The Payment Card Industry Data Security Standard (PCI-DSS or PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Launched on December 15, 2004, it was formed to manage the ongoing evolution of the Payment Card Industry (PCI).
Here are the answers to some of the most frequently asked questions surrounding PCI DSS:
1. There are different levels of compliance
Organisations fit into different levels of compliance depending on the number of credit card transactions they handle per year:
- Level 1: A merchant processing over 6 million transactions per year
- Level 2: A merchant processing between 1 – 6 million transactions per year
- Level 3: A merchant processing between 20,000 and 1 million transactions per year
- Level 4: A merchant processing less than 20,000 transactions per year
2. Non-compliance could have significant ramifications on your organisation
If organisations aren’t taking relevant precautions to appropriately collect, process, store and re-use sensitive data, they will be at a much higher risk of a data breach. This can result in substantial fines that can be extremely damaging to your business, especially after the implementation of the General Data Protection Regulation (GDPR). Other outcomes can include increased transaction fees, being prevented from accepting card payments, large forensic investigation fees for establishing the cause of a breach, bad publicity, a damaged reputation and expensive compensation payments to customers. Becoming PCI compliant, or, more effectively, trusting a PCI level 1 third-party payment services provider, is a long-term solution for increasing the security of your business and network infrastructure.
3. All PCI compliant organisations need to prove they are following guidelines
There are different requirements depending on the merchant level your organisation falls into. However, all businesses will be asked to complete an Attestation of Compliance and to have a quarterly network scan conducted by an Approved Scanning Vendor (ASV). Level 1 merchants will also be required to produce a Report on Compliance (ROC), which is an annual on-site assessment completed by an independent Qualified Security Assessor (QSA). Those falling into other merchant levels must submit an annual Self-Assessment Questionnaire (SAQ).
4. An Attestation of Compliance needs to be signed
Whoever is in charge of compliance within your organisation, whether this is the Chief Financial Officer or the Head of Compliance, is required to complete an Attestation of Compliance form. There are different versions of the form dependent on the scope of your business, but it essentially certifies that all the relevant PCI requirements have been met.
5. If you’re a Level 1 organisation, only a QSA can verify that you are PCI DSS compliant
Qualified Security Assessors (QSAs) are independent security organisations that have completed the appropriate training from the PCI Security Standards Council and are able to validate an entity’s adherence to PCI DSS. You can find an up-to-date list of qualified QSAs on the PCI Security Standards Council’s official website.
6. The PCI DSS has specific SAQs for different types of organisations
Self-Assessment Questionnaires (SAQs) are completed by the business itself. They are a list of relevant questions that determine the security of your organisation when taking payments, and they differ depending on the type of business and the methods by which it processes transactions. For level 1 merchants and service providers, however, this works differently, as they will need an independent QSA to assess and validate their compliance.
7. Just because your software is PA-DSS certified, doesn’t mean you’re fully compliant
Payment Card Application – Data Security Standard (PA-DSS) certified software has already undergone the relevant checks to ensure it is PCI compliant. Although using this software assists with PCI DSS, it does not mean that organisations are absolved of their overall responsibility for ensuring their networks are safe and secure. Services are not included in the PA-DSS list; it covers only software applications or products.
8. There are simpler ways of becoming PCI compliant
By using a level 1 third-party PCI DSS payment solution provider, you can take a lot of the pressure away from your organisation when it comes to applying the appropriate levels of security. It’s often a very demanding and costly venture to become PCI compliant on your own, so by working with an already established PCI DSS compliant business to outsource and descope your payment services, you can remove your organisation’s network and environment from the scope of PCI DSS.
In some examples, you could be starting with 233 detailed requirements from a Self-Assessment Questionnaire (SAQ). By outsourcing and descoping your payment channels this can reduce your SAQ to 13 ‘yes’ or ‘no’ questions.
9. Outsourcing your payment systems to a PCI compliant provider doesn’t mean you’re not responsible for data security
The quarterly network scan and annual Attestation of Compliance still need to be completed, as the organisation itself is ultimately responsible for the overall security and safety of any data it captures, processes, stores or transmits. It’s essential to choose a level 1 payment service provider that will offer the best service possible, with the right experience and credentials, in order to avoid any possible problems.
10. PCI compliance isn’t going away
Cybercrime is almost unavoidable, with most organisations choosing to move their operations and offer front-end payment services online. Hackers are continuously on the look-out for new ways to steal personal data, so following the requirements of the PCI DSS can drastically limit their chances of success. PCI compliance isn’t going away, so it’s essential to ensure you know how to appropriately meet the guidelines.