Whenever your customers pay by card face-to-face, online or over the phone, they’re trusting that your systems are secure. At the same time, you’re also trusting that your customers aren’t fraudsters in disguise.
So, to minimise the chance of fraud, the payments industry came together and created the Payment Card Industry Data Security Standard, known as PCI DSS.
The PCI DSS lists a set of requirements that each business needs to follow. The level of security needed depends on the size of your business and how it operates. If you have met the requirements relevant for your specific business set-up, you’re deemed as being ‘compliant’ with PCI DSS.
Every business taking card payments is required to have a yearly PCI DSS compliance assessment to ensure they’re still protecting cardholder data to the highest standard.
Think of PCI DSS compliance like a car’s yearly MOT. The car needs its MOT renewing every year by a qualified assessor. The assessor identifies any problems that need fixing to a certain standard before they officially authorise the vehicle for use.
PCI DSS applies to the processing and storage of all customer cardholder
PCI DSS version 3.2 came into effect on 1st November 2016. You can find a summary of the changes between version 3.1 and 3.2 on the PCI Security Standards Council website by searching for “summary of changes”.
The PCI DSS covers your entire trading environment, end-to-end. So, it’s not just your systems which must be compliant, but also the systems of any third party suppliers that store, process or transmit your customers’ cardholder data.
So, when choosing a supplier, make sure they’re certified PCI DSS compliant.
Find out more about third party compliance on our page ‘How to become PCI DSS compliant’.
Anyone who takes card payments has a responsibility to comply with PCI DSS – it helps to prevent fraud across the economy for both consumers and businesses alike.
Becoming compliant isn’t a meaningless chore – it’s something that will actually benefit your business. This is because processes and policies that support PCI DSS compliance will reduce the risk of your data environment being compromised.
If you’re a Barclaycard customer, being compliant also means you’re adhering to the terms of your Merchant Agreement with us, so passing your yearly compliance assessments should be a breeze.
If your customers’ cardholder data is compromised, there could be negative consequences, such as:
Be aware that being PCI DSS compliant won’t stop fraudsters targeting your business. However, it will make sure that you’re in the best position to prevent an attack, and greatly reduce the financial penalties you may face.
For more information, visit our page ‘How to become PCI DSS compliant’.
The purpose of the PCI Data Security Standards is to keep every link in your transaction chain as secure as possible. If your business takes card payments face-to-face, on your website, or over the phone, this affects the following parts of your transaction chain:
By complying with the PCI DSS requirements, you’re helping to protect your business and customers against the following:
‘Trojans’ and other malicious viruses can sneak into your system to change cardholder payment records from ‘paid in full’ to ‘unpaid’ to make unapproved transactions. Keeping your anti-virus software up to date helps you keep these attacks at bay.
Denial of service
Losing connectivity is a huge issue if your business relies heavily on the internet. The risk can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a Qualified Security Assessor (QSA) or your Payment Card Industry Security Standards Council (PCI SSC) approved Internal Security Assessor. You can find more information on assessors and solutions on the PCI Security Standards Council website.
Whether it’s face-to-face, online or over the phone, each card transaction you take will send information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.
It’s not just attacks from outside your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.
Company web pages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms trick customers into revealing sensitive data.
With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity prevents critical log and audit data being tampered with or erased. It also makes it easier to trace attacks back to their source.
You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirate movies being accessed and/or copied onto your business hardware.
Working with the controls set out in the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner's Office considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to adhere to the Data Protection Act.