How to become PCI DSS compliant

The right compliance for your business

If you’re accepting payments, you’ve already committed to being PCI DSS compliant – and to ensuring your daily processes are properly secure.

Your merchant level dictates the standards you need to meet and maintain for PCI DSS compliance. There are four levels of merchants, based on the number of transactions you process each year – find yours below.

Level 1

Types of businesses:
  • Any merchant processing over 6 million Visa or MasterCard transactions a year
  • Any compromised merchant

Example of actions required for compliance:
  • Annual onsite security assessment by a PCI SSC-accredited Qualified Security Assessor (QSA) and a Report on Compliance (ROC)
  • Quarterly network scan (if in ecommerce)
  • Annual penetration testing
  • Implemented security policies

Level 2

Types of businesses:
  • Any merchant processing 1 to 6 million Visa or MasterCard transactions a year

Example of actions required for compliance:
  • Annual Self Assessment Questionnaire (SAQ) completed by a PCI SSC-accredited Internal Security Assessor (ISA), or an annual onsite security assessment by a PCI SSC-accredited Qualified Security Assessor (QSA)*
  • Quarterly network scan (if in ecommerce)
  • Annual penetration testing

  * With effect from 30th June 2012, any Level 2 merchant choosing to complete an annual SAQ must ensure that all staff engaged in the self-assessment attend the PCI Security Standards Council (SSC) merchant training programme and pass the associated PCI SSC accreditation programme annually in order to keep the option of self-assessment for compliance validation.

Level 3

Types of businesses:
  • Any merchant processing 20,000 to 1 million Visa or MasterCard ecommerce transactions a year

Level 4

Types of businesses:
  • Any merchant processing fewer than 20,000 Visa or MasterCard ecommerce transactions a year
  • All other merchants processing up to 1 million Visa or MasterCard transactions a year

Actions required for Level 3 and Level 4 merchants:

If you are a level 3 or level 4 merchant you must use the Barclaycard Data Security Manager portal to either:

1. Upload a Self-assessment Questionnaire (SAQ) that has been validated by a Qualified Security Assessor (QSA) each year
OR
2. Complete the online profile and follow-up steps to complete your self-assessment and compliance validation each year

If, as part of your compliance validation, you are required to run quarterly vulnerability scans, they must be conducted by an Approved Scanning Vendor (ASV); this can be done using the Barclaycard Data Security Manager service. To see a list of ASVs, visit the PCI Security Standards Council website and search for ‘approved scanning vendors’.

If you use another ASV you must upload the technical report demonstrating a pass status each quarter.

An overview of the Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that helps companies protect their customers’ cardholder data from theft or misuse. Its 12 requirements are grouped under six goals, listed below, to help you and your business achieve compliance.

The 12 steps of compliance

There are 12 requirements that make up PCI DSS compliance. They are all designed to protect consumer cardholder account data during storage, transmission and processing throughout the card payment industry.


Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters


Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Choose the right security partner

Selecting the right Qualified Security Assessor (QSA) to help you become PCI DSS compliant is an important decision. You should feel confident that they have the knowledge and expertise to get the job done. Their job is to help you:

  • define the scope of the project
  • identify the controls you need to put in place
  • discover where the gaps are
  • calculate the cost of achieving compliance

“How many assessments have you undertaken this year?”

More assessments means more experience, which means they are more likely to spot gaps and help you avoid the common pitfalls.

“How many assessments have you undertaken in our industry sector?”

It’s not the end of the world if they don’t have experience in your industry. However, if they do, it makes their advice all the more relevant.

“How many assessments have you undertaken for businesses our size?”

The size of your business will affect the setup of your technology infrastructure. So if you have someone familiar with your level of complexity it will make the process more efficient.

“How long have you been with your consultancy?”

Have they moved from one business to another in quick succession? The last thing you want is for your QSA to leave halfway through the process. Instead, work with a QSA who has an established track record with their consultancy.

“What other services does your consultancy provide?”

Some QSA consultancies offer technical services that can help make the process of updating your systems more efficient. If so, it’s important they can remain independent of the compliance process and only offer additional services when relevant.


View list of Qualified Security Assessors

Our commitment to your compliance

Our dedicated team will help you manage fraud from an investigation, compliance and relationship perspective.

  • We aim to gather all the information necessary for you to gain and maintain PCI DSS compliant status, as well as providing expert advice and assistance
  • We have relationships with Qualified Security Assessors (QSA) and Payment Service Providers (PSP) to help with your PCI DSS compliance
  • We’ve teamed up with industry security specialists to offer you comprehensive payment security and protection against fraud at preferential rates
  • We ensure your transactions are safe, secure and compliant with industry standards
  • We are on the advisory board of the PCI Security Standards Council, providing a voice for merchants
  • We report Merchant compliance status regularly to the Card Schemes (Visa and MasterCard) as part of our commercial obligation to the Card Schemes
  • We seek to develop pragmatic and innovative solutions for your business
  • We produce a wide range of leaflets, online information and white papers on topical issues
  • All our SmartPay solutions are compliant with PCI DSS

Barclaycard Data Security Manager

We constantly strive to deliver innovative and practical ways to help businesses fight fraud, reduce their data security risks and meet their compliance obligations with the Payment Card Industry Data Security Standard (PCI DSS).

We’ve listened to our merchants and looked at how we can improve the efficiency and effectiveness of the services we provide to help merchants manage and maintain their PCI DSS compliance. Our research led us to develop Data Security Manager, a ‘smart’ online portal [1]. It provides smaller merchants with all the tools and resources they need to help reach and maintain PCI DSS compliance, fully inclusive of vulnerability scanning requirements.

About Data Security Manager

This tool provides a quick and easy way of managing your PCI DSS compliance. It guides you through the validation requirements, and expert assistance is available, which can help protect you from the risks of a data compromise and the associated costs and penalties that could result.

Benefits include:

  • Fully inclusive vulnerability scans should you require them, which could save you money
  • Specially trained advisers who can provide you with individual assistance
  • ‘Smart’ online assistance with your Self Assessment Questionnaires (SAQs)
  • Management of all your scanning and reporting requirements
  • Proactive advice that could help save you time, effort and money
  • A dedicated Qualified Security Assessor (QSA) is available as a referral from the Data Security Manager Helpdesk on 0844 811 0089

Please note that SecurityMetrics, the organisation we formerly used to manage and report our merchants’ PCI DSS compliance, is no longer our preferred security partner.

A fee will be charged for Data Security Manager, based on your specific business. Further detail on the types of costs is provided below.

To find out more about the range of services that Data Security Manager can offer, please call our Data Security Helpdesk on 0844 811 0089 (lines open Mon-Fri 8am-8pm, and 9am-12 noon on Saturdays).

[1] Minimum browser requirement: Microsoft Internet Explorer 8, Firefox 4.0 and Safari 5.0 and above. Flash versions: Adobe Flash Player 8 and above, or the Adobe Flash Player plugin for Firefox. The Data Security portal is an online service. If you do not have access to the internet, please call the Data Security Helpdesk on 0844 811 0089.

How much does it cost to become PCI DSS compliant?

There’s no straight answer to how much it costs to become PCI DSS compliant. You’ll find numerous estimates from industry leaders, but the specific cost for your business will probably be different. It will depend on the security measures you have in place at the moment and how much they need to change for you to become compliant.

PCI DSS costs typically fall into three categories:

  • Technology upgrades – applications, networks, firewalls, monitoring tools
  • PCI DSS validation costs – assessments, audits, network scans
  • Compliance maintenance – keeping up with the development of the standard and information security, checking policies are in place and adhered to, and ensuring documentation is up to date

The changes your business makes have an impact beyond PCI DSS compliance. Improvements to the security and efficiency of your IT systems are better treated as general infrastructure costs than as a PCI DSS line item.

The total cost for these upgrades will vary from business to business depending on the size, scope and setup of the organisation. The typical expense for PCI DSS validation includes:

  • Onsite audits – Performed by a Qualified Security Assessor (QSA) or a qualified internal assessor, these are mandatory for Level 1 merchants (and for compromised merchants) and can range from £10,000 to £50,000+. The final cost will depend on how much the QSA is required to be involved and whether your business has sufficient information security resources in-house
  • SAQs (Self Assessment Questionnaires) – We require all SAQs to be validated by a QSA. In the past we accepted paper SAQs, and we found that a high number of merchants were not completing the forms correctly and so remained non-compliant without knowing it. If you are a level 3 or level 4 merchant, please use Barclaycard Data Security Manager to validate your compliance online, or upload an approved certificate from another QSA. If you are a customer of SecurityMetrics, please make sure you have validated with them
  • Network vulnerability scans – These must be completed by an Approved Scanning Vendor (ASV), at an average cost of £100 per external-facing IP address. However, the cost of these services is always negotiable with vendors. Up to 10 IP addresses are included in Barclaycard Data Security Manager as standard

The cost of the flip side

While it may seem expensive to meet and maintain compliance, the cost and time associated with recovering from a data breach is far greater. Not complying jeopardises profitability as well as the reputation of your business and future sales.

The cost of a breach can be up to 20 times that of PCI DSS compliance. In the last five years, the cost of a data breach has risen by 68% to £79 per record [2]. For a large organisation, the total cost can easily run into the millions and even result in bankruptcy.

[2] Symantec press release, 20 March 2012

Stronger together

Not only is it important for your business to be compliant. Any third party suppliers you work with should be as well. Do they process, store or transmit cardholder data – directly or indirectly – or provide services that could have an impact upon the security of cardholder data? If so, the PCI DSS extends to them too and affects your status as well.

Third parties may include:

  • Resellers
  • Till vendors
  • EPOS vendors
  • Software application providers
  • Payment service providers
  • Payment processing bureaux
  • Data storage providers
  • Web hosting providers
  • Shopping cart providers
  • Software vendors

360 degree compliance

If you’re a third party supplier or a business that works with third party agents, here are the steps that need to be taken to ensure everyone plays their part to protect payment card data from fraudulent use.

Third parties should:

  1. Register as a Third Party Agent with Visa at https://www.visaeurope.com/receiving-payments/security/third-party-agents and with MasterCard as a Service Provider at  https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/service-providers-need-to-know.html
  2. The card schemes (e.g. Visa Inc and MasterCard) require all businesses providing services to Merchants that could impact the security of cardholder data to register and indicate whether or not they (i.e. the third party) are compliant with the PCI DSS
  3. Ensure an enforceable agreement exists with the Merchant, acknowledging that the Service Providers/Merchant Agent/Third Party are responsible for the security of payment card data under their control as required by the PCI DSS
  4. Create an incident response plan to be implemented in the event of a system breach. Further information regarding the content of an incident response plan can be found in
  5. Implement the incident response plan and be prepared to respond immediately to a system breach. In the case of a suspected compromise, the Merchant should be notified immediately so they can let us know. We’ll then alert the Card Schemes to initiate immediate action

Payment Application Data Security Standard (PA-DSS)

Do you purchase payment applications that are specifically designed to store, process or transmit cardholder data? If so, you must use applications that have been validated against the PA-DSS. These are known as validated applications. The current list of validated applications is maintained and available from the

Level 3 and 4 merchants

To support PCI level 3 and level 4 merchants, we have an established programme, ‘Barclaycard Data Security Manager’, which makes it easier to meet the PCI DSS requirements without having to use a third-party assessor. The online service provides you with the tools needed to achieve, record and maintain compliance with the PCI DSS.

A fee will be charged for Data Security Manager, based on your specific business.

Visit Barclaycard Data Security Manager

Or call the Data Security Helpdesk on:

0844 811 0089

Monday-Friday 8am–8pm, Saturday 9am–12 noon

Qualified Security Assessors

Only organisations accredited by the PCI Security Standards Council can validate your PCI DSS compliance. That's why we recommend you use a Qualified Security Assessor when you are ready to proceed.

View list of Qualified Security Assessors

Approved Scanning Vendors

If you require network scans as part of your PCI DSS compliance, only use Approved Scanning Vendors.

View list of Approved Scanning Vendors

Educate yourself

Here's a selection of PCI DSS learning materials:

Barclaycard teleconference presentations
Payment Security Account Data Compromise (ADC) PDF (558KB)
Payment Security teleconference Third Party Management PDF (684KB)
PCI DSS Compliance Validation Options PDF (633KB)

Contact Centres and the PCI DSS
PCI & the Contact Centre. The Acquirer Perspective PDF (715KB)

Mobile payment acceptance security advice
Download the paper PDF (153KB)
See a video of the presentation given to the European Information Security Summit 2014

Barclaycard Merchant Education & Awareness Programme offline webinars
PCI DSS – Investing wisely... Hotel webinar PDF (955KB)
PCI DSS demystified for SMEs PDF (1.35 MB)

OWASP guide to handling e-commerce payments
Visit their online guide

Processing telephone payments securely
Processing telephone payments securely PDF (1.99 MB)

Processing online card payments securely
Processing online card payments securely PDF (5.97 MB)

Financial fraud issues and fraud prevention advice
Visit the financial fraud action website

Merchant data breach case studies
Level 2 Retailer data breach PDF (415KB)
Level 4 Ecomm Merchant data breach PDF (318KB)

PCI SSC Small Merchant Safer Payments guidance
Visit the PCI Security Standards website

Guide to safe payments
Guide to safe payments PDF (8.87 MB)

Latest news

Read the headlines from Finextra Cards
Get the latest from Finextra Payments
View the blog articles on the PCI Security Standards website
