PCI DSS – The Payment Card Data Security Standard – What is it?

Latest update:
5 Aug
2022

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB.  The five founding members of the SSC, along with their strategic member payment brand UnionPay, continue to maintain and update the standard.

In a nutshell, it is a set of controls, defined in a Standard, that MUST be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data from being compromised or stolen.

The payment cards which are in scope of PCI are any debit, credit, or pre-paid cards branded with one of the above 6 card brand logos that participate in the PCI SSC, i.e., American Express, Discover, JCB, MasterCard, Visa International and UnionPay.

Unlike risk-based standards, such as ISO 27001, the in-scope controls are mandated or compulsory.  Which controls you need to comply with, and whether you need to be assessed by an external specialist assessor or can ‘self-assess’ via a questionnaire, is determined by how you accept payments and the volume, not value, of transactions.

As such, if you process, store or transmit cardholder data or could affect the security of cardholder data as it is processed, stored or transmitted, PCI applies to you.  And even if you have totally outsourced payment card handling, you still have a responsibility to ensure that your outsourcers/third parties are PCI compliant.  Non-compliance to the Standard can result in a number of penalties being imposed, including the ultimate sanction of losing the facility to take payment via payment cards.  Sanctions can also include monthly penalties until compliance is achieved and increased payment card transaction fees.

Additionally, any data breach will typically lead to the organisation suffering a loss of reputation and goodwill with cardholders.  If the data breach also involves personally identifiable information (PII), the organisation may also be investigated and fined by the Information Commissioner’s Office (ICO).

So, where does your PCI compliance journey start?

The first step is understanding the flow of your payment card data.  By that we mean, where payment card information comes into your organisation, where it goes, who it is shared with, what systems and components it touches, where it is stored, what form it is stored as and who has access to it.

You need to consider every payment channel you use and the data flow for each one.  This will determine your scope, with the aim being to keep the scope as tight and contained as possible.  You also need to understand, as above, the annual volume (number) of transactions you take.  This will determine which controls in the Standard you must comply with i.e., which controls you need to implement, and whether you can complete a self-assessment questionnaire (SAQ) or if you need to undertake an external assessment.  So, once you understand your payment card data flow, your scope and which controls in the Standard you need to comply with, what is next?  We would recommend that you conduct a gap analysis, so you can understand where you comply and where you need to make improvements.

Remember, whilst the controls are mandatory, there are a number of ways of achieving them and you need to be pragmatic about how you do that –you still have a business to run!!  Once the necessary improvements have been made, you can now invite the external assessor in or complete the SAQ.

It’s important not to treat PCI compliance as a project or a one-off requirement, but as an ongoing journey – you need to obtain and maintain compliance.  Whether your assessment is by an external specialist, or you complete an SAQ, it is an ongoing annual process.  The assessment is a snapshot at a point in time or at specific points through the year for time sensitive tasks; however, the obligation to your clients and those who trust you to process their card data is continuous, and you must ensure you maintain compliance, keep their confidence and protect your reputation.

Thumbnail of the Blog Illustration
Information Security
updateD:
8/8/2022
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA)...

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
8/8/2022
Preparing for a Report on Compliance (ROC)

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, and particularly for those who are experiencing their first visit from a QSA. Like most trials...

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
5/8/2022
Can I Store Cardholder Data?

In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and, in particular, sensitive...

Read more
"
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.