PCI DSS Compliance

What is PCI DSS compliance?

PCI DSS stands for Payment Card Industry Data Security Standard.

(Now there’s a mouthful 😁)

It is an information security standard designed to:

• Secure cardholder data
• Prevent payment card data fraud
• Allow people to shop safely and with confidence

PCI DSS was originally developed through a collaboration between the five leading payment brands:

• American Express
• Discover
• JCB
• MasterCard
• Visa

It’s now managed by the by the PCI SSC (Payment Card Industry Security Standards Council or PCI Security Standards Council).

Why do I need to be PCI DSS compliant?

Payment-card fraud is a serious problem.

According to the most recent UK Finance report, unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £783.8 million in 2020.

You will need to be compliant in PCI DSS for the following reasons:

• Handle cardholder data and money securely
• Prevent identity theft
• Prevent fines
• Trust in your business
• Compliance

So PCI DSS compliance is definitely something worth getting right first time.

Do I have to comply with PCI DSS?

All merchants and PSPs who process, transmit or store credit card data should abide with PCI compliance.

You need to comply with the PCI DSS if you:

• Take card payments online through an ecommerce website
• Take card payments in person using a card reader or contactless payments – for example, in a shop or restaurant
• Take card payments over the phone, using the details provided by the cardholder

You also have to comply with the PCI DSS if you process payments or handle credit card data on behalf of someone else.

If you do this, you are known as a PSP (Payment Service Provider).

Some businesses can be both a merchant and PSP at the same time.

How many requirements are needed to become PCI DSS compliant?

There are a total of 12 steps or security controls that you need to take to meet the PCI data security standard.

The 12 PCI DSS compliance steps are divided into 6 goals:

#1 Build and maintain a secure network and systems to protect cardholder data

• Install and maintain a firewall configuration to protect cardholder data, and test it regularly
• Do not use vendor-supplied defaults for system passwords and other security parameters. Change them as soon as you can and update them frequently

#2 Protect stored cardholder data with encryption

• Protect stored cardholder data. Only store cardholder data what you absolutely need to, and keep it safe both digitally (through backups, passwords and access control) and physically (through limiting access to your server)
• Encrypt transmission of cardholder data across open, public networks, so nobody can read it in transit

#3 Maintain a vulnerability management program

• Protect all systems against malware and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications, so you stay one step ahead of potential problems

#4 Implement strong access control measures

• Restrict access to cardholder data to those who genuinely need to know it
• Identify and authenticate computer access to system components
• Restrict physical access to cardholder data

#5 Regularly test security systems

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

#6 Maintain an information security policy

• Maintain a policy that addresses information security for all personnel

Each of these steps helps to reduce your risk of cardholder data loss or fraud.

It can also help you to understand any potential security vulnerabilities.

You can read the full requirements for PCI DSS at the PCI SSC’s website.

What happens if you don't comply with PCI DSS?

If you aren’t compliant and there’s a breach of the standard, your payment provider can impose a fine on your bank.

For their part, the bank may:

• Pass the fine on to you
• Refuse to accept card payments from you
• Close your bank account altogether

Suffered a breach and want to carry on taking card payments?

You’ll have to meet Level 1 requirements for cardholder data from then on, regardless of how many credit card transactions you process.

Got fined and still can’t prove your compliance?

You may face further fines until you take the necessary steps to data security.

For larger firms, the fines can add up to as much as £80,000.

That should be a clear indication of why you need to protect cardholder data.

Is PCI compliance mandatory in the UK?

PCI compliance is a standard rather than a law.

It’s enforced through contracts between:

• Merchants
• The banks who process payment
• The major payment companies

However, that doesn’t mean that you can relax about PCI DSS, or put it off until later.

The risks of not following PCI compliance can be very serious.

Even endangering your ENTIRE business.

If you suffered a breach, you would lose trust.

This includes trust from your bank and your customers.

While you might be able to afford the fine, you might never get back your reputation.

More importantly:

Nobody wants to be known as the firm that can’t be trusted to look after sensitive cardholder data.

To make things more interesting:

Allowing cardholders data to be lost or stolen is a breach of GDPR (General Data Protection Regulation).

This covers consumers’ rights over their data, including payment data.

The penalties for GDPR data breaches are severe:

Up to £17m or 4% of your annual turnover.

💳 Need advice on PCI Compliance? Feel free to get in touch.

What are the PCI DSS compliance levels for merchants?

Not all merchants have to reach the same standards in order to comply with PCI DSS.

There are 4 levels of validation:

1 (Highest) to 4 (Lowest).

The level you must comply with depends on how many transactions you process per year.

For each level, there are different tasks that you must carry out every year in order to stay validated.

The table below shows the full details.

For the meaning of terms and abbreviations used here, see the Glossary of Terms above.

Level 1

Transactions processed per year:

6M+ (or if your cardholder data has previously been compromised)

Validation requirements:

• RoC (Report on Compliance) carried out by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor)
• Quarterly scan of external vulnerabilities by an ASV (Approved Scanning Vendor)

Level 2

Transactions processed per year:

1M-6M

Validation requirements:

• RoC by a QSA, or an SAQ (Self-Assessment Questionnaire) signed by an officer of the company
• Quarterly scan by an ASV

Level 3

Transactions processed per year:

20k-1M

Validation requirements:

• SAQ signed by an officer of the company
• Quarterly scan by an ASV (once the SAQ has been done)

Level 4

Transactions processed per year:

Under 20k

Validation requirements:

• SAQ signed by an officer of the company
• Quarterly scan by an ASV (once the SAQ has been done)

How do I become PCI DSS compliant in the UK?

#1 Determine Validation Level

Determine which level of validation you need to achieve.

Base this on the number of transactions you plan to process within a year.

#2 Gap Analysis

Carry out a gap analysis to work out what you need to do in order to become compliant.

In other words:

• Look at where you are now
• Determine where you need to be
• Consider how to bridge the gap between them

#3 Report on Compliance (RoC)

Do you need a Report on Compliance (RoC)?

Contact a QSA and ask them to prepare it for you.

#4 Scan for Vulnerabilities

Do you need to scan for vulnerabilities?

Contact an ASV.

To simplify the process, contact businesses that fulfil both #3 and #4.

#5 Self-Assessment Questionnaire (SAQ)

Do you need to complete an SAQ?

There are 9 questionnaires available.

Each one is aimed at businesses with different payment setups.

Work out which one is applicable to your business, download it and complete it.

How much does it cost to become compliant in PCI DSS?

The cost of becoming PCI compliant varies depending on the level of validation you need.

You may even be compliant with the standard already!

Or you may need to make some changes to the way you handle cardholder data and take payments.

Most notably:

PCI compliance is not just a one-off task.

You’ll probably have some recurring tasks that you need to keep performing to make sure you stay compliant.

The main costs are likely to be:

• Paying PSPs to help you with assessments or support
• Upgrading technology – for example, by installing anti-virus software
• Buying new equipment such as a paper shredder
• Maintaining compliance – for example, by training your staff.

On top of that:

PCI needs careful management.

It will take up some of your time as a manager, or that of your IT team.