PCI DSS
PCI DSS stands for the Payment Card Industry Data Security Standard. It is an information security standard developed and maintained by a body founded by the major card brands, including Visa and MasterCard.
The PCI DSS is a set of controls applied to security policies, technologies and ongoing processes in order to protect payment systems from breaches and to prevent cardholder data from being compromised or stolen.
The payment cards which are covered by the PCI DSS are any debit, credit, or pre-paid cards branded with one of the following 5 major payment brands:
- American Express
- Discover
- JCB
- MasterCard
- Visa
The PCI DSS scheme is managed by the Payment Card Industry Security Standards Council (SSC), with its members being made up of the 5 major payment brands.
The Standard was created to increase controls around cardholder data to facilitate consistent, effective and reliable data security measures, as well as greater accountability across every entity in the payment ecosystem, in order to reduce levels of fraud.
Unlike standards such as ISO 27001, the PCI DSS does not allow an organisation to use its own risk assessment to decide which controls to apply (a risk assessment is still expected, but it cannot be used to drop a requirement). Instead, it provides a mandatory baseline of 12 technical and operational requirements with which every organisation that stores, processes or transmits cardholder data must comply. URM has produced a separate video detailing each of the 12 requirements.
Watch the “12 Compliance Requirements” video below.
An entity may be considered PCI DSS compliant only if all of the PCI DSS requirements that apply to it are being met.
It is important to note that the PCI DSS is an ‘all or nothing’ standard: every applicable requirement must be fully met. Failing to satisfy even one requirement results in the entire entity being considered non-compliant.
Does the PCI DSS apply to your organisation? The simple answer is yes if your organisation stores, processes and/or transmits cardholder data, or has the ability to affect the security of such data (for example, by providing authentication, logging or patching services to the systems that do).
By complying with the requirements of the Standard, you can keep cardholder data secure, help minimise costly data breaches and provide assurance to customers that their payment data is safe.
Furthermore, if your organisation is ever involved in a data breach, being PCI DSS compliant will help to minimise any fines and will also reduce the cost of a breach.
A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services.
A service provider is an entity which is not a payment brand but is directly involved in the processing, storage or transmission of cardholder data on behalf of another business, or which can otherwise affect the security of that data (a managed firewall or hosting provider, for example).
URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchant or service provider), how to validate compliance, how to reduce the burden of compliance, and what exactly is expected in terms of implementation. The articles below will clarify these points.
What is the significance of the different levels?
There are 4 levels of merchants and 2 levels of service providers.
The levels are predominantly determined by the number of payment card transactions processed per year, counted separately for each card brand, with Level 1 representing the highest transaction volume. Each brand publishes its own thresholds, so an organisation's level can differ from brand to brand.
The level determines the amount of assessment and security validation required to confirm PCI DSS compliance. Level 1 requires an on-site assessment by a Qualified Security Assessor (QSA) organisation (or, for merchants, an Internal Security Assessor where the card brand permits). All other levels can be self-certified by completing a self-assessment questionnaire, although your organisation may benefit from a QSA verifying your questionnaire.
A self-assessment questionnaire (SAQ) is a way of reporting and demonstrating compliance with the PCI DSS. There are a number of different ways an entity can accept and process card payments, and the PCI Security Standards Council has therefore developed different SAQs for different payment channels: for example, SAQ A for merchants who have fully outsourced all cardholder data functions to a compliant third party, and SAQ D for those who do not fit any of the more restricted channels. Selecting the wrong SAQ is a common error, and one that a QSA can help avoid.
Level 1 merchants and service providers, and any entity that has suffered a data breach, are required to be assessed by a third-party QSA organisation. The end product of the assessment is a Report on Compliance (ROC). This is a very detailed document which records the merchant’s or service provider’s compliance with each of the relevant PCI DSS requirements.
The abbreviation AoC refers to the Attestation of Compliance document. This is a form where merchants and service providers ‘attest’ to the results of a PCI DSS assessment. An AoC needs to be completed for either a completed ROC or a completed SAQ.
When an organisation seeks to comply with the PCI DSS, the scope of compliance is not the whole entity but the cardholder data environment (CDE). From a PCI DSS perspective, this includes the people, processes and technologies that store, process and/or transmit cardholder data or sensitive authentication data. One of the first steps in a PCI DSS assessment is therefore to determine and document the organisation’s CDE.
The most effective method of easing the PCI DSS compliance burden is to segment your network. Every system that stores, processes and/or transmits cardholder data is in scope for PCI DSS. In addition, every other system on the same network segment, or that can otherwise connect to the CDE, is also in scope, whether or not it is involved in cardholder data processing, as are systems that provide security services to the CDE (directory services, logging, patch management and the like). All PCI DSS requirements must be applied to every in-scope system, which is why network segmentation is so important. Note that segmentation only reduces scope if it is actually effective: the PCI DSS requires segmentation controls to be verified by penetration testing at least annually (and at least every six months for service providers), and an assessor will expect to see the evidence.
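To make the scoping rule above concrete, the following is an added example (written for this page, not URM's or the PCI SSC's own tooling) that classifies a constructed host inventory against a set of firewall allow rules. A host is treated as "CDE" if it sits in a CDE subnet (so a printer on the CDE segment is in scope even though it never touches card data), "connected-to" if any allow rule lets it initiate traffic to the CDE or be reached from it, "security-impacting" if it is tagged as providing security services, and "out-of-scope" otherwise. Running the same inventory against a flat any-to-any rule and against a restrictive rule set shows how segmentation shrinks the in-scope count. Host names, addresses, the role tags and the rule format are all assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Constructed inventory for the example; not real infrastructure.
@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    role: str  # assumed tagging scheme: "payment", "security" or "corporate"


@dataclass(frozen=True)
class Rule:
    src: str   # CIDR permitted to initiate the connection
    dst: str   # CIDR it may reach
    port: str  # "22", "514", "any", ...


HOSTS = [
    Host("pos-gw-01", "10.10.0.10", "payment"),
    Host("card-db-01", "10.10.0.20", "payment"),
    Host("print-01", "10.10.0.50", "corporate"),   # same segment as the CDE
    Host("jump-01", "10.20.0.5", "corporate"),
    Host("hr-web-01", "10.20.0.40", "corporate"),
    Host("ad-dc-01", "10.30.0.2", "security"),
    Host("siem-01", "10.30.0.3", "security"),
    Host("wiki-01", "10.40.0.8", "corporate"),
]

CDE_SUBNETS = [ip_network("10.10.0.0/24")]

# Flat network: one permissive rule, no effective segmentation.
FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", "any")]

# Segmented network: jump host may SSH in, CDE sends syslog to the SIEM and
# authenticates against AD; everything else is denied by default.
SEGMENTED_RULES = [
    Rule("10.20.0.5/32", "10.10.0.0/24", "22"),
    Rule("10.10.0.0/24", "10.30.0.3/32", "514"),
    Rule("10.10.0.0/24", "10.30.0.2/32", "any"),
]


def in_cde(host):
    """True if the host's address falls inside a CDE subnet."""
    return any(ip_address(host.ip) in net for net in CDE_SUBNETS)


def _overlaps(cidr_a, cidr_b):
    return ip_network(cidr_a).overlaps(ip_network(cidr_b))


def connected_to_cde(host, rules):
    """True if an allow rule lets this host reach the CDE, or the CDE reach it."""
    me = f"{host.ip}/32"
    for rule in rules:
        for cde in CDE_SUBNETS:
            if _overlaps(rule.src, me) and _overlaps(rule.dst, str(cde)):
                return True
            if _overlaps(rule.src, str(cde)) and _overlaps(rule.dst, me):
                return True
    return False


def classify(hosts, rules):
    """Map each host name to its PCI scope category under the given rule set."""
    scope = {}
    for host in hosts:
        if in_cde(host):
            scope[host.name] = "CDE"
        elif host.role == "security":
            scope[host.name] = "security-impacting"
        elif connected_to_cde(host, rules):
            scope[host.name] = "connected-to"
        else:
            scope[host.name] = "out-of-scope"
    return scope


def in_scope_count(scope):
    return sum(1 for category in scope.values() if category != "out-of-scope")


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        scope = classify(HOSTS, rules)
        print(f"{label}: {in_scope_count(scope)} of {len(HOSTS)} hosts in scope")
        for name, category in scope.items():
            print(f"  {name:12s} {category}")
```

The rule-based check is only a first pass: it tells you what your firewall policy claims, not what the network actually permits, so the segmentation it suggests still has to be confirmed by the penetration testing the Standard requires.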

PCI DSS v4 – Changes at a Glance
After several years wait, and to surprisingly little fanfare, the Payment Card Industry Security Standards Council (PCI SSC) released the new version of the PCI Data Security Standard (DSS) ...

The PCI SSC has recently released new remote assessment guidelines and procedures. Here we address a number of key questions: What are the main contents? What led to it being published? And others.

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability of the Standard. Even veterans of PCI DSS compliance...

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and...