What is PCI-DSS?

PCI DSS is a set of comprehensive requirements for enhancing payment data security. The standard was developed by all major card companies to offer consistent data security measures on a global basis. The standard covers both credit card and debit card transactions. It extends across online, retailers and call-centre environments.

Who should become PCI-DSS Compliant?

PCI DSS includes requirements for security management, policies, procedures, network architecture, and software design. The standard is intended to help organisations proactively protect customer account data. All organisations that store, process or transmit card data are required to comply with the PCI DSS. Compliance is mandatory for all these organisations, irrespective of their size.

Even if your card payment systems are outsourced and therefore your internal systems do not have to be compliant, it is good to demonstrate you are looking at best practice for protecting your data. A lot of the general principles of PCI-DSS are good practice, even if you are not using credit cards but are processing other sensitive types of data, making it widely recognised as a benchmark of good security practice.

An organisation that already follows best practice security policies should find the PCI-DSS compliance process quite straightforward.

How is PCI DSS enforced?

The standard is enforced by acquiring banks and many of these institutions are now proactively contacting their merchants-service account holders to ensure that they have embarked on a PCI DSS compliance program. Organisations that are not deemed to be working towards achieving compliance can be fined by the acquiring banks. The approach that is taken will vary from bank to bank, however this can includes a fixed charge fine or a per-transaction surcharge up to the point where the merchant achieves compliance.

What is the cost of not complying?

Offending organisations can expect to receive penalties or charges, which could easily be avoided through achieving compliance.

Suffering payment card losses or a breach of customer date due to not being compliant could damage your organisation's reputation.

Not being able to demonstrate compliance to a suitable security standard could also affect your organisation's ability to do work with other organisations or win government contracts.

Compliance Process

Your company must confirm that it is complying with the Data Security Standard annually, if it handles credit card data electronically. This involves delivering a package of two or three items:

  • Self Assessment Questionnaire
  • Regular network or web site scanning by an Approved Scanning Vendor (may not be required in some cases) and a Report on Compliance by a Qualified Security Assessor (only needed by the very largest companies)
  • Confirmation of Compliance

PCI-DSS Version 3.0 Changes

Click here to see the changes from version 2 to version 3.0

Please call 01993 623 010 to find out how Whitehelm can help you with the security challenges you are facing and how your company can benefit from a PCI DSS solution or e–mail sales@whitehelm.com