What is the PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard and is an information security standard that was developed by an industry body of card brands, including Visa and MasterCard. The PCI DSS is a set of controls that must be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data from being compromised or stolen.
What payment cards are in scope of the PCI DSS?
The payment cards covered by the PCI DSS are any debit, credit, or pre-paid cards branded with one of the following 5 major payment brands:
- American Express
- Discover
- JCB
- MasterCard
- Visa
Who ‘manages’ the PCI DSS?
The PCI DSS scheme is managed by the Payment Card Industry Security Standards Council (SSC), with its members being made up of the 5 major payment brands.
What are the objectives of the PCI DSS?
The Standard was created to increase controls around cardholder data to facilitate consistent, effective and reliable data security measures, as well as greater accountability across every entity in the payment ecosystem, in order to reduce levels of fraud.
Is the PCI DSS a risk-based standard?
Unlike standards such as ISO 27001, there is no risk assessment and management component to the PCI DSS. It provides a mandatory baseline of 12 technical and operational requirements, which all organisations processing payment cardholder data must comply with. URM has produced a separate video detailing each of the 12 control requirements.
What does PCI compliance mean?
An entity may be considered PCI DSS compliant, if all the applicable PCI DSS requirements are being met.
It is important to note that the PCI DSS is an ‘all or nothing’ type of standard, meaning all of the applicable requirements must be fulfilled. Not fully satisfying just 1 requirement will result in the entire entity being considered non-compliant.
Does my organisation need to comply with the PCI DSS?
The simple answer is yes if your organisation stores, processes and/or transmits cardholder data or has the ability to impact the security of such data.
Why is PCI DSS compliance important?
By complying with the requirements of the Standard, you can keep cardholder data secure, help minimise costly data breaches and provide assurance to customers that their payment data is safe.
Furthermore, if your organisation is ever involved in a data breach, being PCI DSS compliant will help to minimise any fines and will also reduce the cost of a breach.
What’s the difference between a merchant and service provider?
A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services.
A service provider is an entity which isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.
Clarifying confusion regarding PCI DSS – merchants vs service providers
URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchants or service providers), how to validate compliance, how to reduce the burden of compliance and what exactly is expected in terms of implementation. The articles we provide you with below will clarify this.
What are the levels of merchants and service Providers and what is the significance of the different levels?
There are 4 levels of merchants and 2 levels of service providers. The levels are predominantly determined by the number of payment card transactions by card brand, with level 1 representing the highest number of transactions. The level determines the amount of assessment and security validation required to confirm PCI DSS compliance. Level 1 requires assessment by a qualified security assessor or QSA organisation. All other levels can be self-certified by completing a self-assessment questionnaire, although your organisation may benefit from a QSA verifying your questionnaire.
What is a PCI DSS self assessment questionnaire (SAQ)?
A self-assessment questionnaire or SAQ is a way of reporting and demonstrating compliance with the PCI DSS. As you can imagine, there are a number of different ways an entity can accept and process card payments and, as such, the PCI Security Standards Council has developed different SAQs for different payment channels.
What is a report on compliance (RoC)?
Level 1 merchants and service providers, and those who have suffered data breaches, are required to be assessed by a third-party QSA organisation. The end product of the assessment is a RoC, which is an abbreviation for a Report on Compliance document. This is a very detailed document which assesses the merchant’s or service provider’s compliance with all the relevant PCI DSS requirements.
What is an AoC?
The abbreviation AoC refers to the Attestation of Compliance document. This is a form where merchants and service providers ‘attest’ to the results of a PCI DSS assessment. An AoC needs to be completed for either a completed RoC or a completed SAQ.
What is the cardholder data environment or CDE?
When an organisation seeks to comply with the PCI DSS, the scope of the compliance is not the whole entity but the cardholder data environment or CDE as it is often referred to. From a PCI DSS perspective, this includes people, processes and technologies that store, process, and/or transmit cardholder data or sensitive authentication data. One of the first steps in a PCI DSS assessment is to determine the organisation’s CDE.
How do I reduce the burden of achieving PCI DSS compliance?
The most effective method of easing the PCI DSS compliance burden is by segmenting your network. Every system that stores, processes and/or transmits cardholder data is in scope for PCI DSS. Additionally, every other system that is on the same network segment is also in scope, regardless of its involvement in cardholder data processing. It is important to understand that all PCI DSS requirements must be applied to every in-scope system, hence why network segmentation is so important.
How do you go about choosing the correct SAQ?
This is a complicated question, the answer to which is highly dependent on the unique setup of your organisation. Each SAQ has a long list of eligibility criteria that you will need to work through to determine if it is applicable and, in some cases, you may be eligible to complete multiple SAQs for the different ways you take payment. Often, it is safest to work with an expert when selecting an SAQ, as it is not always a straightforward process.
There are many service providers that can store card data for you, which will immediately reduce your scope. Around a third of the requirements in the PCI DSS relate to card data storage, so outsourcing this function will automatically make them inapplicable to your organisation.
Can you remain PCI DSS compliant if staff are taking payments from home?
Technically yes, but practically it can be tricky. It’s extremely difficult to secure a home environment to the point that it is safe to take payments from, and you can’t be sure what’s going on within an individual’s home network.
There are technological solutions to this such as DTMF systems, which allow the card data to be processed while circumventing the staff member’s home network entirely.
Do international organisations need their offices in different countries to do their PCI DSS compliance separately?
This comes down to who those offices need to report their compliance to. Generally speaking, this will be the bank within the country in question. If the office/offices in each country are separate entities with their own corporate accounts, they will need to report compliance individually. However, if you have a single international account with a single bank, and this is used across all offices globally, you will probably only need to be compliant with that bank.
Is PCI DSS compliance a legal requirement for organisations that take payments?
This is a grey area and depends on where you are in the world. In the UK, the PCI DSS is not a legally required Standard, however, it is considered due diligence under the Data Protection Act (2018). The ICO has also fined organisations for non-compliance with the PCI DSS following card data breaches. In some US states it has been made a legal requirement, although it is not a federal law.
In most cases, PCI DSS compliance is a contractual agreement between your organisation and the bank. If you fail to meet the requirements of the Standard, the bank can void your contract and stop your organisation from taking card payments.
Can you outsource all payment functions in order to avoid the need to be compliant?
While you can outsource everything to do with PCI DSS, you still need to be compliant as, ultimately, you’re responsible for ensuring those card transactions are secure. It is your responsibility to ensure the third parties you outsource to are compliant with the Standard.