What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard that applies to anyone who stores, processes or transmits cardholder data for the major card brands: Visa, MasterCard, American Express, Discover and JCB. Between them these brands cover the vast majority of the credit and debit card market, although some private label cards fall outside the scheme.
PCI DSS was created in response to rising levels of card fraud and is a contractual requirement, imposed through the card brands and acquiring banks, for any merchant who takes payment by card. When PCI DSS compliance was introduced, fraud was seen as a very serious risk, with losses rising at rates of up to 16% a year.
PCI DSS is intended to secure card transactions and to protect cardholders against their card details being misused. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which the major card brands founded in 2006; the first version, released in December 2004, amalgamated the brands' separate security programmes into a single standard.
There have been several updates since then; the most recent, version 3.0, was published in November 2013.
Does My Business Need To Be PCI DSS Compliant?
Any merchant who accepts card payments must comply with PCI DSS. Using a fully hosted payment solution does not remove that obligation, but it greatly reduces its scope: if card details never touch your own systems, you can usually validate compliance with the shortest self-assessment questionnaire rather than a full assessment.
Fully hosted payment solutions are those where the card details are entered on a third party's website rather than on yours, for example PayPal, Amazon Payments, WorldPay, Secure Trading and Sage Pay. These payment providers offer online and/or physical storefront payment solutions and are responsible for the compliance of their own systems.
You may find, however, that to be accepted as a merchant by one of these services you must meet the payment service provider's own compliance requirements.
If your company or website processes card payments directly, so that card details pass through or are stored on systems you control, you are responsible for the full set of PCI DSS requirements and need to be compliant before you can accept payments.
PCI DSS Requirements
In order to be compliant a business must meet the 12 PCI DSS requirements, which are grouped into 6 key areas. Compliance is not a one-off exercise but a continuous one: the requirements must be met at all times, not just when an assessment is due.
The key areas to consider are as follows:
1. Build and Maintain a Secure Network
This area covers requirements 1 and 2. Requirement 1 is to install and maintain a firewall configuration that protects cardholder data: the systems that store, process or transmit card details (the cardholder data environment) must be separated from the internet and from the rest of the internal network, with only the traffic the business actually needs allowed through. Wireless networks deserve particular attention because of their greater exposure; any wireless network must be firewalled off from the cardholder data environment.
Requirement 2 is that vendor-supplied defaults must never be used for system passwords or other security parameters. Default administrator passwords, default accounts, SNMP community strings and similar settings must be changed or removed before a system is connected to the network, and services that are not needed should be disabled.
2. Protect Card-holder Data
This obligation covers requirements 3 and 4. Requirement 3 is to protect stored cardholder data: the card number (PAN) must be rendered unreadable wherever it is stored, by truncation, strong encryption, hashing or tokenisation, and must be masked when displayed so that at most the first six and last four digits are visible. Sensitive authentication data, meaning the full magnetic stripe or chip data, the three- or four-digit card verification code (CVV2, CVC2, CID) and PINs, must never be stored after authorisation, even in encrypted form. Requirement 4 is to encrypt cardholder data whenever it is transmitted across open, public networks. This is particularly important in e-commerce, where the customer's browser sends the card details over the internet.
3. Maintain a Vulnerability Management Programme
This third area covers requirements 5 and 6, which protect systems against malware and against attacks on software flaws. Requirement 5 is that anti-virus software be deployed on all systems commonly affected by malware, kept up to date, actively running and generating audit logs. Requirement 6 is to develop and maintain secure systems and applications: security patches from software suppliers must be installed promptly (critical patches within a month of release), and any software you write yourself must follow secure coding practices that address common flaws such as injection and cross-site scripting.
4. Implement Strong Access Control Measures
This area covers requirements 7, 8 and 9 and ensures that access to cardholder data is restricted. Requirement 7 is need-to-know: only those employees whose job absolutely requires access to the data should be permitted it, and access rights should default to deny.
Requirement 8 is that everyone who uses the system is given a unique ID, so that every action can be traced to an individual; shared or generic accounts defeat this and are not permitted.
Requirement 9 is to restrict physical access to cardholder data. This includes controlling who can enter rooms holding card data systems, secure disposal of paper containing card details (shredding), and minimising the duplication of paper documents.
5. Regular Testing and Monitoring of Networks
This area covers requirements 10 and 11. Requirement 10 is to track and monitor all access to network resources and cardholder data: every access to card data and every administrative action should be logged, the logs protected from tampering, reviewed regularly and retained for at least a year. Requirement 11 is to test security systems and processes regularly, including quarterly internal and external vulnerability scans, penetration testing at least annually and after any significant change, checks for unauthorised wireless access points, and file-integrity monitoring to detect unexpected changes to critical files.
6. Maintain an Information Security Policy
Lastly, an information security policy must be formally adopted by the company, addressing all of the requirements above and communicated to all staff. It should be followed at all times and reviewed at least annually, and audits should be used to track compliance with it. It may also be necessary to impose penalties for not conforming with the policy.
Why Is PCI DSS Compliance Required?
PCI DSS can seem a lot of effort, particularly for smaller organisations, but it has a number of benefits for your firm. Being PCI DSS compliant means you are at much lower risk of a security breach or theft of cardholder data, and therefore much less likely to be subjected to fraud.
Compliance is also an ongoing process. You need to have a number of processes in place, including quarterly internal vulnerability scans, quarterly external vulnerability scans carried out by an Approved Scanning Vendor, and an annual validation of compliance. For the largest merchants that validation is an on-site assessment by a Qualified Security Assessor; smaller merchants can usually validate with an annual self-assessment questionnaire.
A Qualified Security Assessor (QSA) is a data security company that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS.
An Approved Scanning Vendor (ASV) is a data security firm, also qualified by the PCI Security Standards Council, that performs the external vulnerability scans PCI DSS requires against your internet-facing systems. The scan report shows whether or not your business meets the PCI DSS external vulnerability scanning requirement.
PCI DSS – FAQs
What is the cost of auditing? Is this an annual cost?
The cost of certification will depend on the volume of card transactions. Compliance passes through a number of stages that typically include a self-assessment questionnaire (SAQ), an on-site audit and security scans of the merchant's network infrastructure.
The cost depends on whether a pre-compliance review and/or an on-site audit is needed, and will therefore be specific to each merchant.
Some auditing services will have monthly payment plans, others will have annual.
What is the typical cost of putting the systems in place to comply with the requirements?
This really depends on a number of factors, for example:
- Are you an online and/or offline business?
- How many transactions do you carry out a year using payment service providers?
- Do you have your own in-house IT professional who can control the security of your systems?
When setting up a payment system, the costs and requirements of being compliant will typically be incorporated. It is then up to you to make sure you carry out the regular checks.
If you have any questions about being compliant, speak to your acquirer for assistance. Your acquirer is the company you have your merchant account with. Most acquirers have programmes in place to manage and support their merchants' ongoing PCI DSS compliance and validation.
Which requirements are the most expensive to implement? Which requirements are the most time consuming to implement?
Again, this will depend on what existing systems you already have in place, if any, and how they will be integrated into your PCI DSS compliant system.
Many businesses will turn to third party firms that provide the compliant systems for them. Companies such as Ogone, Netpay and Cardstream are just three examples of PCI DSS compliant businesses that partner with merchant account providers.
Protecting Your Business and Reputation – The Facts
If you do not comply with PCI DSS requirements you may incur substantial fines, levied by the card schemes and passed on through your acquirer. You could also find yourself permanently banned from any further card processing, which means you would be unable to accept any payments from your customers other than cash or cheques.
Being PCI DSS compliant gives you greater protection against security breaches, which can be costly and damage your reputation. The facts speak for themselves:
- Figures reveal that in 2013, UK card fraud amounted to £450.4m – a 16% increase since 2012 – with the increase being linked to data hacking.
- At the time of writing (November 2014) the POODLE bug had set alarm bells ringing within the security industry. POODLE is a flaw in the obsolete SSL 3.0 encryption protocol that lets an attacker who can intercept a victim's traffic decrypt parts of the encrypted session, such as the cookies that keep a user logged in to email, banking and other online accounts; the remedy is to disable SSL 3.0 on servers and clients. Sage Pay issued instructions for their online partners to use in order to protect their data.
- Earlier, in October 2014, finance giant JP Morgan disclosed a major data breach in which the names and contact details of around 76 million households and 7 million small businesses were stolen.
The moral of this story is that data breaches can happen to any business, so you need to do what you can to protect yours.
Next Steps: Getting PCI DSS Compliant!
To get started with becoming PCI DSS compliant you should contact a specialist Qualified Security Assessor through your merchant acquiring bank or through an independent supplier such as Sage Pay. Your acquiring bank or Payment Service Provider (PSP) will help you find someone qualified. Most do not charge a fee for this service, but some companies might, so be sure to check this when you get a quote.
There are four merchant levels, determined by your annual number of card transactions, and the validation required differs by level: the largest merchants (level 1, over six million transactions a year) need an annual on-site assessment by a QSA, while lower levels can usually validate with a self-assessment questionnaire. The QSA will be able to tell you which level applies and help you validate correctly for your company.
Once you have done this, your business will be able to access a number of benefits including:
- Increased customer orders due to higher levels of trust
- Customers who are more likely to recommend you as trustworthy
- An improved reputation with B2B partners
- The safety of knowing that you are working with the experts in the field at preventing card fraud
- An improved IT infrastructure
- Reduced risk of fraud incidents which can damage your reputation
- Reduced risk of data breaches which lead to a loss of sales or even legal action and insurance claims.
In short, PCI DSS compliance will help to protect the business you have worked hard to build.