What is PCI DSS?

Whenever your customers pay by card face-to-face, online or over the phone, they’re trusting that your systems are secure. At the same time, you’re also trusting that your customers aren’t fraudsters in disguise.

So, to minimise the chance of fraud, the Card Schemes (Visa, Mastercard, Discover, American Express and JCB) came together and created the Payment Card Industry Data Security Standard, known as PCI DSS. 

The PCI DSS lists a set of requirements that each business needs to follow. The level of security needed depends on the size of your business and how it operates. If you have met the requirements relevant for your specific business set-up, you’re deemed as being ‘compliant’ with PCI DSS.

Every business taking card payments is required to have a yearly PCI DSS compliance assessment to ensure they’re still protecting cardholder data to the highest standard.

Think of PCI DSS compliance like a car’s yearly MOT. The car needs its MOT renewed every year by a qualified assessor, who identifies any problems that must be fixed to a set standard before officially authorising the vehicle for use.

PCI DSS applies to the processing and storage of all customer cardholder data. 

The PCI DSS is updated regularly by the Payment Card Industry Security Standards Council. Visit the PCI Security Standards Council website for the most up-to-date information and version of the Standard.

What if a third party supplier handles data for me?

The PCI DSS covers your entire trading environment, end-to-end. So, it’s not just your systems which must be compliant, but also the systems of any third party suppliers that store, process or transmit your customers’ cardholder data.

So, when choosing a supplier, make sure they’re certified PCI DSS compliant.

Find out more about third party compliance on our page ‘How to become PCI DSS compliant’.

Why is PCI DSS compliance important?

Anyone who takes card payments has a responsibility to comply with PCI DSS – it helps to prevent fraud for both consumers and businesses alike.

Becoming compliant isn’t a meaningless chore – it’s something that will actually benefit your business. This is because the requirements that underpin PCI DSS compliance will reduce the risk of your cardholder data environment being compromised.

If you’re a Barclaycard customer, being compliant also means you’re adhering to the terms of your Merchant Agreement with us.

If your customers’ cardholder data is compromised, there could be negative consequences, such as:

  • Financial penalties and charges
  • Damage to your business’s reputation and loss of customer trust
  • Stolen funds from your customers
  • Stolen identity of your customers

Be aware that being compliant with the PCI DSS won’t stop fraudsters targeting your business. However, it will put you in the best position to prevent an attack, and greatly reduce any financial penalties you may face. 

For more information, visit our page: how to become PCI DSS compliant.

How PCI DSS compliance protects you

The purpose of the PCI Data Security Standard is to keep every link in your transaction chain as secure as possible. If your business takes card payments face-to-face, on your website, or over the phone, this affects the following parts of your transaction chain:

Your PCI DSS responsibilities

What does PCI DSS compliance protect me from?

By complying with the PCI DSS requirements, you’re helping to protect your business and customers against the following:

Account tampering
‘Trojans’ and other malware can sneak into your systems to change cardholder payment records (for example from ‘paid in full’ to ‘unpaid’) and make unapproved transactions. Keeping your anti-virus software up to date helps keep these attacks at bay.

Denial of service
Losing connectivity is a huge issue if your business relies heavily on the internet. This can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a Qualified Security Assessor (QSA) or your Payment Card Industry Security Standards Council (PCI SSC) approved Internal Security Assessor. View more information on assessors and solutions on the PCI Security Standards website.

Identity theft
Whether it’s face-to-face, online or over the phone, each card transaction you take will send information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.

Internal theft
It’s not just attacks from outside your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.

Website tampering
Company web pages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms can trick customers into revealing sensitive data.

Ghost attacks
With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity prevents critical log and audit data from being tampered with or erased, and makes it easier to trace attacks back to their source.
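One way to make log and audit data tamper-evident, shown here as an added example that is not code from this page or from Barclaycard: each transaction event is chained to the previous one with a keyed hash, so an edited entry, an erased entry in the middle, or entries trimmed from the end all break the chain. It assumes the key (or at least the latest head hash) is kept off the host that writes the log; every event value below is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample key and events for the demo (not real card data); keep the
# real key or the latest head hash on a separate log collector, not the till.
KEY = b"constructed-demo-key-not-for-production"
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "till-03", "action": "auth",
     "amount": "12.50", "pan_last4": "1234", "result": "approved"},
    {"ts": "2024-05-01T09:02:11Z", "user": "till-03", "action": "settle",
     "amount": "12.50", "pan_last4": "1234", "result": "paid_in_full"},
    {"ts": "2024-05-01T09:05:40Z", "user": "admin-1", "action": "login",
     "amount": "", "pan_last4": "", "result": "success"},
]
GENESIS = "0" * 64  # anchor value the first entry chains to


def entry_digest(prev_hash: str, record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the previous hash plus the canonical JSON of this record."""
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def build_log(events, key=KEY):
    """Append events into a hash chain; each entry commits to all earlier ones."""
    chain, prev = [], GENESIS
    for rec in events:
        digest = entry_digest(prev, rec, key)
        chain.append({"record": dict(rec), "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_log(chain, key=KEY, expected_head=None):
    """Return (ok, index): index is the first entry that fails the check, or
    len(chain) when the tail was erased and the stored head no longer matches."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_digest(prev, entry["record"], key) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo():
    """Show that an edit, a mid-chain erasure and a tail truncation are each caught."""
    chain = build_log(SAMPLE_EVENTS)
    head = chain[-1]["hash"]                     # value a collector would store off-host
    results = {"intact": verify_log(chain, expected_head=head)}
    edited = build_log(SAMPLE_EVENTS)
    edited[1]["record"]["result"] = "unpaid"     # record altered after the fact
    results["edited"] = verify_log(edited)
    results["erased"] = verify_log(chain[:1] + chain[2:])          # middle entry removed
    results["truncated"] = verify_log(chain[:-1], expected_head=head)  # last entry removed
    return results
```

Without the key (or an off-host copy of the head hash) an attacker with write access to the log could simply recompute the chain, so the verification step belongs on the collector, not the system being monitored.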

Legal entanglements
You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirate movies being accessed and/or copied onto your business hardware.

Good governance
Working with the controls set out in the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner's Office considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to adhere to the Data Protection Act.

Next up, we recommend reading ‘How to become PCI DSS compliant’.

For more information around PCI DSS, please visit the official PCI SSC website.