Welcome to Avanté Consultants

PCI-DSS


WHAT IS PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.


While the PCI SSC has no legal authority to compel compliance, the card brands require it of any business that processes credit or debit card transactions. PCI certification is also widely regarded as the best way to safeguard sensitive data and information, helping businesses build long-lasting, trusting relationships with their customers.


PCI DSS CERTIFICATION

PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of anti-virus software


In addition, businesses must restrict access to cardholder data and monitor access to network resources.


PCI-compliant security provides a valuable asset that informs customers that your business is safe to transact with. Conversely, the cost of noncompliance, both in monetary and reputational terms, should be enough to convince any business owner to take data security seriously.


A data breach that reveals sensitive customer information is likely to have severe repercussions on an enterprise. A breach may result in fines from payment card issuers, lawsuits, diminished sales and a severely damaged reputation.


After experiencing a breach, a business may have to cease accepting credit card transactions, or be forced to pay higher subsequent charges than the initial cost of security compliance. The investment in PCI security procedures goes a long way toward ensuring that other aspects of your commerce are safe from malicious online actors.



PCI DSS COMPLIANCE LEVELS

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.


Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorized PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).

Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.

Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.

Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.



PCI DSS REQUIREMENTS

The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Grouped under six broader goals, all of them must be met for an enterprise to become compliant.

1) Secure network
  • A firewall configuration must be installed and maintained
  • System passwords must not be defaults (i.e. not vendor-supplied)

2) Secure cardholder data
  • Stored cardholder data must be protected
  • Transmissions of cardholder data across public networks must be encrypted

3) Vulnerability management
  • Anti-virus software must be used and regularly updated
  • Secure systems and applications must be developed and maintained

4) Access control
  • Access to cardholder data must be restricted to a business need-to-know basis
  • Every person with computer access must be assigned a unique ID
  • Physical access to cardholder data must be restricted

5) Network monitoring and testing
  • Access to cardholder data and network resources must be tracked and monitored
  • Security systems and processes must be regularly tested

6) Information security
  • A policy dealing with information security must be maintained

Business Benefits of PCI Compliance

Below is a list of the benefits a business gains when it implements PCI DSS:


Decreased risk of security breaches

PCI compliance isn’t just about satisfying a list of guidelines; it’s a very real and proven way to protect your data and your customers’ data from outside attacks. In fact, a recent Verizon study found that compliant businesses are 50% more likely to successfully withstand a breach.


Peace of mind for you (and your clients)

With breaches much less likely to happen, you’ll have one less thing to worry about in the daily course of running your business. You’ll appreciate this peace of mind, and over time, your customers will, too (see the next benefit below).


Boost in customer confidence

Your customers may not currently understand every detail of what it means to be compliant, but their awareness of the issue is growing. Every day, more of your customers are becoming savvy about how their data is protected when they use their credit cards. It’s only a matter of time before customers see PCI compliance as a sign that your business follows best practices. That feeling of security will directly increase buyers’ confidence and make them more likely to choose you over a non-compliant competitor.


Avoid costly fines

PCI compliance dramatically lowers your likelihood of being breached, but it doesn’t completely eliminate the possibility. If you are breached, fines can grow as high as $500,000 per incident. Companies that are PCI compliant significantly reduce their risk of a breach and, therefore, their likelihood of receiving a fine. If a company is breached, regardless of its state of compliance, it must immediately inform its customers and its processor of the data breach in writing. The processor or bank will then initiate an audit of that company to determine whether the merchant was in fact PCI DSS compliant at the time of the breach.


Relatively quick and easy

This is one benefit that comes from what PCI compliance doesn’t do: with the right partner, you won’t have to make substantial changes to, or disrupt, your business while attaining compliance. The process may seem complicated (and in many ways it is), but a good compliance partner will shield you from the complexities and make it seem simple.


Why is PCI DSS Compliance Important?

Being compliant with PCI DSS means that you are doing your very best to keep your customers’ valuable information safe, secure and out of the hands of people who could use that data fraudulently. Not holding on to card data in the first place reduces the risk that your customers will be affected by fraud.


Complying with the PCI DSS

The first thing a merchant needs to do is fully understand how card payments are processed in its organisation. In particular, if your e-commerce environment is capturing, storing, processing or transmitting card data, think very carefully about whether this is really necessary.


If I’m not compliant, what may happen to me and my business?
  • You may be liable for non-compliance fines if you do not work towards compliance with your acquirer, and ultimately your acquirer may be forced to terminate your relationship, which will prevent you from accepting payments by card.
  • Your customers’ data may be at risk of compromise and subject to fraudulent use. Fraudsters target the weak links in the payment chain to steal payment data (card numbers and card security codes) and customers’ personal information (names, addresses, phone numbers, email addresses, dates of birth etc.) for the purpose of committing fraud.
  • If your environment is identified as a Common Point of Purchase (CPP) for fraud (that is, if you are suspected of having suffered a data compromise), you will be required to engage a PCI Forensic Investigator (PFI) to establish the source of the breach and ensure any compliance gaps are closed. The cost of a forensic investigation can run into thousands of pounds, and you will be liable for these costs if evidence of a compromise is established.
  • There are considerable Card Scheme fines associated with non-compliance following a data compromise; these can range from ten thousand to hundreds of thousands of pounds. Many non-compliant merchants have ceased trading because the fines could not be accommodated. The fines are passed from the Card Scheme to the acquirer and then on to the merchant.
  • Reputational damage is also a consideration if you are compromised and lose card data, because it may lead to a loss of customer confidence that could seriously affect customers’ willingness to continue doing business with you.