How to become PCI DSS compliant

In this guide, you’ll learn the following (click to scroll to that section):

What level of compliance is right for your business?
How to comply with the PCI DSS
How we can help you become compliant
How much PCI DSS compliance costs

If you’re taking card payments, you’ve already committed to ensuring your systems and policies are secure to the Payment Card Industry Data Security Standard. (For more background on PCI DSS and why it’s important, read our guide: What is PCI DSS?)

Get the right level of compliance for your business

Different businesses will need to comply with different levels of PCI DSS, depending on the volume of transactions they process. This is called a ‘merchant level’, and the definitions of these levels are outlined below.

Please also note that we list some examples of how merchants can comply, but their individual needs will have specific requirements set out by a ‘PCI Security Standards Council (SSC) accredited Qualified Security Assessor’.

Level 1 merchants

What qualifies a merchant as level 1?

· Any merchant processing over six million transactions per year via Visa or MasterCard
· Any merchant who has had a data breach

How can level 1 merchants comply?

· Yearly on-site security assessment by a PCI SSC-accredited Qualified Security Assessor, or Internal Security Assessor, with a subsequent report on their compliance
· Quarterly network scans (if they take payments online)
· Yearly penetration testing
· Implemented security policies

Level 2 merchants

What qualifies a merchant as level 2?

Any merchant processing one to six million Visa or MasterCard transactions a year.

How can level 2 merchants comply?

· Yearly on-site security assessment by a PCI SSC-accredited Qualified Security Assessor, or Internal Security Assessor, with a subsequent report on their compliance
· Quarterly network scans (if they take payments online)
· Yearly penetration testing
· Implemented security policies
· If your organisation is completing an annual Self-Assessment Questionnaire (SAQ), make sure any staff involved in the self-assessment attend PCI Security Standard Council merchant training programmes, and also that they pass any yearly associated accreditation programmes

Level 3 merchants

What qualifies a merchant as level 3?

Any merchant processing 20,000 to one million Visa or MasterCard online transactions per year.

How can level 3 merchants comply?

If you qualify as a level 3 merchant, you fall in to the ‘self-assessment’ category.

If you’re a Barclaycard customer doing a self-assessment, you can use our online service, Data Security Manager, to complete all of your PCI DSS-related tasks, as well as prove your compliance each year.

If don’t want to use our online service, you can use another PCI DSS Assessor. In this method, you’ll still need to prove your compliance by uploading your completed Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AOC) to our online service, Data Security Manager.

You may also be required to run quarterly vulnerability scans as part of your compliance validation. This can be done in two ways:

Scans performed using Barclaycard’s Data Security Manager online portal, or
Scans performed by an Approved Scanning Vendor (ASV), then uploading to the portal a technical report that proves your systems have passed the scan.

Level 4 merchants

What qualifies a merchant as level 4?

· eCommerce-only merchants processing fewer than 20,000 Visa or MasterCard transactions per year, or
· Non-eCommerce merchants processing up to one million Visa or MasterCard transactions per year.

How can level 4 merchants comply?

If you qualify as a level 4 merchant, you fall in to the ‘self-assessment’ category.

You may also be required to run quarterly vulnerability scans as part of your compliance validation. This can be done in two ways:

Scans performed using Barclaycard’s Data Security Manager online portal, or
Scans performed by an Approved Scanning Vendor (ASV), then uploading to the portal a technical report that proves your systems have passed the scan.

How to comply with PCI DSS

There are twelve general requirements that form the PCI Data Security Standard (taken from the PCI SSC website):

Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel

After assessing your payment environment, your compliance assessor will give you specific actions you need to take, all of which will be based these around twelve principles.

How we can help with your compliance

Barclaycard customers get the following PCI DSS compliance benefits:

· A dedicated Payment Security team who are happy to help with any queries you have
· For Level 1 and level 2 merchants, we assign you a Payment Security Manager, who will support you throughout the PCI DSS compliance process
· For Level 3 and 4 merchants, we offer the Barclaycard Data Security Manager. This online portal guides you through the self-assessment process, providing suggested actions that may support achieving compliance. For more information, see the section below.
· All of our services are backed up by a range of leaflets, online information and white papers providing straightforward information about the PCI DSS, payment security and fraud.
· We also have a PCI DSS compliant online payments solution, and have members on the PCI SSC Advisory Board, providing a voice for merchants

Barclaycard Data Security Manager

Data Security Manager is our online portal¹ which provides level 3 and 4 merchants with all the tools and resources they need to be able to report their PCI DSS compliance each year.

For just £2.40 per month, per billing address, you get:
· Access to the online portal. The portal takes you step-by-step through registration, profiling your business, completing the assigned Self-Assessment Questionnaire (SAQ), and completing your Attestation of Compliance.
· Access to a team of trained advisors. You can speak to us via the portal’s live chat feature, or by phone if you have any issues or questions.
· Access to a Qualified Security Assessor (QSA) as a referral, if needed.
· Access to quarterly vulnerability scans to help you stay compliant with PCI DSS, if you need it.

To find out more about how Data Security Manager can help you, call 0844 811 0089 (Mon-Fri, 8am-8pm, and Sat 9am–12pm).

¹Minimum browser requirement: Microsoft Internet Explorer 8, Firefox 4.0 and Safari 5.0 and above. Flash Versions: Adobe Flash Player 8 and above or Adobe Flash Player Plugin for Firefox. The Data Security portal is an online service. If you do not have access to the internet, please call the Data Security Helpdesk on 0844 811 0089.

How much does it cost to become PCI DSS compliant?

Unfortunately, there’s no simple answer to how much it costs to become compliant with the PCI DSS. It all depends on the security you have in place at the moment, and how much it needs to change for you to become compliant.

PCI DSS compliance costs typically fall into three categories:

Technology upgrades, such as applications, networks, firewalls and monitoring tools
Validation costs, such as assessments, audits and network scans
Compliance maintenance, including keeping up with the development of the standard and information security, checking policies are in place and being adhered to, and making sure documentation is up to date

Complying with PCI DSS isn’t just about ticking boxes. Any changes you make in order to comply also mean you’re upgrading the security and efficiency of your systems, so you can attribute these to your bottom line as infrastructure costs, as opposed to a PCI DSS entry.

The total cost for these upgrades will vary depending on the size, scope and setup of your organisation. Typical expenses for PCI DSS validation would be:

On-site audits

These are mandatory for Level 1 merchants, or merchants who have been compromised. An on-site audit needs to be performed by a Qualified Security Assessor (QSA), or a qualified internal assessor. This could cost upwards of £10,000.

The final cost depends on how much work the QSA has to do, and whether you have the right level of information security resources in house.

Self-Assessment Questionnaires (SAQs)

At Barclaycard, we require all Self-Assessment Questionnaires to be validated by a QSA. For Level 3 or 4 merchants, you can use Barclaycard Data Security Manager to validate your compliance online.

If you’re a Barclaycard customer and you want to use a different supplier for your self-assessment, you will still need to prove your compliance by logging into Barclaycard Data Security Manager and uploading your completed SAQ or signed Attestation of Compliance (we can’t accept paper copies).

Network vulnerability scans

Network vulnerability scans need to be done by an Approved Scanning Vendor. These tend to cost around £100 per external facing IP address.

Customers using Barclaycard Data Security Manager get scans for up to 10 IP addresses included in their monthly management fee.

The cost of non-compliance

While it may seem expensive and painful to become PCI DSS compliant, a data breach can cost far more than the cost of compliance. Sometimes costs can run into the millions, and even result in bankruptcy. Not to mention the potential damage to your organisation’s reputation.

Third party compliance

If you’re a merchant

It’s not just your business that needs to be PCI DSS compliant. If any third party suppliers handle your cardholder data, they also have to comply with PCI DSS.

Ask yourself this:

· Do any of my suppliers directly or indirectly process, store or transmit my customers’ cardholder data?
· Do they have an impact on the security of my customers’ cardholder data?

If the answer to either of these questions is yes, the PCI DSS also extends to these suppliers. So if any third party suppliers aren’t proven to be compliant, and there’s a data breach involving your customers’ cardholder data, you will share responsibility for any damages. That’s why it’s important to only work with PCI DSS-compliant suppliers.

Third parties may include those that supply:

· Hardware. Tills, EPOS systems, card machines/POS systems/PDQ machines
· Software. Online shopping carts, billing platforms
· Hosting. Web hosting, data storage, data transmission
· Processing. Payment service providers, payment processing bureaux, payment gateways

If you’re a third party supplier

If you’re a third party (or if you work with a third party) who supplies services that could impact the security of cardholder data, you need to take the following steps:

Register with the card schemes and inform them of your PCI DSS compliance:
- Register as a Third Party Agent with Visa
- Register as a Service Provider with MasterCard
Make sure you have an enforceable agreement with the merchant, acknowledging that each party (Service Providers/Merchant Agent/Third Party) is responsible for their security of payment card data under their respective control, as required by the PCI DSS.
Create an incident response plan for the event of a system breach. Find out more about how to respond to a data breach.
Implement the incident response plan, and be prepared to respond immediately to a system breach. If you suspect a compromise, notify the merchant immediately, so they can inform their acquirer, who will then tell the Card Schemes to take action

Payment applications

If you buy payment applications which store, process or transmit cardholder data, they must be compliant with the Payment Applications Data Security Standard. You can see a list of these officially validated applications on the PCI SCC website.

Latest news

Here are some good places for keeping up to date on what’s happening in the industry:

· Barclaycard News & Insights blog
· Read the headlines from Finextra Cards
· Get the latest from Finextra Payments
· View the blog articles on the PCI Security Standards website

If you don't have Adobe Reader installed on your computer, download it here for free:
Get Adobe Reader

FAQs

What are the guidelines surrounding PCI DSS and the storing of voice recordings?

If the data is recorded in an analogue format (i.e. on tape), and there’s no way to access this data other than by manually searching through it, then the tapes must be subject to the same level of security as normal paper transaction records. This means you must Restrict Access to the electronic data, track access through user IDs etc., and physically restrict access to the data media.

If you store the data electronically and it can be searched using any data mining or other automated methods, then you’ll need to apply the same access control methods as you would for any storage of digital media. You should remove the CVV2 check digits after authorisation, and ensure the PAN is unreadable using any of the accepted techniques.

I find it difficult to understand which PCI DSS Self Assessment Questionnaire (SAQ) to complete, can you help?

Barclaycard is not an accredited QSA, and so we’re not allowed to provide you with any advice about which SAQ you should complete. It’s your responsibility to make sure you complete the right SAQ and complete the eligibility section of the applicable SAQ.

We strongly recommend our smaller merchants call the Data Security Helpdesk on 0844 811 0089* to find out which SAQ is relevant to your business. The Data Security Helpdesk is backed by Sysnet Global Solutions, who is authorised by the Security Standards Council to give advice on which SAQ you need to complete.

Next up, we recommend reading How to deal with a data security breach.

If you have PCI DSS-related questions, please visit the official PCI SSC website.

Menu

How do I become PCI DSS compliant?