-

Beginner’s guide to PCI DSS

What is PCI DSS?

The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of requirements which explains how to protect yourself and your customers when taking payments. These are industry-wide requirements, and so any supplier that takes payments for you will expect you to take PCI DSS compliance seriously.


What happens if I don’t comply with PCI DSS?

If you want to take card payments, you’ll need to become and remain compliant with PCI DSS requirements. 

If you can’t prove that you’re protecting your customer’s cardholder data, there could be negative consequences for both you and your customer, such as: 

  • Financial penalties and charges
  • Damage to your business’ reputation and loss of customer trust
  • Stolen funds from your customer
  • Stolen identity of your customer

How do I become PCI DSS compliant?

Unfortunately, there’s no straightforward answer to this. Becoming PCI DSS compliant depends on the complexity of your payments environment, and the data security measures you already have in place. In fact, you may already be compliant and not realise!

Fraudsters are known to target the weakest businesses, regardless of whether they are large corporations or small local businesses. The easiest targets are those who aren’t compliant with the PCI DSS, so it makes sense that compliance will put you in a stronger position to prevent attacks.

Every business is different, but here are some examples to give you an idea of what’s involved:

Example 1: Sharon’s corner shop – a simple payment system 

Set up:

  • The card machine is connected via the telephone line
  • Paper receipts are printed and handed to customers
  • Till reports are stored in a box underneath the till 

Risks / threats:

  • Card machines can be tampered with by fraudsters in order to steal data
  • Paper receipts can contain cardholder data; e.g. the long number on someone’s card (known as a primary account number)

Solution (PCI DSS compliant):

  • Ensure any customer till receipts left behind are destroyed
  • Ensure any merchant till receipts are locked away
  • Keep a close eye on your card machines. Inspect for any questionable damage or changes. And make sure they receive the security updates provided by your vendor (if your machine comes from Barclaycard, simply leave it powered on overnight so it can perform the monthly ‘maintenance call’)
  • Keep till reports locked in a safe environment, and make sure you remove any cardholder data which you don’t need (e.g. long card number)

Example 2: a more complex system 

Set up:

  • Gareth has his own website 
  • When customers check out, they’re directed to a payment page, which is managed by an outsourced 3rd party provider
  • This 3rd party processes the payment, then sends authorisation back to Gareth’s web servers to confirm payment 
  • No cardholder data ever touches Gareth’s servers

Risks / threats:

  • If there are vulnerabilities on Gareth’s website (for example: easy-to-guess passwords), hackers could intercept cardholder data, even though the intended process is to not have any cardholder data on Gareth’s servers in the first place
  • 3rd party provider’s servers could get hacked, also intercepting customer data 

Solution (PCI DSS compliant):

  • Use strong, hard-to-guess passwords
  • Install latest security patches from your vendors (e.g. website hosting company)
  • Install anti-virus software on computers and keep the software up to date
  • Choose 3rd party providers that are PCI DSS compliant
  • Ask your technology suppliers for help if you need it 

Getting assessed for PCI DSS compliance

Again, every organisation is set up differently and therefore needs to be assessed on an individual basis. What you’ll need to do to become compliant is dependent on the kinds of security risks that your business faces. 

Many small- and medium-sized businesses can prove their compliance with PCI DSS by filling out a Self-Assessment Questionnaire. At Barclaycard, we provide a portal called Data Security Manager to help our customers with this process.

You can also choose to have your payment environment assessed by an accredited Qualified Security Assessor,  but this usually applies to larger organisations due to the costs and volume of transactions involved. 

If you’d like more detail about PCI DSS compliance, visit our help & support page.

Are there any costs in becoming PCI DSS compliant?

There may or may not be costs involved in becoming and maintaining PCI DSS compliance, depending on the complexity of your set up. For example, the security measures you have in place at the moment and how much they need to change in order for you to become compliant.

PCI DSS costs typically fall into four categories:

  • PCI DSS validation costs; such as assessment fees or support fees
  • Technology upgrades; such as anti-virus software for your work computers or mobile devices (if applicable)
  • Upkeep of PCI DSS compliance; such as training staff on PCI DSS procedures 
  • Miscellaneous costs; such as buying a paper shredder 

For more detail on PCI DSS costs, please visit our help & support page.