PCI DSS – The Payment Card Data Security Standard – What is it?

Published on 5 August 2022

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB.  The five founding members of the SSC, along with their strategic member payment brand UnionPay, continue to maintain and update the standard.

In a nutshell, it is a set of controls, defined in a Standard, that MUST be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data from being compromised or stolen.

The payment cards in scope of PCI DSS are any debit, credit or pre-paid cards branded with the logo of one of the six card brands that participate in the PCI SSC, i.e., American Express, Discover, JCB, MasterCard, Visa International and UnionPay.

Unlike risk-based standards such as ISO 27001, the PCI DSS controls that are in scope for you are mandatory.  Which controls you need to comply with, and whether you need to be assessed by an external specialist assessor or can ‘self-assess’ via a questionnaire, is determined by how you accept payments and by the volume, not the value, of your transactions.

As such, if you process, store or transmit cardholder data, or could affect the security of cardholder data as it is processed, stored or transmitted, PCI DSS applies to you.  Even if you have completely outsourced payment card handling, you still have a responsibility to ensure that your outsourcers and other third parties are PCI compliant.  Non-compliance with the Standard can result in a number of penalties, up to and including the ultimate sanction of losing the facility to take payment by card.  Sanctions can also include monthly penalties until compliance is achieved and increased payment card transaction fees.

Additionally, any data breach will typically lead to the organisation suffering a loss of reputation and goodwill with cardholders.  If the data breach also involves personally identifiable information (PII), the organisation may also be investigated and fined by the Information Commissioner’s Office (ICO).

So, where does your PCI compliance journey start?

The first step is understanding the flow of your payment card data.  By that we mean, where payment card information comes into your organisation, where it goes, who it is shared with, what systems and components it touches, where it is stored, what form it is stored as and who has access to it.

You need to consider every payment channel you use and the data flow for each one.  This determines your scope, and the aim should be to keep that scope as tight and contained as possible.  You also need to understand, as above, the annual volume (number) of transactions you take.  This determines which controls in the Standard you must comply with, i.e., which controls you need to implement, and whether you can complete a self-assessment questionnaire (SAQ) or need to undertake an external assessment.

Once you understand your payment card data flow, your scope and which controls in the Standard you need to comply with, what is next?  We would recommend that you conduct a gap analysis, so you can understand where you already comply and where you need to make improvements.
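Mapping where cardholder data actually lives usually means sweeping logs, exports and shared folders for primary account numbers (PANs) that have leaked outside the intended payment channel. The script below is an added example, not code from the original article or from URM: it scans a few constructed sample records (the card numbers are the industry's published test PANs, not real accounts), keeps only candidates that pass the Luhn check, and reports each finding with the middle digits masked (leading six, trailing four) so the discovery report does not itself become cleartext cardholder data. The file names and record contents are assumptions made up for the example.

```python
import re

# Constructed sample records (not from the original page): lines of the kind a
# discovery sweep might meet in a log export, a CRM note and a spreadsheet.
# The 16- and 15-digit numbers are well-known published test PANs.
SAMPLE_RECORDS = [
    ("web-app.log", "2022-08-05 10:14:02 INFO order=10045 card=4111 1111 1111 1111 status=approved"),
    ("crm-notes.txt", "Customer called to update card ending 4444: 5555555555554444 exp 09/26"),
    ("refunds.csv", "R-2231,378282246310005,19.99,GBP"),
    ("web-app.log", "2022-08-05 10:15:40 INFO order=10046 card=4111111111111112 status=declined"),
    ("helpdesk.txt", "Ticket 8812: phone +44 20 7946 0000, invoice 2022080500017"),
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all the card brands; filters out most
    non-card digit runs such as timestamps, invoice and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the leading six and trailing four digits of a PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid PANs found in one line of text."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def discover(records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each source that holds cleartext PANs to its masked findings.
    Sources with no valid PAN are omitted, so the result is the list of
    places that must either be brought into scope or cleaned up."""
    hits: dict[str, list[str]] = {}
    for source, line in records:
        for masked in find_pans(line):
            hits.setdefault(source, []).append(masked)
    return hits


if __name__ == "__main__":
    for source, pans in discover(SAMPLE_RECORDS).items():
        print(f"{source}: {len(pans)} PAN(s) -> {', '.join(pans)}")
```

Note that the declined-order line and the invoice number are digit runs of plausible length but fail the Luhn check, so they are not reported; a real sweep would still want a human to review borderline findings, and would run over files and database dumps rather than an in-memory list.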

Remember, whilst the controls are mandatory, there are a number of ways of achieving them, and you need to be pragmatic about how you do so: you still have a business to run!  Once the necessary improvements have been made, you can invite the external assessor in or complete the SAQ.

It’s important not to treat PCI compliance as a project or a one-off requirement, but as an ongoing journey: you need to obtain and then maintain compliance.  Whether your assessment is by an external specialist or you complete an SAQ, it is an annual process.  The assessment is a snapshot at a point in time, or at specific points through the year for time-sensitive tasks; however, the obligation to your clients and to those who trust you to process their card data is continuous, and you must maintain compliance to keep their confidence and protect your reputation.

Are you looking for help preparing for a PCI DSS assessment?

As a PCI Qualified Security Assessor (QSA), URM can assist you with a range of services, including conducting gap analyses, helping you reduce the scope of your cardholder data environment (CDE) and conducting penetration tests.