What is PCI DSS?

Protecting your business. Securing the industry

Each time a customer pays you by card face-to-face, online or over the phone, they trust you with their personal and financial information. At the same time, you’re counting on them to be exactly who they say they are and the genuine cardholder. The Payment Card Industry Data Security Standard (PCI DSS) is designed to help protect you both.

Created in 2004 by Visa and MasterCard, the PCI DSS helps ensure that you’re processing and storing customer card data as securely as possible. Being compliant won’t stop fraudsters targeting your business, but it will make sure that you’re in the best position to prevent an attack, helping you avoid the financial and reputational losses that can result.

PCI DSS at a glance

  • A set of 12 mandatory standards for storing, processing or transmitting cardholder data. View these 12 steps along with further information on becoming PCI DSS compliant
  • Applies to the processing and storage of cardholder data for both manual and electronic transactions
  • Secures and protects customer payment data
  • Businesses found to be non-compliant in the event of a data compromise face financial penalties and costs
  • Please note PCI DSS version 3.2 came into effect on 1st November 2016. You can find a summary of the changes between version 3.1 and 3.2 on the PCI Security Standards Organisation website: search for “summary of changes”

Strengthening your payment chain

The purpose of the PCI DSS is to keep every link in your transaction chain as safe and secure as possible. If your business accepts card payments face to face, on your website, or over the phone, this includes:

Merchant's responsibilities

Covering all the angles

By complying with and implementing the PCI DSS standards, you’re protecting your business and customers against the following:

Account tampering

‘Trojans’ and other malware can sneak into your system to change cardholder payment records from ‘paid in full’ to ‘unpaid’ or to make unapproved transactions. Keeping your anti-virus software up to date helps you keep these attacks at bay.

Denial of Service

A loss of connectivity is a huge issue if you rely heavily on the Internet to do business. This can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a QSA or your PCI SSC approved Internal Security Assessor. See our Qualified Security Assessors.

Identity theft

Whether it’s face-to-face, online or over the phone, each card transaction you make sends information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.

Internal theft

It’s not just attacks from outside of your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.

Website tampering

Company webpages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms trick customers into revealing sensitive data.

Ghost attacks

With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity prevents critical log and audit data being tampered with or erased. It also makes it easier to trace attacks back to their source.
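The paragraph above says monitoring should stop log and audit data being tampered with or erased. One way to make such tampering detectable, shown here as an added example that is not part of this page or of Barclaycard’s materials, is to chain each audit record to the previous one with a keyed hash (HMAC-SHA256), so that editing or deleting a record breaks every link after it. The key, the record layout and the sample events are this example’s own assumptions.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives with the log
# collector or monitoring system, not on the host whose log it protects,
# so an intruder on that host cannot simply recompute the chain.
DEMO_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64   # "previous hash" value used for the very first record


def _record_mac(key: bytes, prev_hash: str, entry: Dict[str, str]) -> str:
    """HMAC-SHA256 over the previous record's hash and a canonical form of this entry."""
    payload = prev_hash.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], entry: Dict[str, str], key: bytes = DEMO_KEY) -> List[Dict]:
    """Append an audit entry, linking it to the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "hash": _record_mac(key, prev, entry)})
    return chain


def verify_chain(chain: List[Dict], key: bytes = DEMO_KEY) -> Optional[int]:
    """Return the index of the first record that fails verification, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _record_mac(key, prev, rec["entry"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], expected):
            return i
        prev = rec["hash"]
    return None


# Constructed sample events, in the shape a till or payment gateway might log.
SAMPLE_EVENTS = [
    {"ts": "2016-11-01T09:00:00Z", "user": "till01", "action": "auth", "amount": "19.99", "result": "approved"},
    {"ts": "2016-11-01T09:02:10Z", "user": "till01", "action": "auth", "amount": "250.00", "result": "approved"},
    {"ts": "2016-11-01T09:05:42Z", "user": "admin", "action": "refund", "amount": "250.00", "result": "approved"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def run_demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Verify an intact chain, then one with an edited record, then one with a deleted record."""
    intact = build_sample_chain()

    edited = copy.deepcopy(intact)
    edited[1]["entry"]["amount"] = "2.50"   # a transaction value rewritten after the fact

    shortened = copy.deepcopy(intact)
    del shortened[1]                         # a record erased from the middle of the log

    return verify_chain(intact), verify_chain(edited), verify_chain(shortened)


if __name__ == "__main__":
    print(run_demo())   # (None, 1, 1)
```

The chain alone cannot reveal that the most recent records have been cut off, because nothing follows them; the usual remedy is to copy the latest hash at regular intervals to a system the logging host cannot write to (the monitoring system or log collector) and compare it on the next check.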

Legal entanglements

You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirate movies being accessed and/or copied onto your business hardware.

Good governance

Working with the controls set out by the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to remain compliant with the Data Protection Act.

Payment cardholder data is not the only important asset that the PCI DSS protects. The scheme guidelines can also be applied to wider information security projects, such as implementing the information security management standard ISO 27001 (see our projects page and search for ISO 27001).

We’re all in this together

The PCI DSS is something all businesses have a role to play in. If you store, process or transmit cardholder data electronically or manually, you’re required to maintain compliance with PCI DSS in the interest of your customers’ security as well as your business’s.

What you’re allowed to store, provided you follow PCI DSS guidelines:

  • Primary account numbers
  • Cardholder names
  • Service code and expiry dates

What you’re not allowed to store, which must be remedied immediately:

  • Full magnetic stripe – track 2
  • CVC2 / CVV2 / CID
  • PIN / PIN block
  • Sensitive authentication data, even if encrypted
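The two lists above are a storage rule that can be enforced in code before a record is written. The following Python routine is an added example (not part of this page or of Barclaycard’s materials): it drops the prohibited sensitive authentication data, reduces the PAN to the first six and last four digits, and scans free-text fields for card numbers that have crept in, reporting each action so the event can be logged. The field names, regular expressions and sample record are this example’s own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Field names are this example's own convention, not PCI DSS identifiers.
# Sensitive authentication data must never be stored after authorisation, even encrypted.
PROHIBITED_FIELDS = {"track2", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Track 2 layout: optional ';' start sentinel, PAN, '=' separator, then expiry (YYMM),
# service code and discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7,}\??")

# Any run of 13-19 digits is a PAN candidate; the Luhn check filters out most false positives.
PAN_CANDIDATE_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS permits for display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans_in_text(text: str) -> Tuple[str, int]:
    """Mask any Luhn-valid 13-19 digit run inside free text; return (new text, count masked)."""
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        candidate = match.group(0)
        if luhn_ok(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate

    return PAN_CANDIDATE_RE.sub(repl, text), count


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (record that is safe to persist, list of findings describing each change)."""
    clean: Dict[str, str] = {}
    findings: List[str] = []
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            findings.append(f"dropped prohibited field '{key}'")
            continue
        if TRACK2_RE.search(value):
            findings.append(f"dropped field '{key}': contained track 2 data")
            continue
        if key == "pan":
            # This example keeps only a masked PAN. Where the full PAN is genuinely needed
            # it must be rendered unreadable (strong encryption or tokenisation) instead.
            clean[key] = mask_pan(value)
            findings.append("masked PAN")
            continue
        masked, n = mask_pans_in_text(value)
        if n:
            findings.append(f"masked {n} card number(s) found in free-text field '{key}'")
        clean[key] = masked
    return clean, findings


# Constructed sample record; 4111111111111111 is a well-known test card number.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A N Other",
    "expiry": "1227",
    "service_code": "201",
    "track2": ";4111111111111111=12272011234567890?",
    "cvv2": "123",
    "amount": "42.50",
    "notes": "customer phoned back, card 4111111111111111 confirmed",
}

if __name__ == "__main__":
    stored, notes = sanitize_for_storage(SAMPLE_RECORD)
    for line in notes:
        print("finding:", line)
    print("stored:", stored)
```

The free-text scan matters in practice because prohibited data most often survives in places nobody designed for it, such as call-centre notes or debug logs, rather than in the fields named after it.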

The importance of PCI DSS compliance

As a card payment provider, it’s our duty and responsibility to report the compliance status of the businesses we work with to Visa and MasterCard on a quarterly basis. They use this information to select which businesses to investigate. Those found to be non-compliant will face fines and fraud costs.

PCI DSS compliance is a mandatory part of your Merchant Agreement with Barclaycard for accepting card payments. Working towards these standards will help you improve your processes and allow you to operate more securely.
The good news is, you’re not on your own, as we have partners, guides and support materials to help you become fully PCI DSS compliant. Find out more about how we can help your business become PCI DSS compliant.

All parties on the same page

The PCI DSS covers your entire trading environment, end-to-end, which means all your third party partners that store, process or transmit data must also comply.

Find out more about third parties and how they affect your compliance.