As online shopping became a staple with the advent of the internet era, the avenues for payment card fraud spiked dramatically.
As the issue escalated, payment card companies established a set of policies and guidelines to safeguard cardholders from having their payment data misused. This new standard was called PCI DSS.
The Payment Card Industry Data Security Standard (or PCI DSS for short) is an internationally recognised security standard which sets out the global guidelines and minimum requirements for companies on how to protect consumer payment data. Created by 5 major credit card companies in 2005 (Visa, Mastercard, Discover, JCB and American Express) as a response to the increasing threat of payment data theft online, the main purpose of the standard is to safeguard and secure sensitive cardholder data, including card numbers, issue/expiry dates, CVV numbers and cardholder addresses. PCI DSS is administered by the PCI Security Standards Council.
PCI DSS outlines 12 core requirements, split into 6 control objectives aimed at protecting cardholder information. These are:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
PCI DSS compliance offers a huge range of benefits to businesses that handle credit or debit card transactions. Beyond avoiding penalties, it will strengthen company security, improve consumer trust, and enhance your operational efficiency.
Benefits can include:
Improved Data Security
Regulatory and Contractual Compliance
Increased Customer Trust
Minimised Financial Liability
Operational Improvements
Implementing PCI DSS often leads to better:
These improvements can boost efficiency and reduce IT downtime.
Better Vendor and Partner Relationships
Global Acceptance
If you store, process or transmit cardholder data, you must be PCI DSS compliant. From corner shops to conglomerates, secure handling of payment information is paramount in all aspects of commerce. This includes:
Before understanding how to achieve PCI DSS certification, it is worth noting that the regulations are split into four different compliance levels, which are:
Level 1 (Highest Level)
Quarterly network scans by an Approved Scanning Vendor (ASV) and Attestation of Compliance (AoC).
Level 2
Level 3
Level 4
Now that we've covered the different levels of certification, let's break down how certification can be achieved.
Identify your merchant or service provider level (Level 1-4 for merchants) and outline the validation requirements your business needs to achieve certification (through an SAQ or a full audit with a QSA).
Compare your existing security practices against the 12 PCI DSS requirements grouped under the six control objectives listed earlier. Assess where your current security practices fall short of the criteria needed to achieve PCI DSS compliance and set out an action plan to improve your security in the affected areas.
Fix any gaps identified during the self-assessment. These could include:
Ensure that all the changes that you make are documented when it comes to validating your company's security.
Merchants at Level 2-4 are required to submit a Self-Assessment Questionnaire (SAQ), whereas Level 1 merchants and some service providers need to provide a Report on Compliance (RoC). In either case it is crucial to document and report on all the fixes and changes made to your business's security.
Once all your documentation is updated, it's time to complete the SAQ (if you're a Level 2-4 merchant). Which SAQ you must complete depends on how your business handles card data; you can find out which questionnaire you'll need on the PCI DSS website.
Make sure you answer the questions carefully and accurately, and provide your supporting documents where needed. Also complete the Attestation of Compliance (AoC), which is included within the SAQ.
If your business is doing an RoC, you will need to hire a Qualified Security Assessor (QSA). Their job is to:
The QSA will also produce a formal RoC document and AoC.
Depending on your setup, you'll also need:
Once the above has been completed, send the following to your acquirer or payment processor:
Some companies may also request evidence documentation or conduct their own reviews.
Compliance is annual, but security is always ongoing. Be sure to manage and update your documentation, upskill and train employees, audit your security measures, as well as track changes to systems and data flows.
Also, ensure that your organisation's quarterly scans and annual revalidation are done on time.
If your company handles financial data but does not make a commitment to securing sensitive payment data, the consequences can be severe. This can include:
Data Breaches
Non-compliant systems are more vulnerable to cyberattacks. Attackers can steal cardholder data, leading to financial theft, identity fraud and large-scale exposure of sensitive customer information.
Hefty Fines and Penalties
Card brands (such as Visa or Mastercard) can fine your acquiring bank, which will then pass the cost down to you. These fines can range from £5,000 to £100,000+ per month, depending on the size of the company, the violations committed and the duration of said violations.
Legal Liability
You may face civil lawsuits, regulatory investigations, government investigations or liability for damages suffered by affected customers or businesses in the event of a cybersecurity breach.
Increased Costs
In the event of a security incident, you'll likely pay for:
Loss of Payment Processing Privileges
Acquiring banks can terminate your ability to process card payments. Getting reinstated is difficult and expensive, and processors could refuse to work with you.
Reputation Damage
Loss of customer trust can be long-term and, in some cases, permanent. If the media covers your company's data breach, your brand can be severely harmed, losing existing customers and making it harder to gain new ones.
Business Disruption
After a security breach, your organisation's systems may be shut down or isolated during an investigation. You'll likely have to go through a remediation process, halting normal business operations. Compliance enforcement actions can create ongoing scrutiny and oversight.
PCI DSS compliance is not optional if your business handles payment data. Ensuring your company falls in line with security regulations not only keeps your brand protected but also maintains customer trust and makes your business a more attractive company to work with.
At Igentics, we work alongside our partners to ensure all client payment data is kept as secure as possible, keeping up to date with relevant guidelines and implementing the most advanced security practices to maintain smooth business operation.