All the supporting documentation, advice and assessment to get you PCI compliant. All for a refreshingly low price that won’t break the bank.
PCI DSS is the Payment Card Industry Data Security Standard: a set of security requirements whose purpose is to reduce the risk of payment card data being stolen and used for fraud.
PCI DSS compliance is mandatory for any organisation that handles card data. It is not (in most jurisdictions) a law; it is a contractual obligation that the payment brands (Visa, Mastercard, American Express, Discover including Diners Club, and JCB) enforce through the agreements you sign with your acquiring bank. There is a single global standard. There are no regional versions.
PCI DSS is not new. The first version was published in 2004, and since 2006 it has been developed and administered by the PCI Security Standards Council, a body founded by the payment brands and based in the United States.
At the time of writing the current version of the standard is 3.2. The standard is reviewed on a regular cycle, with major releases historically about every three years and minor revisions in between, so that it stays aligned with technology developments and current attack techniques.
Although it covers much of the same ground as ISO 17799 (now ISO/IEC 27002), PCI DSS is its own, much more prescriptive standard. It is organised into twelve requirements, grouped under six control objectives, covering disciplines such as firewall management, protection of stored card data, encryption of card data in transit, secure application development, access control and logging, physical security, and security policies and procedures.
More information – including the full standard – can be found at the Standards Council’s website here: https://www.pcisecuritystandards.org/.
If your company stores, processes or transmits payment card data, or runs systems that could affect the security of the systems that do, then yes.
Payment card data centres on the Primary Account Number (PAN), the number printed on the card, typically 16 digits (15 on American Express cards). The PAN together with related data such as the cardholder name, expiry date and service code is referred to as Cardholder Data. A second category, Sensitive Authentication Data (full magnetic stripe or chip data, the CVV2/CVC2/CID security code and PINs), is treated even more strictly: the standard prohibits storing it at all once a transaction has been authorised, even in encrypted form.
The majority of organisations that are affected will be Merchants. These are the businesses that accept card payments for goods and services.
Other organisations that are affected are Service Providers. A Service Provider handles cardholder data on behalf of a merchant, or provides a service that could affect its security. Examples include payment processing, hosting a merchant's e-commerce environment, or managing its firewalls.
If a Service Provider stores, processes or transmits cardholder data, it must comply with PCI DSS.
If you are a merchant, you will often be told to get PCI compliant by your Acquiring Bank. The Acquirer is the organisation that provides your card payment processing services. You will have a unique merchant account with your Acquirer.
If you are a Service Provider, your merchants may have requested proof of PCI DSS compliance for the services that are outsourced or managed by your organisation.
So, for Merchants, contact your Acquirer who should be able to tell you what to complete, who to submit the information to and any deadline dates. Normally, a merchant has a designated contact with the Acquirer – such as a relationship manager.
If you are a Service Provider, one of your merchants may have asked you to demonstrate PCI DSS compliance. The important point for Service Providers is that the scope of the assessment is the services you provide that store, process, transmit or protect cardholder data, not necessarily your whole business.
For both Merchants and Service Providers, further guidance information can be found here: https://www.pcisecuritystandards.org .
Your annual transaction volume (set per payment brand and relayed by your Acquirer) determines what you must submit and to whom. Most organisations will be allowed to self-assess using a Self-Assessment Questionnaire (SAQ). There are several SAQ variants, each matched to a way of taking payments (for example a fully outsourced e-commerce page versus in-store terminals), so choosing the right one is the first job; whichever applies, it must be completed honestly and accurately, with an Attestation of Compliance signed by a company officer.
Organisations handling a larger number of transactions, and most Service Providers, are expected to produce a Report on Compliance (ROC) instead. The ROC covers the same requirements as the SAQ but carries a far heavier burden of proof for each one: every control has to be examined, and the evidence recorded, by an assessor. A ROC is produced by a Qualified Security Assessor (QSA) or a PCI-trained Internal Security Assessor (ISA), so most organisations in this position engage a QSA.
In summary, try to understand who is asking for PCI DSS compliance from your organisation. Try to understand when they need this information and reference the PCI Security Standards Council’s website mentioned above.
If you still have questions – and this is often the case – feel free to call us for a quick chat to point you in the right direction.
If you are a merchant, your Acquiring Bank. The Acquirer is the organisation that provides your card payment processing services. The Acquirer will normally contact you directly.
If you are a Service Provider, your merchants may contact you. As part of the merchant’s PCI DSS compliance programme, it will need to recognise that any outsourced services are secure and PCI DSS compliant.
Service Providers are encouraged to register with the brands (for example the Visa Global Registry of Service Providers and Mastercard's compliant service provider list) as offering PCI DSS compliant services. It is in the Service Provider's interest to do so, because merchants and acquirers use these lists when choosing and vetting suppliers.
No. Using a QSA is not mandatory if you are eligible to self-assess. If you have to produce a Report on Compliance, however, it must be completed by a QSA or by a PCI-trained Internal Security Assessor from your own staff.
Any organisation working towards PCI DSS compliance is nevertheless encouraged to use a QSA to help it understand the standard. PCI DSS is a large and complicated standard and is open to interpretation. It can be ambiguous and easily misunderstood in places.
QSAs are most often used to perform the onsite assessment that produces the Report on Compliance. They are also invaluable for advice and guidance on how to minimise the work required to get PCI compliant, in particular on reducing scope.
The answer to this question is… it depends.
Apologies for the evasive answer, but there really is no black and white answer. Fines are levied by the payment brands on the Acquirer, which passes them on to the merchant. Some organisations will incur fines if the Acquirer sees that there is no real progress on meeting compliance or reducing risk.
Others will be fined automatically if they have been breached. A breached organisation will also normally be required to have a QSA assess it as a Level 1 entity and demonstrate full PCI DSS compliance, in order to avoid further fines in the future.
Whenever we are asked this question at Ambersail it is also followed by the question – how much are these fines? Again, there is no stock answer. Fines can be small – with the expectation that the organisation that has been breached needs to get PCI Compliant very quickly. Fines can also be large – running into the tens of thousands. Even higher in certain cases.
Generally, the higher the number of card numbers compromised the more serious the implications for the breached organisation.
Also – do not underestimate the negative impact on your brand if you are breached. As we all know, customer is king and they can easily vote with their feet and shop elsewhere.
This is probably the most important consideration for any organisation looking to get, and stay, PCI compliant. Keep reading if you want to make your life easier…
Let's go back to basics. An organisation is in scope for PCI DSS if it stores, processes or transmits payment card data. The systems that do so form the Cardholder Data Environment (CDE), and the scope of your assessment is the CDE plus every system component that is connected to it or could affect its security: the networks that carry the data, but also the directory servers, logging, patching and management systems that reach into it. You will need to apply all the applicable PCI controls to everything in that scope.
If you have a large, flat network with no segmentation, the whole of it comes into scope, because any machine on it can reach the systems that handle card data. This makes PCI compliance extremely difficult.
If you have a small, well-contained network, it follows that there will be fewer controls to apply over a smaller area.
PCI scoping is all about reducing that area to make it smaller and therefore easier to manage and bring into line with PCI DSS.
There are many things that companies can do to achieve this. They include outsourcing payment handling to a compliant third party, using tokenisation or point-to-point encryption so that PANs never enter your own systems, segmenting the internal network with firewalls or access control lists so that only the CDE is in scope, and deleting every store of card data that the business does not genuinely need (old logs, database dumps and spreadsheets are the usual culprits). One caveat: segmentation only reduces scope if it actually works, and PCI DSS 3.2 requires segmentation controls to be verified by penetration testing, at least annually for merchants and every six months for service providers.
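The last technique, finding and removing stored card data, is easier to talk about than to do, because PANs turn up in places nobody expects. As an added example (this is the editor's illustration, not part of the original page and not an Ambersail tool), the Python script below scans text such as application logs for PAN-like runs of digits, discards those that fail the Luhn check or do not start with a known issuer prefix, and reports the survivors masked to the first six and last four digits, the maximum PCI DSS allows to be displayed. The log lines are constructed for the example; the Luhn and issuer-prefix heuristics are assumptions a real data-discovery tool would refine, since they produce both false positives and false negatives.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 20-digit reference number is not split up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (no real card numbers; these are the brands' public
# test PANs plus deliberately invalid look-alikes).
SAMPLE_LOG = """\
2016-05-03 10:14:02 INFO order=1234567890123456 card=4111 1111 1111 1111 amount=49.99
2016-05-03 10:14:09 INFO order=1234567890123457 card=378282246310005 amount=120.00
2016-05-03 10:15:30 INFO request_id=0000000000000000 card=4111111111111112 declined
2016-05-03 10:16:11 INFO card=5555-5555-5555-4444 settled
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> Optional[str]:
    """Map an issuer prefix and length to a brand; None if it matches no known range.
    Ranges are the widely published IIN ranges (assumed for this example)."""
    n = len(pan)
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "Mastercard"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and 16 <= n <= 19:
        return "Discover"
    if 3528 <= p4 <= 3589 and 16 <= n <= 19:
        return "JCB"
    return None


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class PanHit:
    line: int      # 1-based line number in the scanned text
    brand: str
    masked: str    # never carry the full PAN out of the scanner


def _plausible_pan(match_text: str) -> Optional[str]:
    digits = re.sub(r"[ -]", "", match_text)
    if luhn_valid(digits) and brand_of(digits):
        return digits
    return None


def find_pans(text: str) -> List[PanHit]:
    """Report every Luhn-valid, brand-prefixed PAN found in the text, masked."""
    hits: List[PanHit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = _plausible_pan(m.group())
            if digits:
                hits.append(PanHit(lineno, brand_of(digits), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Return the text with every plausible PAN replaced by its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _plausible_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit.line}: {hit.brand} {hit.masked}")
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner reports the Visa, American Express and Mastercard test numbers and ignores the order IDs (which fail Luhn), the all-zero request ID (passes Luhn but has no issuer prefix) and the deliberately corrupted Visa number. In practice you would point `find_pans` at log archives, database exports and file shares, treat every hit as a store of card data that must be deleted or brought into scope, and remember that PANs encoded in other ways (base64, compressed files, screenshots) will not be found by a digit-run search.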
Reducing PCI scope is so important that we spend almost all our consultancy time with our customers on this single topic.