Myths surrounding card payments abound. What is the PCI DSS, and do I need to comply with it? Here we delve into the detail and (hopefully) make it simple.
Taking compliant card payments
Taking Payment By Card
If you want to take debit or credit card payments, you need to do so in a secure way. In fact, you are required to.
Compliance with the PCI DSS is compulsory for any organisation, anywhere in the world, that transmits, processes or stores card information.
What is the PCI DSS?
The Payment Card Industry Data Security Standard
PCI DSS is the information security standard defined by major credit card companies (Visa, Mastercard, American Express, Discover and JCB).
These standards exist to reduce fraud, and they form part of the operating regulations: the rules under which merchants (you) are allowed to operate merchant accounts.
PCI DSS Requirements
The standard has 12 high-level requirements, which fall into the six categories below:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Sensitive Data
- Protect stored cardholder data (for example, by encryption)
- Encrypt transmission of cardholder data and sensitive information across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications in a managed programme
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses Information Security
What If I Don’t Comply?
There are considerable Card Scheme fines associated with non-compliance following a data compromise; these can range from tens to hundreds of thousands of pounds. Many non-compliant merchants have ceased trading because the fines could not be accommodated. Other consequences of a compromise include:
- Loss of customer confidence
- Diminished sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines, penalties, and cost of forensic investigation
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
- Going out of business
How do I become compliant?
In a nutshell, there are 4 levels, determined by the volume of card payments you take and how you take them. Payments can be online, over the phone, or in-store, with Level 1 being the highest volume of received payments.
Level 1 applies if you take a lot of payments (more than six million transactions annually), and Level 4 applies to e-commerce merchants taking fewer than twenty thousand transactions annually, or non-e-commerce merchants processing up to one million payments each year.
Common PCI Compliance Myths
There are many incorrect assumptions out there, and here are just a few:
I don’t take payments over the phone, so it doesn’t apply to me. The PCI DSS applies to card payments over all channels, including in-store and online.
I don’t record telephone calls, so I am compliant. In this case you have met a single requirement out of hundreds. This alone does not make you compliant.
I pause the call recording, which makes us compliant. Manual ‘pause and resume’ is not compliant. Automated ‘pause and resume’ still leaves your entire network in scope, along with your staff. Chances are you are not compliant.
Common PCI DSS FAQs
How do I get PCI DSS compliance?
Get in touch with us and we can provide an initial assessment free of charge.
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard defined by major credit card companies (Visa, Mastercard, American Express, Discover and JCB).
What is PCI DSS compliance?
PCI DSS compliance is the extent to which you meet the requirements of the Data Security Standard that apply to you, ensuring that your customers’ card information is protected.
What is the PCI DSS standard?
The PCI DSS is issued by the PCI Security Standards Council (PCI SSC), and is updated from time to time. You can find a copy of the latest version on their website: https://www.pcisecuritystandards.org/
Is PCI DSS compliance mandatory in the UK?
Yes. It is mandatory worldwide.
How do I get PCI DSS certified?
This depends on how many payments you take, and how you take those payments (online, over the phone, in-store). Depending on your level, you may need to have the parts of your network that are ‘in scope’ scanned each quarter by an Approved Scanning Vendor (ASV), complete an Attestation of Compliance (AOC) form, and complete one of several Self-Assessment Questionnaires (SAQs). Get in touch and we can provide a free assessment.
What is a PCI DSS self assessment questionnaire?
Known by the acronym SAQ, a Self-Assessment Questionnaire is a form you complete to indicate whether you are complying with each requirement of the PCI DSS that applies to you. Which SAQ you use depends on how you take payments.
What is PCI DSS level 1?
There are 4 levels. Level 1 applies to any merchant that processes more than six million transactions annually across all channels, or that is identified as Level 1 by any Visa region. Level 1 merchants are required to have quarterly network scans completed by an ASV (Approved Scanning Vendor), and to undergo an annual ROC (Report on Compliance) completed by a QSA (Qualified Security Assessor).
Taking Payments Over the Phone?
It’s really tricky to be compliant with the PCI DSS requirements if you are taking payments over the phone without using an application like PayGuard®.
PayGuard® removes your staff, your network, and your business from the scope of the PCI DSS when taking phone payments, making annual compliance a cinch and keeping your customer information secure.