How to become PCI DSS compliant

If you need to speak to an advisor you can call us on:
0844 811 6666
Monday - Friday 9am - 5pm

  • What's right for your business?

    The right compliance for your business

    If you’re accepting payments, you’ve already committed to being PCI DSS compliant – and to ensuring your daily processes are properly secure.

    Your merchant level dictates how you must validate and maintain your PCI DSS compliance (the 12 requirements themselves apply to every merchant). There are four levels, based on the number of Visa or MasterCard transactions you process each year; a merchant that has suffered a compromise is treated as Level 1 regardless of volume. Find yours below.

    Level 1

    Types of businesses:
    • Any merchant processing over 6 million Visa or MasterCard transactions a year
    • Any compromised merchant

    Actions required for compliance:
    • Annual onsite security assessment by a PCI SSC-accredited Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC)
    • Quarterly network scan (if in ecommerce)
    • Annual penetration testing
    • Implemented security policies

    Level 2

    Types of businesses:
    • Any merchant processing 1 to 6 million Visa or MasterCard transactions a year

    Actions required for compliance:
    • Annual Self-Assessment Questionnaire (SAQ) completed by a PCI SSC-accredited Internal Security Assessor (ISA)*, or an annual onsite security assessment by a PCI SSC-accredited QSA
    • Quarterly network scan (if in ecommerce)
    • Annual penetration testing

    * With effect from 30th June 2012, any Level 2 merchant choosing to complete an annual SAQ must ensure that all staff engaged in the self-assessment attend PCI Security Standards Council (SSC) merchant training programmes and pass any associated PCI SSC accreditation programme annually in order to retain the option of self-assessment for compliance validation.

    Level 3

    Types of businesses:
    • Any merchant processing 20,000 to 1 million Visa or MasterCard ecommerce transactions a year

    Actions required for compliance:
    If you are a Level 3 merchant you must use the Barclaycard Data Security Manager portal to either:

    1. Upload a Self-Assessment Questionnaire (SAQ) that has been validated by a Qualified Security Assessor (QSA) each year
    OR
    2. Complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year

    If, as part of your compliance validation, you are required to run quarterly vulnerability scans, they must be conducted by an Approved Scanning Vendor (ASV); this can be done using the Barclaycard Data Security Manager service. To see a list of ASVs, visit the PCI Security Standards Council website and search for ‘approved scanning vendors’. If you use another ASV you must upload the technical report demonstrating a pass status each quarter.

    Level 4

    Types of businesses:
    • Any merchant processing fewer than 20,000 Visa or MasterCard ecommerce transactions a year
    • All other merchants processing up to 1 million Visa or MasterCard transactions a year

    Actions required for compliance:
    The validation options for Level 4 merchants are the same as for Level 3: use the Barclaycard Data Security Manager portal either to upload a QSA-validated SAQ each year, or to complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year. Where quarterly vulnerability scans are required, they must be conducted by an ASV, either through the Data Security Manager service or through another ASV, in which case you must upload the technical report demonstrating a pass status each quarter.

  • What is PCI DSS compliance?

    An overview of the Payment Card Industry Data Security Standard (PCI DSS)

    PCI DSS (Payment Card Industry Data Security Standard) compliance is a framework which helps companies protect their customers’ cardholder data from theft or misuse. Its 12 requirements are grouped under six goals, listed below, to help you and your business achieve it.

    The 12 steps of compliance

    There are 12 requirements that make up PCI DSS compliance. They’re all designed to protect consumer cardholder account data during all aspects of storage, transmission and processing throughout the card payment industry.

    Build and Maintain a Secure Network and Systems

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    5. Protect all systems against malware and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy

    12. Maintain a policy that addresses information security for all personnel

  • Compliance support

    Choose the right security partner

    Selecting the right Qualified Security Assessor (QSA) to help you become PCI DSS compliant is an important decision. You should feel confident that they have the knowledge and expertise to get the job done. Their job is to help you:

    • define the scope of the project
    • identify the controls you need to put in place
    • discover where the gaps are
    • calculate the cost of achieving compliance

    Our commitment to your compliance

    Our dedicated team will help you manage fraud from an investigation, compliance and relationship perspective.

    • We aim to gather all the information necessary for you to gain and maintain PCI DSS compliant status, as well as providing expert advice and assistance
    • We have relationships with Qualified Security Assessors (QSA) and Payment Service Providers (PSP) to help with your PCI DSS compliance
    • We’ve teamed up with industry security specialists to offer you comprehensive payment security and protection against fraud at preferential rates
    • We ensure your transactions are safe, secure and compliant with industry standards
    • We are on the advisory board of the PCI Security Standards Council, providing a voice for merchants
    • We report Merchant compliance status regularly to the Card Schemes (Visa and MasterCard) as part of our commercial obligation to the Card Schemes
    • We seek to develop pragmatic and innovative solutions for your business
    • We produce a wide range of leaflets, online information and white papers on topical issues
    • All our SmartPay solutions are compliant with PCI DSS

    Barclaycard Data Security Manager

    We constantly strive to deliver innovative and practical ways to help businesses fight fraud, reduce their data security risks and meet their compliance obligations with the Payment Card Industry Data Security Standard (PCI DSS).

    We’ve listened to our merchants and looked at how we can improve the efficiency and effectiveness of the services we provide to help merchants manage and maintain their PCI DSS compliance. Our research led us to develop Data Security Manager, a ‘smart’ online portal[1]. It provides smaller merchants with all the tools and resources they need to help reach and maintain PCI DSS compliance, fully inclusive of vulnerability scanning requirements.

    About Data Security Manager

    This tool provides a quick and easy way of managing your PCI DSS compliance. It guides you through the validation requirements, and expert assistance is available, which can help protect you from the risks of a data compromise and the associated costs and penalties that could result.

    Benefits include:

    • Fully inclusive vulnerability scans should you require them, which could save you money 
    • Specially trained advisers who can provide you with individual assistance
    • ‘Smart’ on-line assistance with your Self Assessment Questionnaires (SAQs)
    • Management of all your scanning and reporting requirements
    • Proactive advice that could help save you time, effort and money
    • A dedicated Qualified Security Assessor (QSA) is available as a referral from the Data Security Manager Helpdesk on 0844 811 0089

    Please note that SecurityMetrics, the organisation we formerly used to manage and report our merchants’ PCI DSS compliance, is no longer our preferred security partner.

    A fee will be charged for Data Security Manager, based on your specific business. Further detail on the types of costs is provided in the Costs section.

    To find out more about the range of services that Data Security Manager can offer, please call our Data Security Helpdesk on 0844 811 0089 (lines open Mon-Fri 8am-8pm, and 9am-12 noon on Saturdays).

    [1] Minimum browser requirement: Microsoft Internet Explorer 8, Firefox 4.0 or Safari 5.0 and above. Flash versions: Adobe Flash Player 8 and above, or the Adobe Flash Player plugin for Firefox. The Data Security portal is an online service. If you do not have access to the internet, please call the Data Security Helpdesk on 0844 811 0089.

  • Costs

    How much does it cost to become PCI DSS compliant?

    There’s no straight answer to how much it costs to become PCI DSS compliant. You’ll find numerous estimates from industry leaders, but the specific cost for your business will probably be different. It will depend on the security measures you have in place at the moment and how much they need to change for you to become compliant.

    PCI DSS costs typically fall into three categories:

    • Technology upgrades – applications, networks, firewalls, monitoring tools
    • PCI DSS validation costs – assessments, audits, network scans
    • Compliance maintenance – keeping up with the development of the standard and information security, checking policies are in place and adhered to, and ensuring documentation is up to date

    The changes your business makes have an impact beyond PCI DSS compliance. Improvements to the security and efficiency of your IT systems are better treated as ordinary infrastructure investment than as a cost of PCI DSS alone.

    The total cost for these upgrades will vary from business to business depending on the size, scope and setup of the organisation. The typical expense for PCI DSS validation includes:

    • Onsite audits – performed by a Qualified Security Assessor (QSA) or a qualified internal assessor, these are mandatory for Level 1 merchants (and any compromised merchant) and could range from £10,000 to £50,000+. The final cost will depend on how much the QSA is required to be involved and whether your business has sufficient information security resources in-house
    • SAQs (Self-Assessment Questionnaires) – we require all SAQs to be validated by a QSA. In the past we accepted paper SAQs and found that a high number of merchants were not completing the forms correctly, remaining non-compliant without knowing it. If you are a Level 3 or 4 merchant, please use Barclaycard Data Security Manager to validate your compliance online, or upload an approved certificate from another QSA. If you are a customer of SecurityMetrics, please make sure you have validated with them
    • Network vulnerability scans – these must be completed by an Approved Scanning Vendor (ASV), at an average cost of £100 per external-facing IP address, although the price of these services is always negotiable with vendors. Up to 10 IP addresses are included in Barclaycard Data Security Manager as standard

    The cost of the flip side

    While it may seem expensive to meet and maintain compliance, the cost and time associated with recovering from a data breach is far greater. Not complying jeopardises profitability as well as the reputation of your business and future sales.

    The cost of a breach can be up to 20 times that of PCI DSS compliance. In the last five years the cost of a data breach has risen by 68% to £79 per record[1]. For a large organisation the total cost can easily run into millions and even result in bankruptcy.

    [1] Symantec press release, 20 March 2012

  • Third-party compliance

    Stronger together

    Your own compliance is only part of the picture: any third-party suppliers you work with should be compliant too. Do they process, store or transmit cardholder data, directly or indirectly, or provide services that could affect the security of cardholder data? If so, the PCI DSS extends to them, and their status affects yours.

    Third parties may include

    •  Resellers
    •  Till vendors
    •  EPOS vendors
    •  Software application providers
    •  Payment service providers
    •  Payment processing bureau
    •  Data storage providers
    •  Web hosting providers
    •  Shopping cart providers
    •  Software vendors

    360 degree compliance

    If you’re a third party supplier or a business that works with third party agents, here are the steps that need to be taken to ensure everyone plays their part to protect payment card data from fraudulent use.

    Third parties should:

    1. Register as a Third Party Agent with Visa at https://www.visaeurope.com/receiving-payments/security/third-party-agents and as a Service Provider with MasterCard at https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/service-providers-need-to-know.html. The card schemes (e.g. Visa Inc and MasterCard) require all businesses providing services to merchants that could impact the security of cardholder data to register and to indicate whether or not they (i.e. the third party) are compliant with the PCI DSS
    2. Ensure an enforceable agreement exists with the merchant, acknowledging that the service provider / merchant agent / third party is responsible for the security of the payment card data under its control, as required by the PCI DSS
    3. Create an incident response plan to be implemented in the event of a system breach. Further information regarding the content of an incident response plan can be found in
    4. Implement the incident response plan and be prepared to respond immediately to a system breach. In the case of a suspected compromise, the merchant should be notified immediately so they can let us know. We will then alert the card schemes to initiate immediate action

    Payment Application Data Security Standard (PA-DSS)

    Do you purchase payment applications that are specifically designed to store, process or transmit cardholder data? If so, you must use applications that have been validated as compliant with the PA-DSS, known as validated applications. The current list of validated applications is maintained and available from the

  • Industry resources

    Level 3 and 4 merchants

    To support PCI DSS Level 3 and Level 4 merchants we have established the ‘Barclaycard Data Security Manager’ programme, which makes it easier to meet the PCI DSS requirements without having to use a third-party assessor. The online service provides you with the tools needed to achieve, record and maintain compliance with the PCI DSS.

    A fee will be charged for Data Security Manager which will be based on your specific business.
    Visit Barclaycard Data Security Manager

    Or call the Data Security Helpdesk on:
    0844 811 0089

    Monday-Friday 8am–8pm Saturday 9am–12 Noon

    Other PCI DSS compliant suppliers

    Visa Europe

    Visit Visa's website for downloads & resources

    MasterCard

    Visit MasterCard's website for compliant Payment Service Providers
    More about MasterCard's Site Data Protection (SDP) program

    Qualified Security Assessors

    Only assessor organisations accredited by the PCI Security Standards Council can validate your compliance. That’s why we recommend you use a Qualified Security Assessor when you are ready to proceed.

    View list of Qualified Security Assessors

    Approved Scanning Vendors

    If you require network scans as part of your PCI compliance, only use Approved Scanning Vendors.

    View list of Approved Scanning Vendors

    Educate yourself

    Here's a selection of PCI DSS learning materials:

    Barclaycard teleconference presentations
    Payment Security Account Data Compromise (ADC) PDF (558KB)
    Payment Security teleconference Third Party Management PDF (684KB)
    PCI DSS Compliance Validation Options PDF (633KB)

    Contact Centres and the PCI DSS
    PCI & the Contact Centre. The Acquirer Perspective PDF (715KB)

    Mobile payment acceptance security advice
    Download the paper PDF (153KB)
    See a video of the presentation given to the European Information Security Summit 2014

    Barclaycard Merchant Education & Awareness Programme offline webinars
    PCI DSS – Investing wisely... Hotel webinar PDF (955KB)
    PCI DSS demystified for SMEs PDF (1.35 MB)

    OWASP guide to handling e-commerce payments
    Visit their online guide

    Processing telephone payments securely
    Processing telephone payments securely PDF (1.99 MB)

    Processing online card payments securely
    Processing online card payments securely PDF (5.97 MB)

    Financial fraud issues and fraud prevention advice
    Visit the financial fraud action website

    Merchant data breach case studies
    Level 2 Retailer data breach PDF (415KB)
    Level 4 Ecomm Merchant data breach PDF (318KB)

    PCI SSC Small Merchant Safer Payments guidance
    Visit the PCI Security Standards website

    Guide to safe payments
    Guide to safe payments PDF (8.87 MB)

    Latest news

    Read the headlines from Finextra Cards
    Get the latest from Finextra Payments
    View the blog articles on the PCI Security Standards website
