PCI DSS Beginner’s guide
What is PCI DSS?
The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of requirements that explain how to protect you and your customers when taking payments. These are industry-wide requirements, and so any supplier that takes payments for you will expect you to take the PCI DSS seriously.
When you take card payments, your customers are trusting you with their valuable details and assume you’re keeping them out of the hands of fraudsters. Meeting the requirements of the PCI DSS can help you do just that.
What happens if I don’t meet the PCI DSS?
When you first start taking payments, you’ll have 90 days before you need to meet the requirements of the PCI DSS. After that, you’ll need to keep meeting the requirements and show you’re doing so at least once a year.
If you can’t prove that you’re protecting your customers’ cardholder data, the results could be serious for both you and your customers, such as:
- financial penalties and charges
- damage to your business’ reputation and loss of customer trust
- money stolen from your customers
- your customers’ identities stolen
How do I meet the requirements of the PCI DSS?
Unfortunately, there’s no straightforward answer to this. Meeting the requirements of the PCI DSS depends on how complex your business is, and the data security measures you already have in place. In fact, you may already be meeting the requirements and not realise.
Meeting the requirements isn’t just a one-off task – you’ll need to take measures regularly to make sure you’re still meeting the rules.
Fraudsters are known to target the weakest businesses, regardless of whether they are large corporations or small local businesses. The easiest targets are those who aren’t meeting the PCI DSS, so it makes sense that adopting the requirements will put you in a stronger position to prevent attacks.
Every business is different, but here are some examples to give you an idea of what’s involved:
Example 1: Sharon’s corner shop – a simple payment system
Risks / threats
Solution (meeting the PCI DSS)
• Make sure you destroy any till receipts that customers leave behind
• Don’t forget to lock away your till receipts
• Keep a close eye on your card machines. Inspect for unusual damage or changes. And make sure you install the security updates provided by your vendor (if your machine comes from Barclaycard, simply leave it powered on overnight so it can perform the monthly ‘maintenance call’)
• Keep till receipts locked in a safe environment, and make sure you remove any cardholder data which you don’t need, such as the long card number
Example 2: a more complex system
• Gareth has his own website
• When customers check out, they’re sent to a payment page, which is run by a third-party provider
•This third party processes the payment, then sends an authorisation back to Gareth’s web servers to confirm payment
• No cardholder data is ever held on Gareth’s servers
Risks / threats
• If Gareth’s website has poor security such as easy-to-guess passwords, hackers could get his cardholder data, even though Gareth doesn’t intend having any customer data on his servers in the first place
• Fraudsters could get his cardholder data by hacking into the servers of his third-party providers
Solution (meeting the PCI DSS):
• Use strong, hard-to-guess passwords
• Install the latest security patches from your vendors, such as your website hosting company
• Install anti-virus software on computers and keep the software up to date
• Choose third-party providers that meet the PCI DSS
• Ask your technology suppliers for help if you need it
Getting assessed for meeting the requirements of the PCI DSS
Again, every organisation is set up differently and therefore needs to be judged on an individual basis. What you’ll need to do to meet the requirements depends on the kinds of security risks that your business faces.
Many small-and medium-sized businesses can prove they meet the requirements of the DSS by filling out a Self-Assessment Questionnaire. At Barclaycard, we provide a portal called Data Security Manager to help our customers with this process.
You can also choose to have an official Qualified Security Assessor examine how you take payments, but this usually applies to larger organisations due to the costs and level of transactions involved.
If you’d like more detail about meeting the requirments of the PCI DSS, visit our help & support page.
Are there any costs in meeting the requirements of the PCI DSS?
There may or may not be costs involved in meeting the requirements of the PCI DSS, as it depends on how complex your set up is. For example, the security measures you have now and how much you need to change them to meet the requirements.
There are four types of PCI DSS costs you may have to pay:
• PCI DSS validation costs, such as assessment fees or support fees
• technology upgrades, such as anti-virus software for your work computers or mobile devices
• keeping to the requirements of the PCI DSS, such as training staff on PCI DSS procedures
• miscellaneous costs, such as buying a paper shredder
For more detail on PCI DSS costs, please visit our help & support page.