Any organisation that handle branded credit or debit cards must meet the Payment Card Industry Data Security Standard (PCI DSS), which is an information security standard administered by the Payment Card Industry Security Standards Council. Cybercriminals have become more sophisticated in their digital crimes, and so the standard was created in response to the rise in technological advances. By increasing controls around cardholder data, the council's main objective is to reduce credit card fraud and data breaches.
Payment Card Industry Security Standards Council
The main role of the PCI Security Standards Council is to maintain and endorse PCI DSS. It also helps businesses by providing critical tools needed for implementation of the standards. For example, the council take responsibility for administrating assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programmes.
The founding members of the council include American Express, Discover Financial Services, JCB International, Mastercard, and Visa. As part of their membership, they've agreed to incorporate the PCI DSS as part of the technical requirements for each of their data security compliance programs.
What are the requirements?
In order to be compliant with PCI DSS and receive certification, your business must comply with the 12 requirements:
Build and maintain a secure network:
1) Businesses must install and maintain a firewall configuration to protect cardholder data.
2) Businesses should not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
3) Businesses are required to protect stored cardholder data.
4) Transmission of cardholder data across open, public networks must be encrypted.
Maintain a vulnerability management programme:
5) Businesses should use and regularly update anti-virus software or programs.
6) Businesses are required to develop and maintain secure systems and applications.
Implement strong access control measures:
7) Businesses must restrict access to cardholder data by business need-to-know.
8) A unique ID should be assigned to each person with computer access.
9) Businesses should restrict physical access to cardholder data.
Regularly monitor and test networks:
10) All access to network resources and cardholder data should be tracked and monitored.
11) Businesses must regularly test security systems and processes.
Maintain an information security policy:
12) Finally, businesses should maintain a policy that addresses information security for all personnel.
Who needs to be compliant?
Any entity that stores, processes or transmits cardholder data should comply with PCI DSS. Merchant and service provider levels give a ranking relating to annual transactions. This ranking determines the risk level of a merchant or service provider, and the appropriate level of security for their business. This also determines the assessment and validation requirements for each merchant and service provider. A merchant will have four levels, whilst a service provider has two.
An organisation's compliance with the PCI DSS must be validated annually or quarterly through on-site assessments or questionnaires. Either an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA) takes responsibility for this validation by creating a Report on Compliance for organisations handling large volumes of transactions.
The PCI Security Standards Council certify QSAs with a certificate, which gives them authority to audit merchants for PCI DSS compliance. ISAs are individuals who've earned a certificate from the PCI Security Standards Company for their sponsoring organisation. This individual can perform PCI self-assessments for their business. If a company handles smaller volumes of transactions, they're permitted to carry out a Self-Assessment Questionnaire (SAQ). The SAQ involves a set of Questionnaires documents that merchants are required to complete every year and send to their transaction bank.
For compliance to be validated, an organisation's security controls and procedures must be evaluated to ensure that they've been properly implemented. Assessors will compare their findings against the policies recommended by the PCI DSS to determine whether the measures are adequate. By implementing ongoing compliance assessments, the council are able to regulate the conduct of all organisations and ensure they're handling card payment data responsibly and safely.
Why is PCI DSS important?
Technically, compliance with the standards for PCI DSS is not required by law in the UK. However, if your business fails to comply with the requirements, you could be at risk for data breaches, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more. The main objective of the PCI DSS is to keep customers' payment card data safe. However, the requirements are also in place to protect businesses from data breaches and digital crimes. Occasionally, businesses might have to cease accepting credit card transactions if they experience a data breach, which can be detrimental to sales. If customers' sensitive information is compromised, organisations also face prosecution and hefty fines. Therefore, whilst complying with the standards might seem like a lengthy process, they're there to protect both consumers and businesses.