PCI DSS is the Payment Card Industry Data Security Standard. It is a set of data security requirements that must be followed by everyone who takes any type of card payment. In the current COVID-19 lockdown shops are closing their doors, either permanently or until they get the go-ahead from the government to reopen.
With people only allowed to leave home for a select few reasons, we are seeing more and more businesses turning to apps or websites as a survival mechanism allowing customers to buy their goods.. Even my local butchers now offers online shopping for collection or delivery.
What business new to this way of working may not realise is that the PCI DSS applies to every organisation that takes card payments. This means it is their responsibility to ensure that they are compliant, even if the payment processing is fully outsourced to a PCI DSS compliant third party.
The PCI DSS is a set of the following 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
There are different levels of merchant where the PCI DSS is concerned and the level that the merchant falls into will determine how compliance to the standard is confirmed:
Level 1: merchants with over 6 million transactions a year, across all channels or any merchant that has had a data breach.
Level 2: merchants with between 1 million and 6 million transactions annually, across all channels.
Level 3: merchants with between 20,000 and 1 million online transactions annually.
Level 4: merchants with fewer than 20,000 online transactions a year, or any merchant processing up to 1 million regular transactions per year. In general, levels 2, 3 and 4 can confirm compliance by completing a Self-assessment Questionnaire (SAQ), however there are exceptions to this rule and your Acquiring Bank can advise further.
Level 1 merchants must have a formal assessment conducted by a PCI Qualified Security Assessor (QSA) who will confirm compliance via a Report on Compliance (RoC).
If businesses are able to confirm compliance by completion of an SAQ there are different types depending on the way the business operates and the setup of the payment processing activities. It is important to get this right from the start to ensure that the correct security controls are being applied to protect the card payments.
If in doubt, seek advice before progressing down a compliance route as this could save time and money.
Non-compliance with the PCI DSS can lead to an insecure environment that may be a target for card data thieves. In the event that a breach does occur, and compliance can’t be proven, the fines will be higher and a forensic investigation will need to be carried out at the cost of the merchant. Furthermore, following a breach the merchant is obliged to have a QSA conduct an assessment and produce a RoC at their own expense.
How can we help?
Bridewell can help to interpret the PCI DSS and apply it to your environment and also provide advice on the implementation of solutions to reduce the scope of PCI DSS. This will not only reduce risk but it will also cut the cost of both implementation and the annual assessment, whether it be a time-saving cost, or a financial one.
PCI DSS – Where To Start?
Listen to our PCI DSS webinar on-demand.
Helping businesses to identify the people, processes and technology that should be included in the PCI DSS scope.
- Provide tips on how to implement the PCI DSS standard.
- Help businesses to prepare for an assessment.
At Bridewell Consulting we are in it for the long term. As a trusted partner, our team of experts can assist you on your cyber security journey and beyond. For further information or a no commitment chat, on any of the above, please get in touch here or give us a call on 03303 110 940.