Each time a customer pays you by card face-to-face, online or over the phone, they trust you with their personal and financial information. At the same time, you’re counting on them to be exactly who they say they are and the genuine cardholder. The Payment Card Industry Data Security Standard (PCI DSS) is designed to help protect you both.
All of the card brands (Visa, MasterCard, American Express, Discover and JCB) require merchants that accept their cards to protect cardholder data in accordance with the controls described within the PCI DSS. This helps you to ensure that you’re processing and storing customer card data as securely as possible. Being compliant won’t stop fraudsters targeting your business, but it will make sure that you’re in the best position to prevent an attack, helping you avoid the financial and reputational losses that can result.
The purpose of the PCI DSS is to keep every link in your transaction chain as safe and secure as possible. If your business accepts card payments face to face, on your website, or over the phone, this includes:
By complying with and implementing the PCI DSS standards, you’re protecting your business and customers against the following:
‘Trojans’ and other malware can sneak into your system to change cardholder payment records from ‘paid in full’ to ‘unpaid’ and to make unapproved transactions. Keeping your anti-virus software up to date helps you keep these attacks at bay.
A loss of connectivity is a huge issue if you rely heavily on the Internet to do business. This risk can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a Qualified Security Assessor (QSA) or your PCI SSC-approved Internal Security Assessor. View more information on assessors and solutions on the PCI Security Standards website.
Whether it’s face-to-face, online or over the phone, each card transaction you take sends information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.
It’s not just attacks from outside of your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.
Company webpages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms trick customers into revealing sensitive data.
With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity prevents critical log and audit data from being tampered with or erased. It also makes it easier to trace attacks back to their source.
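The paragraph above says monitoring should stop log and audit data being tampered with or erased, but not how a tamper can actually be detected. The following is an added example, not code from Barclaycard, the PCI SSC or the original page: a small tamper-evident audit log in Python in which every entry carries an HMAC over its own content and the previous entry’s tag, so that editing a record, removing one from the middle, or (when the latest tag is also stored somewhere the log writer cannot reach) erasing the newest entries all cause verification to fail. The function names (`append`, `verify`, `head`), the demonstration key and the sample transaction events are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demonstration key. In practice the key is held outside the log
# (HSM, secrets manager) so that someone who can edit the log cannot re-sign it.
DEMO_KEY = b"demo-audit-log-key-not-for-production"

GENESIS = "0" * 64  # value the first entry chains to


def _canonical(record: Dict) -> bytes:
    """Stable JSON serialisation so a record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, record: Dict) -> str:
    """HMAC over the previous tag and this record: one link in the chain."""
    msg = prev_tag.encode() + b"\n" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log: List[Dict], record: Dict, key: bytes = DEMO_KEY) -> Dict:
    """Append a record, chaining its tag to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "tag": _tag(key, prev, record)}
    log.append(entry)
    return entry


def head(log: List[Dict]) -> Tuple[int, str]:
    """(entry count, latest tag): store this out of band to catch tail erasure."""
    return len(log), (log[-1]["tag"] if log else GENESIS)


def verify(log: List[Dict], key: bytes = DEMO_KEY,
           expected_head: Optional[Tuple[int, str]] = None) -> Tuple[bool, int]:
    """Return (ok, index): index is the first bad entry, or -1 when intact.

    Edits and deletions inside the chain break the HMAC links; deletion of the
    newest entries is only visible by comparing against a separately stored head.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:          # gap or reorder from a removed entry
            return False, i
        if not hmac.compare_digest(_tag(key, prev, entry["record"]), entry["tag"]):
            return False, i                # record or tag altered
        prev = entry["tag"]
    if expected_head is not None and head(log) != expected_head:
        return False, len(log)             # entries erased from the tail
    return True, -1


def build_sample_log() -> List[Dict]:
    """Constructed transaction events. Only masked card data is logged: the full
    PAN and sensitive authentication data never belong in a log file."""
    log: List[Dict] = []
    append(log, {"event": "auth", "pan_last4": "4242", "amount": "12.50", "user": "till-3"})
    append(log, {"event": "settle", "pan_last4": "4242", "amount": "12.50", "user": "batch"})
    append(log, {"event": "refund", "pan_last4": "4242", "amount": "12.50", "user": "till-1"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    saved_head = head(log)                     # kept on a separate, write-once store
    print("intact:", verify(log, expected_head=saved_head))
    log[1]["record"]["amount"] = "0.00"        # a settled amount is altered after the fact
    print("after edit:", verify(log, expected_head=saved_head))
    log = build_sample_log()
    log.pop()                                  # the newest entry is erased
    print("chain only:", verify(log))          # passes: the chain cannot see its own tail
    print("with saved head:", verify(log, expected_head=saved_head))
```

The point of the `head` value is the erasure case: a hash chain on its own proves nothing about entries that were removed from the end, so the latest count and tag have to be copied somewhere the log writer cannot modify (a separate log host, write-once storage, or a periodic signed checkpoint) and compared at review time.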
You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirated movies accessed and/or copied onto your business hardware.
Working with the controls set out by the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to remain compliant with the Data Protection Act.
The PCI DSS is something all businesses have a role to play in. If you store, process or transmit cardholder data electronically or manually, you’re required to maintain compliance with the PCI DSS in the interest of your customers’ security as well as your business’s.
What you’re allowed to store, provided you follow PCI DSS requirements:
What you’re not allowed to store, which must be remedied immediately:
As a card payment acquirer, it’s our duty and responsibility to report the compliance status of the businesses we work with to Visa and MasterCard. They use this information to select which businesses to investigate. Those found to be non-compliant will face fines and fraud costs.
PCI DSS compliance is a mandatory part of your Merchant Agreement with Barclaycard for accepting card payments. Working towards these standards will help you improve your processes and allow you to operate more securely.
The good news is that you’re not on your own: we have partners, guides and support materials to help you become fully PCI DSS compliant. Find out more about how we can help your business become PCI DSS compliant.
The PCI DSS covers your entire trading environment, end-to-end, which means all your third-party partners that store, process or transmit cardholder data must also comply.
Find out more about third-party compliance and how it affects your own compliance.