If your organisation accepts, processes, stores or transmits card payments, the chances are you’ve heard of the Payment Card Industry Data Security Standard (or PCI DSS or PCIDSS as it is commonly known), but what is PCI DSS?
It’s your responsibility to ensure that your customers’ payment data, such as card numbers and other forms of “Sensitive Authentication Data” (SAD), is safeguarded from exposure to contact centre agents, from fraudulent attacks (internal and external) and from other security breaches. By achieving PCI compliance and adhering to the comprehensive requirements of PCI DSS, your organisation can be confident that it is improving the safety of its customers’ data and the way payments are processed.
In addition, the General Data Protection Regulation (GDPR) sets strict guidelines on how personal information is stored and transmitted. Companies experiencing data breaches face fines from the Information Commissioner’s Office (ICO) of up to €20m (approximately £17.5 million) or 4% of turnover, whichever is greater.
If you accept, process, store or transmit card data then PCI DSS affects your organisation. Cardholder data is continuously at risk of theft from hackers that are on the lookout for a way to exploit weaknesses in your organisation. So, no matter the size of your business, PCI DSS is there to protect your customers and their data, assisting in the prevention of a data breach which could have a huge impact.
The security standard was launched on 15 December 2004 by Visa, Mastercard, American Express, Discover and JCB, who formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) standards.
The PCI SSC continues to administer the guidelines with a focus on improving payment account security throughout the transaction process. However, it is the payment brands and acquirers, not the PCI SSC, that are responsible for enforcing compliance and are able to issue fines and restrictions on your ability to accept card payments.
The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
To be PCI compliant, an organisation must meet a set of 12 requirements defined by the PCI Security Standards Council (PCI SSC), designed to ensure the highest level of protection for any data used throughout the transaction process of a payment, whether that process is manual or electronic. Organisations that adhere to these requirements dramatically improve their defences against malicious attacks, including internal risks.
There are specific reporting requirements based on your organisation’s merchant level, which is determined by the number of transactions made over a year:
- Merchant Level 1: on-site assessment by a Qualified Security Assessor (QSA)
- Merchant Levels 2–4: self-assessment via the Self-Assessment Questionnaires (SAQ)
At every level you must also have a quarterly network scan by an Approved Scanning Vendor (ASV) and complete an Attestation of Compliance (AOC) form.
All organisations fall into one of four merchant levels based on transaction volume over a 12-month period. The four levels of PCI compliance are:
- Level 1: a merchant processing over 6m Visa and Mastercard transactions per annum
- Level 2: a merchant processing between 1m and 6m Visa and Mastercard transactions per annum
- Level 3: a merchant processing between 20k and 1m Visa and Mastercard transactions per annum
- Level 4: a merchant processing fewer than 20k Visa and Mastercard transactions per annum
Any merchant that suffers a breach involving card payment data can be escalated to a higher compliance level.
Although PCI DSS is not a legal requirement, it is mandatory if your organisation wishes to process transactions with the major card schemes. Here are some of the potential drawbacks and penalties that could occur if you do not maintain PCI compliance:
- Fines and penalties ranging from £3,000 to £6,000
- Lost confidence, so customers go to other merchants
- Diminished sales
- Cost of reissuing new payment cards
- Data breaches and fraud losses
- Legal costs, settlements and judgments
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
- Going out of business
- Higher subsequent costs of compliance
The bottom line is that if you’re not compliant and you experience a data breach, your acquiring bank could choose to impose fines on you or restrict your ability to take card payments. This can have a huge impact on how you do business.
If you experience a data breach as a result of non-compliance with PCI DSS, you could also face investigation by the Information Commissioner’s Office (ICO) into your organisation’s compliance with the General Data Protection Regulation (GDPR), which can result in fines of up to €20m (approximately £17.5 million) or 4% of turnover, whichever is greater.
Firewalls protect your network by controlling and monitoring all incoming and outgoing traffic, blocking anything that may be harmful or untrustworthy. Maintaining your network firewall adds a crucial layer of security.
The default settings supplied by vendors when systems and networks are first installed can be easily exploited by attackers. These must be changed, and any non-essential default accounts disabled or deleted. This applies to all default passwords, without exception.
Appropriate data retention and disposal policies, procedures and processes should be implemented, with the storage of cardholder data kept to a minimum. Data that must never be stored after authorisation includes the full contents of the chip or magnetic stripe, the card verification number and the personal identification number (PIN). Any other cardholder data that is stored must be protected; encryption, truncation, masking and hashing are critical to ensuring that if a breach were to occur, attackers would not be able to read the contents of the data.
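The storage requirement above lists four techniques (encryption, truncation, masking, hashing) and a set of fields that must never be persisted. The following is an added example, not code from the page or from Key IVR, showing how a payment-capture layer can enforce that before anything reaches a database: it Luhn-validates the PAN, produces the masked display form (first six and last four digits), a truncated storage form (last four only), and a keyed-hash token in place of the full PAN, and it refuses any record that still carries Sensitive Authentication Data. The field names, the test PAN and the HMAC key are constructed for the example.

```python
"""Cardholder-data handling: validate, mask, truncate and tokenise a PAN,
and refuse to persist Sensitive Authentication Data (SAD).
Added example; not code from the page or from Key IVR."""
import hashlib
import hmac
import re

# Fields that PCI DSS says must never be stored after authorisation
# (full track data, card verification values, PIN / PIN block).
SAD_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a 13-19 digit PAN; catches typos and most random numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: only the last four digits are kept; the rest is discarded."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) as a lookup token. A plain unkeyed hash of a PAN can
    be brute-forced because the PAN space is small; the key must be held outside
    the database (e.g. an HSM or key-management service)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return the only fields that may be persisted from a captured payment record.
    Raises if the record still contains SAD or an invalid PAN."""
    leaked = SAD_FIELDS & set(record)
    if leaked:
        raise ValueError(f"record contains SAD that must not be stored: {sorted(leaked)}")
    pan = re.sub(r"[\s-]", "", record["pan"])     # strip the spacing a keypad or form adds
    if not luhn_valid(pan):
        raise ValueError("PAN failed length or Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_last4": truncate_pan(pan),
        "pan_token": tokenise_pan(pan, key),
        # Cardholder name and expiry are cardholder data too and may be stored
        # only under the same protection as the rest of this record.
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
    }


if __name__ == "__main__":
    # Constructed inputs: a well-known test PAN and a demo key.
    demo_key = b"constructed-demo-key-replace-with-managed-key"
    ok = {"pan": "4111 1111 1111 1111", "cardholder_name": "A N Other", "expiry": "12/29"}
    print(prepare_for_storage(ok, demo_key))
    bad = dict(ok, cvv2="123")
    try:
        prepare_for_storage(bad, demo_key)
    except ValueError as exc:
        print("rejected:", exc)
```

The check for SAD is deliberately a hard failure rather than a silent strip: if a CVV or track field ever reaches the storage layer, something upstream (an IVR, a web form, an agent desktop) is already out of policy and should be found, not papered over.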
Open, public networks include the Internet, wireless technologies (e.g. Bluetooth), general packet radio service (GPRS) and satellite communications. If data is transmitted through these open networks, strong cryptography and security protocols must be used to safeguard sensitive cardholder data.
Malware such as viruses, worms and Trojans poses a serious threat to your network security. Antivirus software should be installed to detect and remove all known forms of malware on the types of system commonly affected. Systems not commonly affected must be periodically evaluated to determine whether antivirus software is needed.
An organisation’s IT estate can comprise numerous software applications, either built and developed internally or externally by a third party. All of these are subject to security vulnerabilities, which should be identified, evaluated and ranked by risk. Software developed in-house should be built in accordance with PCI DSS, and security patches supplied by a third-party software vendor should be applied within a month of their release. By incorporating security best practice across your software and avoiding outdated and vulnerable applications, you can significantly reduce the number of exploitable weaknesses on your network.
A documented process and system should be implemented ensuring limited rights and access to critical data based on a ‘need to know’ basis by authorised personnel with clearly defined job responsibilities. ‘Need to know’ is defined in the PCI DSS as “when access rights are granted to only the least amount of data and privileges needed to perform a job”.
Identifying each network user allows systems not only to limit access to specific personnel based on their permissions, but also to establish a clear audit trail in the event of an incident (e.g. a data breach). A unique ID must be assigned to every user (non-consumer users and administrators alike) and managed according to documented policies and procedures.
Sites should have procedures that distinguish between internal personnel and visitors (e.g. consumers or external parties), and access to certain areas should be restricted to specific types of visitor. Storage, access and distribution of media should be properly controlled, and devices that capture payment card data through direct physical interaction with the card must be protected from tampering and substitution.
If a breach were to occur and system usage had not been appropriately logged, the breach could continue undetected because the incident cannot be properly identified. Logging mechanisms are therefore critical to preventing, detecting and minimising the impact of a data breach. Audit trail history should be retained for at least a year, with a minimum of three months of logs immediately available for analysis.
New vulnerabilities in systems and networks are regularly found and often exploited. It is essential that system components, processes and custom software are regularly tested so that weaknesses are found and remediated and the environment continues to deliver a high standard of security.
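The logging requirement cuts both ways: logs are needed for detection, but application and IVR logs are also one of the most common places full card numbers leak into storage that was never scoped for cardholder data. The following is an added example, not code from the page or from Key IVR, of a check a security team can run over log lines before they are retained: it finds 13-19 digit candidates (with or without the spaces or dashes a keypad entry adds), Luhn-validates them to avoid flagging transaction IDs and timestamps, replaces any real PAN with its masked form, and reports the line numbers so the source can be fixed. The log lines are constructed for the example.

```python
"""Find and redact PANs that should never have been written to a log.
Added example; constructed sample log lines, not from any real system."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; transaction ids and timestamps almost never pass it."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int      # 1-based line in the input
    masked: str       # first six + last four of the PAN that was found


def redact_pans(lines):
    """Return (redacted_lines, findings). Candidates that fail Luhn are left untouched."""
    redacted, findings = [], []
    for n, line in enumerate(lines, start=1):
        def repl(match):
            raw = match.group(0)
            digits = re.sub(r"[ -]", "", raw)
            if not luhn_valid(digits):
                return raw                       # e.g. a 16-digit transaction id
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding(n, masked))
            return masked
        redacted.append(CANDIDATE.sub(repl, line))
    return redacted, findings


# Constructed sample: two lines leak a (test) PAN, one carries a 16-digit non-PAN id,
# one is already masked correctly.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO payment.api order=78231 pan=4111 1111 1111 1111 amount=49.99",
    "2024-03-01T10:15:03Z INFO gateway txid=1234567890123456 status=approved",
    "2024-03-01T10:15:04Z DEBUG ivr session=ab12 dtmf=5555555555554444",
    "2024-03-01T10:15:05Z INFO payment.api order=78232 pan=411111******1111 amount=12.00",
]


def scan_sample():
    """Run the redactor over the constructed log and return its results."""
    return redact_pans(SAMPLE_LOG)


if __name__ == "__main__":
    clean, found = scan_sample()
    for f in found:
        print(f"line {f.line_no}: PAN written to log, masked to {f.masked}")
    print("\n".join(clean))
```

A finding here is an incident in its own right, not just a redaction: the line number points at the component (here a payment API and an IVR debug log) that is writing cardholder data outside the protected environment, and that component, not the log scrubber, is what needs fixing.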
To become PCI compliant, organisations must establish, publish, maintain and disseminate a Security Policy. This includes:
- A documented risk assessment process
- Usage policies for critical technologies
- A definition of security responsibilities for all personnel
- A formal security awareness programme
- An incident response plan for any system breach
Maintaining appropriate security of cardholder data is essential and affects everybody involved. Data breaches or data theft affects the entire payment card ecosystem.
- Customers can suddenly lose trust in the organisations or financial institutions that “allowed” the breach to happen, and their credit can occasionally be negatively affected. A breach can leave them with a lot to put right, including changing passwords, dealing with legal matters and moving banks.
- Organisations and financial institutions lose their credibility and, in the worst case, their business. Subject to numerous financial liabilities, they face a very long restoration process.
By becoming PCI compliant, organisations are not only protecting their customers, but they are protecting themselves. The PCI SSC say “Such standards help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day.”
For any organisation, becoming PCI compliant on your own can be a time-consuming and costly venture with a lot of room for error. Key IVR takes the pressure off: with established PCI DSS Level 1 compliant payment solutions, we help assess your systems and provide a secure platform to suit your organisation.
FCA regulations require any financial firm that provides services to consumers to record its phone calls for training and monitoring purposes, in order to prevent, detect and deter market abuse. The Payment Card Industry Data Security Standard (PCI DSS), on the other hand, states that to be compliant no sensitive card data may be recorded or stored by the organisation.
DTMF masking can help with PCI compliance while still adhering to FCA regulations: customers key their card number into their phone keypad rather than reading it aloud to a call agent. The masked DTMF tones cannot be decrypted, so the entire call can be recorded and stored in a compliant manner without logging sensitive data.
PCI-DSS considers any person, system, or piece of technology that touches payment information as “in-scope”. For example, call centre agents/customer service representatives (CSRs), telephony systems and the IT network and databases used to take payments are all in scope for compliance and should be reviewed as part of the 12 PCI-DSS requirements.
To reduce scope of compliance for your organisation and the number of PCI controls you would have to implement, you can decrease the number of staff and systems that are involved in card payment processing by outsourcing and “de-scoping” them to a dedicated 3rd-party provider offering PCI compliant payment systems, such as Key IVR. This can often lead to a quicker and cheaper journey to PCI compliance, allowing your organisation to focus on other business objectives.
Whatever stage of the PCI compliance journey you’re on, we can help. By providing a range of PCI compliant payment services that fit in with how your organisation operates, we can help descope a lot of the risk and requirements needed to achieve PCI compliance.
In some examples, you could be starting with 233 detailed requirements from a Self-Assessment Questionnaire (SAQ). By outsourcing and descoping your payment channels this can reduce your SAQ to 13 ‘yes’ or ‘no’ questions.
Simply want to know how to get started with your PCI compliance journey? Talk to us and we’d be happy to discuss how you currently take payments and what’s needed to descope and become compliant.
We’re trusted by hundreds of clients providing a range of payment services across agent assisted payments, automated telephone lines, SMS and more, processing over £1 billion annually. Our PCI DSS Level 1 v3.2 platform is constantly evolving to keep ahead of the latest PCI requirements, saving you time and money when compared to building and maintaining your own PCI environment.