;
- Paper stored in a filing cabinet;
- Data in a payment system database;
- Hidden camera recording entry of authentication data;
- Hacking your organisation’s wireless or wired network.
What needs to be kept secure to comply with PCI DSS?
You must secure cardholder data where it is captured at the point of sale and as it flows into the payment system; the best step you can take is to not store any cardholder data at all. Securing it includes protecting:
- Card readers;
- Point of sale systems;
- Store networks & wireless access routers;
- Payment card data storage and transmission;
- Payment card data stored in paper-based records;
- Online payment applications and shopping carts.
If your organisation processes or stores cardholder data (credit cards, debit cards & pre-paid cards), PCI DSS compliance is vitally important. You should understand your organisational approach to PCI DSS, your internal policies if applicable, and your responsibility as an employee.
Sota has helped numerous clients to maintain a secure environment that is fully compliant with PCI DSS. To discuss your payment card security processes, and find out how we can help your business apply the PCI DSS, get in touch with us today.