PCI DSS Compliance Guide: Who is affected by PCI DSS compliance?

Key Takeaways:

  • The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard that affects any company that stores, processes, or transmits credit card data.
  • PCI DSS compliance is mandatory for all companies that accept credit cards, and failure to comply can result in hefty fines, loss of merchant status, and damage to reputation.
  • PCI DSS compliance requires a number of security measures, including the use of firewalls, encryption, and access control.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data. PCI compliance is mandatory for all organisations that store, process or transmit cardholder data.

An independent body, the PCI Security Standards Council (PCI SSC), was created by Visa, Mastercard, Discover and American Express to oversee the development and management of the PCI DSS.

Companies and businesses that fail to comply with PCI DSS can be fined by the card brands, and may also face higher transaction costs, legal action and public disclosure of their non-compliance.

In extreme cases, non-compliant organisations may be banned from processing card payments altogether.

In this post, we’re going to cover:

  • How does PCI DSS apply to my business?
  • What needs to be kept secure to be PCI DSS compliant?
  • Is PCI DSS compliance mandatory in the UK?
  • Benefits of being PCI DSS Compliant
  • The 12 requirements for PCI DSS compliance
  • Get PCI DSS compliant with Trust Hogen

How does PCI DSS apply to my business?

The PCI DSS applies to any organisation that stores, processes or transmits cardholder data. This includes businesses of all sizes, from small retailers to large banks and eCommerce platforms.

If your business accepts credit card payments, you must be PCI compliant. There are different levels of compliance depending on the number of credit card transactions your business processes each year.

The four PCI DSS merchant levels are:

  • Level 1 merchants: More than 6 million transactions per year
  • Level 2 merchants: 1-6 million transactions per year
  • Level 3 merchants: 20,000-1 million transactions per year
  • Level 4 merchants: Fewer than 20,000 transactions per year

Even if your business uses third-party payment processors, you are not exempt from PCI DSS, although your risk exposure may be reduced.

PCI DSS compliance consists of three main components:

1. Secure handling of credit card data entered by customers, so that sensitive card details are collected and transmitted securely.

2. Safe storage of data, as set out in the 12 security domains of the PCI standard (more on that later).

3. Annual validation of security controls, for example through external vulnerability scanning services and third-party audits.

What needs to be kept secure to be PCI DSS compliant?

By taking somebody’s Primary Account Number and sensitive authentication data, a fraudster could impersonate the cardholder, use the card for unauthorised transactions and in turn steal their identity.

To keep cardholder data from being compromised, every place where you store it must be well protected.

These include, but are not limited to:

  • Card readers
  • Point of sale systems
  • Online payment applications and shopping carts
  • Wireless access routers and store networks
  • Payment card data stored in paper-based records
  • Payment card data storage and transmission

Is PCI DSS compliance mandatory in the UK?

Yes, PCI DSS compliance is mandatory in the UK.

As PCI DSS compliance is compulsory for any organisation that processes, stores or transmits cardholder data, there are a number of consequences for businesses that fail to comply.

These can include:

  • Fines and penalties from card brands and the government
  • Increased transaction costs
  • Legal action, such as lawsuits and insurance claims.
  • Public disclosure of non-compliance
  • Loss of business

In extreme cases, businesses that are non-compliant with PCI DSS may be banned from processing card payments altogether.

Benefits of being PCI DSS Compliant

Although being PCI DSS compliant can seem like a daunting task, there’s a lot to gain from sticking to the standards.

There are many benefits of being PCI DSS compliant, including:

  • Confidence your systems are secure
  • Reducing the risk of fraud and data breaches
  • Protecting your customers’ confidential information
  • Maintaining the trust and confidence of your customers
  • Avoiding costly fines and legal action
  • Reducing your transaction costs
  • Improved IT infrastructure

PCI DSS compliance can also help you to streamline your business operations, as well as improve staff morale and motivation.

Compliance can be seen as a measure of how well you are doing as a business and can give you a competitive advantage over non-compliant businesses.

The 12 requirements for PCI DSS compliance

Remember the 12 security domains of the PCI standard mentioned earlier in the post? It’s time to break them down.

The PCI DSS is a set of 12 requirements that businesses must adhere to in order to be compliant with the standard.

Let’s take a deeper look at them.

1) Firewalls to protect cardholder data

You must have a firewall in place to protect your cardholder data environment and any systems that connect to it. A firewall is regarded as the first line of defence against hackers and other unauthorised access to your systems.

This includes ensuring that only authorised traffic is allowed into your network and that all unauthorised traffic is blocked.

2) Proper password configuration

You must use strong passwords to protect all systems that have access to cardholder data. These passwords must be changed regularly and never reused.

Having a secure password that’s regularly changed is an easily overlooked aspect of Payment Card Industry Data Security Standard compliance that can have serious consequences if neglected.

3) Protect stored cardholder data

Any cardholder data stored must be encrypted using approved algorithms. This includes all offline and online storage methods such as hard drives, servers, removable media and backups.

Encryption keys are used to protect cardholder data, and managing those keys properly is itself part of meeting this requirement.
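The two things requirement 3 asks for in practice are that the full Primary Account Number is never readable where it is stored, and that sensitive authentication data (CVV, PIN, track data) is not stored at all after authorisation. The following is an added example, not code from the original post or from Trust Hogen, showing the stored, displayed and searched-for forms of a PAN using only the Python standard library: a Luhn sanity check, truncation and masking to the last four digits, a keyed one-way hash for lookups, and a discovery scan for PANs that have leaked into free text such as logs or tickets. The key, field names and sample values are constructed placeholders.

```python
"""Handling a Primary Account Number (PAN) before it is stored, displayed or
searched for. Added example, not code from the original post or from Trust Hogen.
Uses only the Python standard library; the HMAC key is a constructed placeholder."""
import hashlib
import hmac
import re

# Constructed placeholder. A real key comes from a key-management system and is
# never hard-coded; managing it is itself part of requirement 3.
HASHING_KEY = b"EXAMPLE-ONLY-replace-with-key-from-KMS"

# Sensitive authentication data: must never be stored after authorisation,
# whatever protection would be applied to it.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "pin", "track_data"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: cheap sanity test that a digit string could be a card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: only the last four digits remain visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits, nothing else."""
    return pan[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup key without storing
    the PAN itself. An unkeyed hash would be brute-forceable because the PAN
    space is small and Luhn-constrained."""
    return hmac.new(HASHING_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return the only form of the record that may be written to disk."""
    forbidden = SENSITIVE_AUTH_FIELDS & set(record)
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    pan = record["pan"].replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return {
        "pan_hash": hash_pan(pan),
        "pan_last4": truncate_pan(pan),
        "pan_display": mask_pan(pan),
        "expiry": record.get("expiry"),
        "cardholder_name": record.get("cardholder_name"),
    }


def find_unmasked_pans(text: str) -> list:
    """Data discovery: return Luhn-valid card numbers found in free text such as
    a log file, ticket or spreadsheet export, the places PAN tends to leak into."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely used test card number, not a real account.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/29"}))
    print(find_unmasked_pans("support ticket: customer read out 4111-1111-1111-1111"))
```

The point of `find_unmasked_pans` is that the storage locations listed earlier in the post (paper records, shopping carts, store networks) are only the known ones; running a discovery scan over logs, exports and ticketing systems is how you find the copies nobody planned for.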

4) Encrypt any transmitted data

When cardholder data is sent across ordinary network channels, for example to a payment processor, it must be encrypted. This includes all online transmissions such as email, social media and instant messaging.

Cardholder data should never be sent to unknown locations or without encryption.

It’s also vitally important to encrypt any backups or offline storage methods as well.

5) Use, maintain and regularly update anti-virus software

You must have anti-virus software installed on all systems that store or process cardholder data, such as Primary Account Numbers.

This software must be kept up-to-date at all times to ensure it can protect against the latest threats.

You should also have a system in place to regularly scan devices for viruses and malware.

6) Update and patch systems regularly

You must keep all systems that store or process cardholder data up-to-date with the latest security patches. This includes firewalls, anti-virus software, operating systems, applications and firmware.

Not only does this help to protect against known threats and ensure maximum security of sensitive data, but it also helps to reduce the chances of unknown vulnerabilities being exploited.

7) Restrict access to cardholder data

You must have strict controls in place to limit access to cardholder data. Only authorised personnel should have access to this data and all access must be logged and monitored.

Any user with access to cardholder data should have their own unique login credentials that are regularly changed.

8) Assign a unique ID for access to data

Each person with access to cardholder information should have a unique ID assigned to them.

Under no circumstance should there be a single login to encrypted data where multiple employees have access to both the username and password. All user activity should be logged and monitored for any suspicious activity.

This measure helps to ensure that only authorised personnel have access to systems and data, creating more security and quicker response times if data is compromised.

9) Restrict physical access to workplace and cardholder data

You must have physical security measures in place to protect against unauthorised access to systems and data. This includes things like entry control, locked rooms, mantraps and CCTV.

Access to physical records, whether handwritten or printed, should be logged and monitored. Such records must be kept in a locked, secure room, drawer or cabinet, with access limited to those who need it.

10) Create and maintain log management

Proper record keeping and documentation of sensitive data is one of the most important yet overlooked aspects of PCI DSS compliance.

All activity surrounding cardholder data and Primary Account Numbers must be logged. This includes things like user logins, file changes, application activity and system events.

These logs should be regularly reviewed and any suspicious activity should be investigated immediately.
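Requirements 8 and 10 above only pay off if someone actually reads the logs. As an added example (not code from the original post or from Trust Hogen), the script below reviews a handful of constructed cardholder-data-environment log lines for the kinds of activity the post says should be investigated: repeated failed logins, a shared or generic account touching PAN (which requirement 8 forbids), PAN access outside business hours, and changes to configuration files. The log format, field names, account names and thresholds are all assumptions made for the example.

```python
"""Review of constructed cardholder-data-environment log lines for activity that
should be investigated. Added example, not code from the original post or from
Trust Hogen. Log format, field names and thresholds are assumptions."""
from collections import Counter
from datetime import datetime, timezone

# Generic accounts that must never touch cardholder data (requirement 8: one
# unique ID per person). Names are assumptions for the example.
SHARED_ACCOUNTS = {"admin", "root", "shared-pos", "guest"}
FAILED_LOGIN_THRESHOLD = 3          # assumption: three failures is worth a look
BUSINESS_HOURS = range(7, 20)       # assumption: 07:00 to 19:59 UTC

# Constructed sample lines; not real data.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=alice action=login result=fail src=10.0.0.5
2024-03-01T09:12:09Z user=alice action=login result=fail src=10.0.0.5
2024-03-01T09:12:15Z user=alice action=login result=fail src=10.0.0.5
2024-03-01T09:13:00Z user=alice action=login result=ok src=10.0.0.5
2024-03-01T10:40:41Z user=shared-pos action=view_pan result=ok src=10.0.1.7
2024-03-01T11:02:19Z user=bob action=view_pan result=ok src=10.0.0.9
2024-03-02T03:15:44Z user=bob action=export_pan result=ok src=10.0.0.9
2024-03-02T03:16:02Z user=carol action=file_change result=ok path=/etc/pan-db.conf
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a timezone-aware 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review(log_text: str) -> list:
    """Return (finding_type, user, detail) tuples for the log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Requirement 8/10: repeated failed logins per user.
    fails = Counter(e.get("user") for e in events
                    if e.get("action") == "login" and e.get("result") == "fail")
    for user, count in fails.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, count))

    for e in events:
        user = e.get("user", "")
        touches_pan = e.get("action", "").endswith("_pan")
        # Requirement 8: a shared account accessing PAN cannot be tied to a person.
        if touches_pan and user in SHARED_ACCOUNTS:
            findings.append(("shared_account_pan_access", user, e["action"]))
        # Requirement 10: PAN access at odd hours deserves a look.
        if touches_pan and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("out_of_hours_pan_access", user, e["ts"].isoformat()))
        # Requirement 10: file changes to system configuration are logged events.
        if e.get("action") == "file_change" and e.get("path", "").startswith("/etc/"):
            findings.append(("config_file_change", user, e["path"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A real deployment would feed these checks from a central log collector rather than a string, and would add the one thing this example cannot show: alerting on the absence of logs, since a host that stops reporting is as much a finding as one that reports something odd.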

11) Scan and test for vulnerabilities

You must regularly scan and test all systems for vulnerabilities. This includes things like external and internal network scans, application security testing and penetration testing.

Any vulnerabilities that are found must be promptly addressed to reduce the chances of data being compromised.

12) Document policies

You must have written policies and procedures in place surrounding the handling of cardholder data. This includes things like data retention, employee training, security incident response and vendor management.

These policies should be reviewed and updated regularly to ensure they are up-to-date with the latest industry best practices.

Get PCI DSS compliant with Trust Hogen

Thank you for reading our PCI DSS compliance guide! We hope you enjoyed it.

Now you know who is affected by PCI DSS compliance, it’s time to make sure your company is ticking the correct boxes.

Trust Hogen is a leading independent managed security service provider (MSSP) offering a highly effective PCI DSS service so you can keep your customers’ sensitive credit card information safe.

You could start your journey to PCI DSS compliance by contacting Trust Hogen today and a member of our team will get back to you shortly.