Payment Card Industry Data Security Standard (PCI DSS)
Protecting your customers, securing the industry
PCI DSS is a set of 12 requirements designed to secure and protect customer payment data, as most security breaches could be avoided if merchants:
- Remove sensitive authentication data and limit data retention
- Protect the perimeter, internal and wireless networks
- Secure applications
- Protect through monitoring and access control
Setting the standard for security
To date, criminals have stolen millions of customer card records, leaving the industry facing the increasing threat of data theft.
That's why card payment companies joined forces to create the Payment Card Industry Data Security Standard (PCI DSS) with the aim of safeguarding sensitive card data.
By implementing the standards, businesses are protected against:
Businesses that rely heavily on the internet are financially vulnerable to any loss of connectivity. This threat can be reduced and even prevented by building and maintaining a secure network that's protected by one or more firewalls.
Installing up-to-date antivirus software to help resist Trojans and other malicious viruses protects data that's been entered, stored, processed and maintained by merchants.
By protecting and encrypting cardholder data that's in transit across public networks, private details such as name, address, account number and expiry date are kept hidden.
By using secure internal access controls, businesses and service providers can protect cardholder data from dishonest insiders and external fraudsters.
To prevent 'defacement' where a slight alteration of web data entry forms deceives customers into revealing sensitive data, companies must be adequately protected by their network.
Constant monitoring of activity prevents critical log and audit information being tampered with or erased and allows attacks to be traced back to source.
With correct measures in place, businesses can avoid having illegal pornography or pirate movies copied onto their business computers.
Does PCI DSS apply to you?
If you store, process or transmit any cardholder data electronically or manually, then your business needs to comply.
- You're allowed to store primary account numbers, cardholder names, service code and expiry dates, provided they're protected in line with PCI DSS requirements.
- You're not allowed to store the following and if you are, must remedy the oversight
- Full magnetic stripe – track 2
- PIN/PIN block
- Sensitive authentication data, even if encrypted
Why your business needs to comply
At Barclaycard, it's our duty to regularly report to VISA and MasterCard, letting them know the status of merchants' compliance with PCI DSS. Based on these reports, they select businesses to investigate, with those found to be non-compliant facing fines and fraud costs.
That's why complying with PCI DSS should be seen as an insurance policy, protecting your business from the financial costs of failing to secure card data.
Furthermore, working towards compliance helps improve your processes, allowing you to operate more securely.
Ensuring that third-parties are compliant
Since PCI DSS covers your entire trading environment, all third-party partners that store, process or transmit data must also comply before you can achieve full compliance.
Third parties include:
- Till vendors
- EPOS vendors
- Software application providers
- Payment service providers
- Payment processing bureaux
- Data storage providers
- Web hosting providers
- Shopping cart providers
- Software vendors
Visa Europe and MasterCard maintain independent lists of Third Parties and you should use these when undertaking your own due diligence regarding which partners you wish to engage with.
PCI DSS Standards
12 requirements that meet the standards
PCI DSS features a group of principles and a set of requirements that aim to safeguard sensitive card data across the card payment industry:
Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Don't use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy
- Maintain a policy that addresses information security
The process of complying
Stages of compliance
Complying fully with PCI DSS is a 5 step process, with each stage determined by a merchant's status and actions:
- Unable to make contact
- Merchant either unwilling or unable to progress
- Contacted by acquirer
- Gap analysis in progress
- Has a Qualified Security Assessor (QSA) or an agreed Independent Assessment
- Gap analysis complete and preparing remediation plan/seeking budget
- Performing network scans, using an Approved Scanning Vendor (ASV)
- In progress
- Has QSA or agreed Independent Assessment
- Completed gap analysis
- Action plan and remediation plan in place
- Indication of final audit date
- Passing quarterly network scans, using an ASV
- Internal Audit Completed and passed (Level 1)
- Successfully completed SAQ (Level 2-3-4)
- Passing quarterly network scans, using an ASV
Once you're compliant, you and all your third-party partners must continue to adhere to PCI DSS. This involves renewing your compliance certificate every year and completing an annual onsite security audit or Self Assessment Questionnaire.
If you trade online, you need to continue performing and passing quarterly scans by an Approved Scanning Vendor.
What level of merchant are you?
Whether you just process a few payments or accept millions of them a year, your business is one of 4 levels of merchants, for PCI DSS purposes. Your level is based on the following criteria and actions you need to take:
|Level||Types of businesses||Actions required for compliancy|
Businesses in e-commerce
If your cardholder data is processed online you may have to complete, and pass, quarterly network scans. A scan would be conducted for each external IP address that processes cardholder data and has to be validated by an Approved Scanning Vendor (ASV).
These checks are necessary as using a compliant payment service provider (PSP) is no guarantee that you've implemented their solution in a compliant way.
How to find a compliant PSP
One way to simplify your compliance journey is using a Payment Service Provider (PSP) that provides hosted payment pages that are already compliant, as Barclaycard does.
Our ePDQ products are all compliant with PCI DSS and offer several benefits for your business.