What is PCI DSS and how does it affect me?


Written by Wayne Campbell

Published May 2018

In this article...

The Payment Card Industry Data Security Standard (PCI DSS) was established by the payment card schemes, as a unified standard, to baseline the minimum security requirements necessary to protect payment card data.

PCI DSS applies to all entities (other than the payment card schemes themselves - Visa, Mastercard, American Express, Discovery and JCB) that store, process and/or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Compliance to the PCI DSS is a contractual obligation between merchants and their acquiring bank, and between the acquiring bank and the payment card schemes. The acquiring banks are obliged under their agreement with the card schemes to report all their merchants compliance status either monthly, quarterly or annually, depending on the risk they present to the card schemes. This could be based on the merchant experiencing a data compromise, their period of non-compliance and/or the number of transactions they process.

What happens if I’m not PCI DSS compliant?

Failure to comply with PCI DSS means higher processing costs from your acquiring bank. Non-compliance in the event of a data compromise or data breach may also mean significant penalties and/or a 90 day notice to withdraw card processing facilities issued directly by the payment card schemes.

What advice and guidance do the payment card schemes provide?

The payment card schemes deliver their guidance and advice via the Payment Card Industry Standards Security Council (PCI SSC). The PCI SSC website is a primary source of PCI DSS related documentation. The links below take you directly to the current version of the Standard itself and the latest guidance on how the DSS should be applied to a merchants environment www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

What are the key themes within PCI DSS?

The PCI SSC’s Quick Reference Guide www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf, provides a good overview of the standard and is a good companion. The key theme of the PCI SSC is security first and ensuring that in the event of a data compromise, criminals have no payment Card Holder Data (CHD) or Sensitive Authentication Data (SAD) to steal. In his speech at the European PCI Summit in Berlin in November 2015, Stephen Orfei. GM PCI SSC described the Councils recommended approach as “Using technology to devalue the data. To get risk off the table.” That was backed up more recently by Troy Leach, the PCI SSC CTO when he was commenting on the new PCI DSS Scope Guidelines in December 2016 “If you can limit exposure of payment data in your systems, you simplify compliance and reduce the chance of being a target for criminals.”

How should that shape my approach to PCI DSS compliance?

What that means is that the scope of PCI DSS is reduced if Cardholder Data (CHD) and Sensitive Authentication Data (SAD) are not stored, processed and/or transmitted within your environment. Should that be achieved, then PCI DSS Requirements 1 to 11 may not need to be applied as no Card Data Environment exists and ONLY Requirement 12 applies. This approach significantly reduces the time, cost and effort in achieving and maintaining PCI DSS compliance.

How do I achieve PCI DSS compliance?

Merchants processing more than one million Visa transactions per annum can achieve PCI DSS compliance by being externally audited by a Qualified Security Accessor (QSA) a list of is available on the PCI SSC website. The QSA will complete a Record of Compliance (RoC) and certify compliance by completing an Attestation of Compliance (AoC). For those merchants processing less that one million Visa transactions per annum, they can self-certify compliance by completing the appropriate Self-Assessment Questionnaire (SAQ) and the appropriate AoC. Help is understanding which SAQ to complete can be found within the PCI DSS Guidance document.

WARNING - Whilst PCI DSS compliance is certified annually, it is not a payment card security MOT. Far from it. The DSS focuses on the constant monitoring of payment card (CHD and SAD) security, which may put significant and additional corporate governance obligations on the entity you represent.

How can Pay360 help?

Pay360 can take the pain out of PCI DSS compliance.

We believe that you want to serve your customers and maximise every sales and payment opportunity. That means providing you with the ability to make sales and take payments across all the available communication channels (face to face, over the phone, via web chat and social media and via direct mail). Pay360 can help you maximise your payments opportunities across all channels in a way that reduces the time, cost and effort you spend achieving PCI DSS compliance.

We do that by making available and helping you deploy proven technologies that “take risk off the table”, “devalue the data” and “simplify compliance” across all your customer communication channels.

The first step is letting us help you understand where you are in your PCI DSS compliance journey and how you can optimise your approach to achieving PCI DSS compliance.