PCI DSS – The Payment Card Data Security Standard – What is it?

5 Aug

Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB.  The five founding members of the SSC, along with their strategic member payment brand UnionPay, continue to maintain and update the standard.

In a nutshell, it is a set of controls, defined in a Standard, that MUST be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data from being compromised or stolen.

The payment cards which are in scope of PCI are any debit, credit, or pre-paid cards branded with one of the above 6 card brand logos that participate in the PCI SSC, i.e., American Express, Discover, JCB, MasterCard, Visa International and UnionPay.

Unlike risk-based standards, such as ISO 27001, the in-scope controls are mandated or compulsory.  Which controls you need to comply with, and whether you need to be assessed by an external specialist assessor or can ‘self-assess’ via a questionnaire, is determined by how you accept payments and the volume, not value, of transactions.

As such, if you process, store or transmit cardholder data or could affect the security of cardholder data as it is processed, stored or transmitted, PCI applies to you.  And even if you have totally outsourced payment card handling, you still have a responsibility to ensure that your outsourcers/third parties are PCI compliant.  Non-compliance to the Standard can result in a number of penalties being imposed, including the ultimate sanction of losing the facility to take payment via payment cards.  Sanctions can also include monthly penalties until compliance is achieved and increased payment card transaction fees.

Additionally, any data breach will typically lead to the organisation suffering a loss of reputation and goodwill with cardholders.  If the data breach also involves personally identifiable information (PII), the organisation may also be investigated and fined by the Information Commissioner’s Office (ICO).

So, where does your PCI compliance journey start?

The first step is understanding the flow of your payment card data.  By that we mean, where payment card information comes into your organisation, where it goes, who it is shared with, what systems and components it touches, where it is stored, what form it is stored as and who has access to it.

You need to consider every payment channel you use and the data flow for each one.  This will determine your scope, with the aim being to keep the scope as tight and contained as possible.  You also need to understand, as above, the annual volume (number) of transactions you take.  This will determine which controls in the Standard you must comply with i.e., which controls you need to implement, and whether you can complete a self-assessment questionnaire (SAQ) or if you need to undertake an external assessment.  So, once you understand your payment card data flow, your scope and which controls in the Standard you need to comply with, what is next?  We would recommend that you conduct a gap analysis, so you can understand where you comply and where you need to make improvements.

Remember, whilst the controls are mandatory, there are a number of ways of achieving them and you need to be pragmatic about how you do that –you still have a business to run!!  Once the necessary improvements have been made, you can now invite the external assessor in or complete the SAQ.

It’s important not to treat PCI compliance as a project or a one-off requirement, but as an ongoing journey – you need to obtain and maintain compliance.  Whether your assessment is by an external specialist, or you complete an SAQ, it is an ongoing annual process.  The assessment is a snapshot at a point in time or at specific points through the year for time sensitive tasks; however, the obligation to your clients and those who trust you to process their card data is continuous, and you must ensure you maintain compliance, keep their confidence and protect your reputation.

Thumbnail of the Blog Illustration
Information Security
Published on
Top 5 common pitfalls of PCI DSS compliance

As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we are often asked by organisations which process card payments....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How can URM help you to achieve PCI compliance and what is our approach?

In our previous blog, we looked at where your PCI compliance journey starts. The first step is understanding the flow of your payment card data....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Preparing For a PCI DSS v4.0 Assessment

URM is sharing its experiences on how the changes to the PCI DSS v4 affect the assessment process and how organisations can best prepare for the differences.

Read more
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.