What is PCI DSS?




  • Overview

    Protecting your business. Securing the industry

    Each time a customer pays you by card face-to-face, online or over the phone, they trust you with their personal and financial information. At the same time, you’re counting on them to be exactly who they say they are and the genuine cardholder. The Payment Card Industry Data Security Standard (PCI DSS) is designed to help protect you both.

    All of the card brands (Visa, MasterCard, American Express, Discover and JCB) require merchants that accept their cards to protect cardholder data in accordance with the controls described in the PCI DSS. This helps you to ensure that you’re processing and storing customer card data as securely as possible. Being compliant won’t stop fraudsters targeting your business, but it will make sure that you’re in the best position to prevent an attack, helping you avoid the financial and reputational losses that can result.

    PCI DSS at a glance

    • View further information on becoming PCI DSS compliant, including the set of 12 mandatory requirements for storing, processing or transmitting cardholder data
    • Applies to the processing and storage of cardholder data for both manual and electronic transactions
    • Secures and protects customer payment data
    • Businesses found to be non-compliant in the event of a data compromise face financial penalties and costs
    • Please note that PCI DSS version 3.2 came into effect on 1st November 2016. You can find a summary of the changes between versions 3.1 and 3.2 on the PCI Security Standards Council website by searching for “summary of changes”
  • How it protects you

    Strengthening your payment chain

    The purpose of the PCI DSS is to keep every link in your transaction chain as safe and secure as possible. If your business accepts card payments face to face, on your website, or over the phone, this includes:

    Covering all the angles

    By complying with and implementing the PCI DSS requirements, you’re protecting your business and customers against the following:

    Account tampering

    ‘Trojans’ and other malware can sneak into your systems to change cardholder payment records from ‘paid in full’ to ‘unpaid’ and to make unapproved transactions. Keeping your anti-virus software up to date helps you keep these attacks at bay.

    Denial of Service

    A loss of connectivity is a huge issue if you rely heavily on the Internet to do business. The risk can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a Qualified Security Assessor (QSA) or your PCI SSC-approved Internal Security Assessor (ISA). You can find more information on assessors and solutions on the PCI Security Standards Council website.

    Identity theft

    Whether it’s face-to-face, online or over the phone, each card transaction you process sends information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.

    Internal theft

    It’s not just attacks from outside of your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.

    Website tampering

    Company web pages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms trick customers into revealing sensitive data.

    Ghost attacks

    With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity helps prevent critical log and audit data from being tampered with or erased. It also makes it easier to trace attacks back to their source.

    Legal entanglements

    You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirate movies being accessed and/or copied onto your business hardware.

    Good governance

    Working with the controls set out by the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to remain compliant with the Data Protection Act.

  • Why comply?

    We’re all in this together

    The PCI DSS is something all businesses have a role to play in. If you store, process or transmit cardholder data, electronically or manually, you’re required to maintain compliance with the PCI DSS in the interest of your customers’ security as well as your business’s.

    What you’re allowed to store, provided you follow PCI DSS requirements:

    • Primary account numbers
    • Cardholder names
    • Service code and expiry dates

    What you’re not allowed to store, which must be remedied immediately:

    • Full magnetic stripe – track 2
    • CVC2 / CVV2 / CID
    • PIN / PIN block
    • Sensitive authentication data, even if encrypted
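    As an added illustration (not Barclaycard's code or part of the original page), the following Python check audits a stored payment record against the two lists above: it flags fields holding sensitive authentication data, recognises full track 2 data by its layout even when it has been stored under an innocent field name, and masks the PAN for display. The field names, the track 2 pattern and the sample record are assumptions made for the example.

```python
import re

# Data elements the page says a merchant may store (under PCI DSS controls).
# Field names are an assumption for this example.
ALLOWED_FIELDS = {"pan", "cardholder_name", "expiry_date", "service_code"}

# Field names that hold sensitive authentication data, which must never be
# stored after authorisation: card security code, PIN / PIN block, track data.
PROHIBITED_FIELD_RE = re.compile(
    r"(?:^|_)(cv[cv]2?|cid|pin|pin_block|track[12])(?:_|$)", re.I)

# Track 2 layout (ISO 7813): optional ';' sentinel, 13-19 digit PAN, '='
# separator, YYMM expiry, 3-digit service code, discretionary data, optional
# '?' end sentinel. Matching on shape catches stripe data in any field.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}\d{3}\d*\??$")


def mask_pan(pan):
    """Show at most the first six and last four digits (PCI DSS display rule)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(record):
    """Return (field, finding) pairs for one stored record (dict field -> value)."""
    findings = []
    for field, value in record.items():
        key = field.lower()
        if PROHIBITED_FIELD_RE.search(key):
            findings.append((field, "prohibited: sensitive authentication data"))
        elif TRACK2_RE.match(str(value)):
            findings.append((field, "prohibited: value looks like full track 2 data"))
        elif key not in ALLOWED_FIELDS:
            findings.append((field, "review: field not in the permitted storage list"))
    return findings


# Constructed sample record using a well-known test PAN; not real card data.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A N OTHER",
    "expiry_date": "2612",
    "service_code": "201",
    "cvv2": "123",
    "notes": ";4111111111111111=26122011234567890?",
}

if __name__ == "__main__":
    print("PAN:", mask_pan(SAMPLE_RECORD["pan"]))
    for field, finding in audit_record(SAMPLE_RECORD):
        print(f"{field}: {finding}")
```

    Run against the sample record, the audit reports the security code field and the track 2 data hidden in the free-text field, while the four permitted elements pass.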

    The importance of PCI DSS compliance

    As a card payment acquirer, it’s our duty and responsibility to report the compliance status of the businesses we work with to Visa and MasterCard. They use this information to select which businesses to investigate. Those found to be non-compliant will face fines and fraud costs.

    PCI DSS compliance is a mandatory part of your Merchant Agreement with Barclaycard for accepting card payments. Working towards these standards will help you improve your processes and allow you to operate more securely.
    The good news is, you’re not on your own: we have partners, guides and support materials to help you become fully PCI DSS compliant. Find out more about how we can help your business become PCI DSS compliant.

    All parties on the same page

    The PCI DSS covers your entire trading environment, end-to-end, which means all your third party partners that store, process or transmit data must also comply.

    Find out more about third party compliance and how it affects your compliance.