Does your business take credit card or debit card payments? If so, you should make sure you meet PCI DSS compliance standards.
Here’s a look at PCI DSS’s meaning, its requirements and what it takes to achieve compliance.
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of rules aimed at making card payments safer and keeping the risk of fraud as low as possible. The guidelines set out how you should store, transmit and process your customers’ credit and debit card information.
PCI DSS came to be in 2006. At the time, e-commerce had just started booming. But lax security standards meant card fraud was at all-time highs.
During 2006, for instance, British consumers lost £212.7 million to online fraud. So, the five biggest card schemes in the world — Visa, MasterCard, American Express, Diners’ Club and JCB — got together to make online payments safer.
The result was the PCI Security Standards Council. This Council administers the PCI DSS standards.
As then Chairperson Seana Pitt explained:
“The payment brands that founded the Council are committed to ensuring the ongoing development of data security standards that are both efficient and effective. The creation of this Council is a significant step forward in protecting cardholder information and it underscores the critical nature of this effort.”
PCI DSS compliance isn’t a legal requirement in the UK. That said:
● The vast majority of UK banks and financial institutions comply, which means it’s in your best interest to comply too.
● Credit and debit card data isn’t just financial information. It’s also personal data, and keeping personal data secure is a legal requirement under the General Data Protection Regulation (GDPR).
The upshot is that not complying with PCI DSS requirements has several serious consequences. In particular:
● Banks risk fines for security breaches. If you’re not PCI DSS-compliant, they can pass these fines on to you. Penalties can range from £3,000 to as much as £60,000.
● You could get charged higher payment processing fees to make up for the added risk or even banned from accepting card payments.
● Suffered a data breach? The Information Commissioner’s Office will take into account whether you’re PCI DSS-compliant when investigating if you’re to blame and how much to fine you.
● Customers won’t buy from a website they don’t trust. In one study, 77 percent of consumers said they’d think twice about shopping from a site that didn’t have the green padlock in the address bar.
PCI DSS is made up of 12 requirements. These requirements are then split into six groups called ‘control objectives’. The control objectives are to:
● Build and maintain a secure network and systems
● Protect cardholder information
● Create a Vulnerability Management Programme
● Put in place strong access control measures
● Monitor and test networks regularly
● Put an information security policy in place
Let’s have a more in-depth look at each of these objectives in turn.
To meet the first objective (build and maintain a secure network and systems), you’ll need to do two things:
● Store cardholder information, that is names, card numbers, billing addresses and so forth, securely
● Never use the default passwords and security parameters your software and hardware come pre-installed with
PCI DSS standards specify that you should store sensitive data behind a firewall. But this doesn’t necessarily mean you have to set one up on your local network. In fact, to make sure the data is as safe as possible, you should:
● Partner with a PCI DSS-compliant payment processor. Companies such as Stripe and Square can process card payments and also store card data securely on your behalf.
● Collect card data using secure forms. Card-on-file, for instance, passes on card data to your PCI DSS-compliant payment processor for secure storage. Note that text fields aren’t PCI DSS-compliant, even if they’re encrypted. You’ll need a card-specific field.
● Get your customers’ permission before storing their details. You should never store card details — or any other personal data — without your customers’ express consent.
● Only store the least amount of information necessary to complete the transaction. You should also make it clear to your customers what information you’re collecting, where you store it and what you use it for.
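The ‘store the least amount of information necessary’ point above, as an added example (not code from the original article or from any payment processor): a merchant-side filter that keeps only the tokenised fields a processor hands back, rejects anything that still carries a full card number, and masks card numbers in free text such as log lines. The field names and the payload are constructed for the example; a real processor’s response format will differ.

```python
import re

# Fields a merchant may persist once the processor holds the card (constructed allow-list).
# The full card number (PAN) and the CVC/CVV never belong in your own database.
ALLOWED_FIELDS = {"token", "brand", "last4", "exp_month", "exp_year"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with first-6/last-4 masking."""
    def _mask(m: re.Match) -> str:
        pan = m.group(0)
        if not luhn_ok(pan):
            return pan            # e.g. an order number: leave it alone
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return re.sub(r"\b\d{13,19}\b", _mask, text)

def contains_pan(value: str) -> bool:
    return mask_pans(value) != value

def minimal_card_record(payload: dict) -> dict:
    """Keep only the allow-listed fields; refuse to persist anything holding a PAN."""
    record = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    for key, value in record.items():
        if contains_pan(str(value)):
            raise ValueError(f"field {key!r} still contains a full card number")
    return record

if __name__ == "__main__":
    # Constructed payload: what a sloppy form post plus a processor token might look like
    sample = {"token": "tok_constructed_1", "brand": "visa", "last4": "4242",
              "exp_month": 12, "exp_year": 2030,
              "number": "4242424242424242", "cvc": "123"}
    print(minimal_card_record(sample))
    print(mask_pans("payment for 4242424242424242 declined, order 1234567890123456"))
```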
The second requirement is pretty straightforward. Change system passwords regularly, and make them as secure as possible. In particular:
● Avoid short passwords, as these are easier to guess. As a rule, aim for at least six characters.
● Use a mix of lowercase letters, capital letters, numbers and special characters, such as exclamation marks and hash signs.
● Avoid memorable words and phrases. Think you might forget a meaningless password? Use a secure password manager such as LastPass or 1Password.
● Never, ever reuse an old password.
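The four password rules just listed, as an added example (not code from the original article): a checker that applies the length, character-mix, memorable-word and no-reuse rules. The minimum length defaults to the six characters the article gives; the word list is a constructed sample; and the reuse check compares against salted PBKDF2 hashes of earlier passwords so that the history never stores the old passwords themselves.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of memorable words to refuse; a real deployment would use a much larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "shop"}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember_password(password: str, history: list) -> None:
    """Record a (salt, digest) pair so later reuse can be detected without keeping the password."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def check_password(password: str, history: list, min_len: int = 6) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = [name for name, rx in CHARACTER_CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a memorable word")
    for salt, digest in history:
        # constant-time comparison so timing does not reveal how close a guess was
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("reuses an old password")
            break
    return problems

if __name__ == "__main__":
    history = []
    remember_password("Tr!c9kwz", history)
    for candidate in ("Tr!c9kwz", "Password!1", "aB1!", "G7#pq2Lm"):
        print(candidate, check_password(candidate, history) or "OK")
```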
To meet the second objective (protect cardholder information), you’ll need to:
● Protect any stored card data
● Make sure sensitive data is encrypted when you transmit it across the internet
Here again, your PCI DSS-compliant payment processor can come to the rescue by storing card data and handling payments securely on your behalf. That said, you’ll also want to make sure your website is set up securely.
In particular, it should serve pages over HTTPS using TLS 1.2 (Transport Layer Security version 1.2) with a valid certificate.
Many payment processors, including PayPal and Stripe, plan to start refusing websites that don’t support TLS 1.2. Which means that, unless you set it up, you risk being unable to process card payments at all.
You can get a certificate for free from Let’s Encrypt. Some e-commerce platforms, such as Shopify, are set up so that they use TLS 1.2 automatically.
The third objective (a Vulnerability Management Programme) involves:
● Using a robust, regularly updated anti-virus software program. Yes, even if you use a Mac.
● Developing and maintaining secure systems and applications
The second point means software developers should keep PCI DSS requirements in mind when they’re creating systems or apps that handle financial information in some way. As a small business, you can make sure you’re covered by only using apps and software that explicitly state they’re PCI DSS compliant.
To meet the fourth objective (strong access control measures), you have to:
● Make sure staff only have access to data if it’s strictly necessary
● Assign a unique ID to each person on your staff with computer access
● Restrict physical access to cardholder data
Put simply, your staff should have access to sensitive customer information strictly on a need-to-know basis.
You should also be able to identify who is accessing online and offline systems easily.
Making it easy to identify who is accessing customer information is only the start. For this to be effective, you also have to keep track of who’s doing what with that data. The upshot of monitoring is that:
● You can instantly trace the source of a breach
● More importantly, it keeps everyone who has access to your customers’ sensitive data accountable for their actions
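The access-control and monitoring points above (need-to-know access, a unique ID per person, and an audit trail you can trace a breach through), as an added example that is not code from the original article: every access decision is made against a per-role permission set and written to an audit log under the individual’s own user ID, and two helpers answer the questions an investigation asks first. Roles, permissions and user IDs are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Need-to-know permissions per role (constructed). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "support": {"customer:read"},
    "finance": {"customer:read", "payment:read", "payment:refund"},
    "warehouse": set(),
}

def authorise(log: list, user_id: str, role: str, action: str, record_id: str) -> bool:
    """Decide whether this person may perform the action, and log the attempt either way."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())   # unknown role: deny by default
    log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,        # one ID per person, never a shared 'admin' login
        "role": role,
        "action": action,
        "record": record_id,
        "result": "allow" if allowed else "deny",
    }))
    return allowed

def who_touched(record_id: str, log: list) -> list:
    """Trace every (user, action, result) against one record, e.g. after a customer reports fraud."""
    events = (json.loads(line) for line in log)
    return [(e["user"], e["action"], e["result"]) for e in events if e["record"] == record_id]

def denied_attempts(log: list) -> dict:
    """Count denied attempts per user: repeated denials are a signal worth reviewing."""
    counts: dict = {}
    for line in log:
        e = json.loads(line)
        if e["result"] == "deny":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

if __name__ == "__main__":
    audit_log: list = []
    authorise(audit_log, "u-ann", "finance", "payment:refund", "cust-17")
    authorise(audit_log, "u-bob", "warehouse", "customer:read", "cust-17")
    authorise(audit_log, "u-cara", "support", "customer:read", "cust-17")
    print(who_touched("cust-17", audit_log))
    print(denied_attempts(audit_log))
```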
You should also regularly test your system for vulnerabilities. Not especially tech-savvy or don’t have an IT specialist on staff? You should consider outsourcing to an IT support service provider.
Employees are the leading cause of cybersecurity breaches. So, your written security policy should make clear what’s expected of them. Nothing should be left open to interpretation.
Your policy should cover:
● How sensitive customer information is stored, processed and transmitted and the procedures your staff must follow at every stage.
● Security awareness training. All members of staff should attend training when they first join your business and have regular refreshers. But it’s especially critical for those staff members who have access to sensitive data.
● What happens if there’s a breach? This scenario should cover how to identify red flags, what actions to take and how to limit the damage.
It’s also important to review these written policies regularly, especially if there’s a breach.
There are four levels of PCI DSS compliance. These are:
● Level 1 — this applies to businesses that process more than six million card transactions a year
● Level 2 — this applies to businesses that process more than one million but less than six million transactions a year
● Level 3 — this applies to businesses that process more than 20,000 but less than one million transactions a year
● Level 4 — this applies to businesses that process less than 20,000 transactions a year
Businesses at all levels have to have a quarterly network scan by an approved scan vendor. This audit will look for areas where your security is weak. You’ll also get verification once you fix any issues that come up during your scan, which is great for proving your ongoing PCI DSS compliance.
You can search for an approved scan vendor using this handy online tool.
Depending on your level, you’ll also need to take additional compliance measures every year.
Level 2, level 3 and level 4 businesses have to:
● Complete a self-assessment questionnaire. This assessment is a series of yes/no questions designed to help you find out how compliant you are. There are nine versions of the questionnaire; you’ll need to do the one that’s relevant to your business.
● Submit an Attestation of Compliance form. This document confirms that you’re PCI DSS-compliant.
Level 1 businesses also have to submit an Attestation of Compliance form.
That said, they don’t have to complete the self-assessment questionnaire. Instead, they have to file a report on compliance signed by a Qualified Security Assessor or internal auditor.
You can find a Qualified Security Assessor using this online tool.
PCI DSS compliance may not be a legal requirement, but it can certainly make a huge difference to your business. Minimising the risk of financial fraud is right for your customers, good for your reputation and, ultimately, good for your bank account.
What better reason to get cracking, right?
Need further help?
Use this tool to get in touch with a qualified security assessor in your area.