Every business that takes credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). But what exactly is it? In this blog we take a deep dive into what PCI DSS is and how to become compliant.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. It applies to all merchants and service providers that process, store or transmit credit card data.
The PCI DSS is administered and managed by the PCI Security Standards Council, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). You should understand your organisational approach to PCI DSS, your internal policies if applicable and your responsibility as an employee.
The PCI DSS is "a standard, not a law"; it is instead enforced contractually between merchants and their banks. However, although the PCI DSS is a standard set by the Payment Card Industry Security Standards Council, "the breach or theft of cardholder data is also a breach of the EU GDPR (General Data Protection Regulation)." This is because cardholder data is classed as personal data under the regulation. Therefore, non-compliance may leave your company at risk of breaching GDPR and receiving a hefty fine.
Cardholder Data includes Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code. All sensitive information on a physical card is shown in the image below:
If this information is handled online, it must be protected to the same standard as the data on a physical card. A lot of card information is stored online; for example, card payment details may be saved on multiple websites. Protecting this online data, if you are trading online, is a key part of PCI DSS compliance.
Does PCI DSS apply to my organisation?
The PCI DSS applies to every single organisation, regardless of size, that accepts, transmits or stores any cardholder data. Following guidance in the PCI Data Security Standard helps keep your cyber defences primed against attacks aimed at stealing cardholder data.
However, not all parts of PCI DSS are applicable to every organisation. This may be the case, for example, if your organisation uses third-party providers to take card payments. In that case, you should find out which parts of PCI DSS are applicable to you.
It is important to note that the payment brands and acquirers (Visa, Mastercard, etc.) are responsible for enforcing PCI DSS compliance, not the PCI Council.
Why Does Data Need To Be Protected by PCI DSS?
When dealing with sensitive financial information such as payment cards, there are a variety of risk factors that could potentially lead to a data breach. Hackers and scammers are keen to get their hands on this information. Some of the ways card details may get stolen are:
- A compromised card reader
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden camera recording entry of authentication data
- Hacking your organisation's wireless or wired network
If you suffer any of these breaches, you may end up leaking valuable customer banking information, which is bad for both them and your business.
If your organisation processes or stores cardholder data (credit cards, debit cards and pre-paid cards), then PCI DSS is very important to you.
More information can also be found on the PCI Security Standards Website: https://www.pcisecuritystandards.org/
The 12 Requirements For PCI DSS Compliance*
- Protect your system with firewalls
- Configure passwords and settings (don't use system default passwords)
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data on a need-to-know basis
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
*These are the minimum requirements to be PCI DSS compliant. Meeting them does not necessarily mean that your payment process is completely secure, so look into developing new processes and ways of working that go further than these 12 points.
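Requirements 3 and 10 above (protect stored cardholder data; implement logging) meet in practice when a full PAN leaks into application logs. The following is an added example, not code from the original post or from usecure: it scans constructed sample log lines for digit runs that pass the Luhn check used by card numbers and masks them to the first six (BIN) and last four digits, the masking rule PCI DSS allows for display. The log lines and PAN are made-up test data.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). Line 1 holds an
# unmasked test PAN, line 2 a Luhn-invalid reference number that must be left
# alone, line 3 a PAN that is already masked.
SAMPLE_LOG = [
    "2024-01-01 12:00:00 INFO order=1001 card=4111111111111111 status=ok",
    "2024-01-01 12:00:05 INFO order=1002 ref=1234567890123456 status=ok",
    "2024-01-01 12:00:09 INFO order=1003 card=411111******1111 status=ok",
]

# Card numbers are 13 to 19 digits; the lookarounds stop us matching a
# substring of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits; replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in one line; return (new_line, hits)."""
    hits = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal hits
        if luhn_valid(m.group(0)):
            hits += 1
            return mask_pan(m.group(0))
        return m.group(0)   # digit run that is not a plausible PAN

    return PAN_CANDIDATE.sub(repl, line), hits


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a whole log; return (redacted_lines, total unmasked PANs found)."""
    redacted, total = [], 0
    for line in lines:
        new_line, hits = redact_line(line)
        redacted.append(new_line)
        total += hits
    return redacted, total
```

A non-zero count from `scan_log` is the finding to alert on: the log sink is receiving data that requirement 3 says should never be stored in the clear.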
Sign up to uLearn for the PCI DSS Training Course
usecure offers bespoke PCI DSS Training for beginner users to get up to speed with the requirements of PCI DSS.
If you'd like a free trial, or to see the full range of courses, just click through to the link below.