PCI DSS – The Payment Card Data Security Standard – What is it?
So, let’s take a step back and define what is the Payment Card Industry Data Security is. Often referred to as PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB.
In a nutshell, it is a set of controls, defined in a Standard, that MUST be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data being compromised or stolen.
The payment cards which are in scope of PCI are any debit, credit, or pre-paid cards branded with one of the above five card association/brand logos that participate in the PCI SSC, i.e. American Express, Discover, JCB, MasterCard, and Visa International.
Unlike risk-based standards, such as ISO 27001, the in-scope controls are mandated or compulsory. Which controls you need to comply with, and whether you need to be assessed by an external specialist assessor or can ‘self assess’ via a questionnaire*, is determined by how you accept payments and the volume, not value, of transactions.
As such, if you process, store or transmit cardholder data or could affect the security of cardholder data as it is processed, stored or transmitted, PCI applies to you. And even if you have totally outsourced payment card handling, you still have a responsibility to ensure that your outsourcers/third parties are PCI compliant. Non-compliance to the Standard can result in a number of penalties being imposed, including the ultimate sanction of losing the facility to take payment via payment cards. Sanctions can also include monthly penalties until compliance is achieved and increased payment card transaction fees.
Additionally, any data breach will typically lead to the organisation suffering a loss of reputation and goodwill with cardholders. If the data breach also involves personally identifiable information (PII), the organisation may also, be investigated and fined by the Information Commissioner’s Office (ICO).
So, where does your PCI Compliance journey start?
The first step is understanding the flow of your payment card data by that we mean where payment card information comes into your organisation, where it goes, who it is shared with, what systems and components it touches, where it is stored, what form it is stored as and who has access to it.
You need to consider every payment channel you use and the data flow for each one. This will determine your scope with the aim being to keep the scope as tight and contained as possible. You also need to understand, as above, the annual volume (number) of transactions you take. This will determine which controls in the Standard you must comply with i.e. which controls you need to implement, and whether you can complete a self-assessment questionnaire (SAQ)** or you need to undertake an external assessment. Once you understand your payment card data flow, your scope and which controls in the Standard you need to comply with, what is next? We would recommend that you conduct a gap analysis. You need to understand where you comply and where you need to make improvements.
Remember, whilst the controls are mandatory, there are a number of ways of achieving them and you need to be pragmatic about how you do that –you still have a business to run!! Once the necessary improvements have been made, you can now invite the external assessor in or complete the SAQ**.
It’s important not to treat PCI compliance as a project or a one-off requirement but as an ongoing journey – you need to obtain and maintain compliance. Whether your assessment is by an external specialist or you complete an SAQ**, it is an ongoing annual process. The assessment is a snapshot at a point in time or at specific points through the year for time sensitive tasks ; however the obligation to your clients and those who trust you to process their card data is continuous, and you must ensure you maintain compliance, keep their confidence and protect your reputation.
*One change that was made with the introduction of v4.0 of the Standard on 31 March 2022 was the introduction of ‘Customised Validations’ where organisations can effectively meet the intent of any given requirement with a control that they design and implement. For more information see PCI DSS v4.0 changes at glance.
**It is expected that the PCI SSC will replace self-assessment questionnaires (SAQs) with merchant assessment forms (MAFs) during 2022. There will naturally be a grace period before SAQs are completely retired.