PCI DSS Compliance Guide
What is the PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard and is an information security standard that was developed by an industry body of card brands, including Visa and MasterCard. In essence, PCI DSS is a set of controls that must be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and payment cardholder data from being compromised or stolen.
What Payment Cards are in Scope of the PCI DSS?
The payment cards which are covered by the PCI DSS are any debit, credit, or pre-paid cards branded with one of the following 5 major payment brands:
- American Express
- Discover
- JCB
- MasterCard
- Visa
Who ‘Manages’ the PCI DSS?
The PCI DSS scheme is managed by the Payment Card Industry Security Standards Council (SSC), with its members being made up of the 5 major payment brands.
What are the objectives of the PCI DSS?
The Standard was created to increase controls around cardholder data to facilitate consistent, effective and reliable data security measures, as well as greater accountability across every entity in the payment ecosystem, in order to reduce levels of fraud.
Is the PCI DSS a Risk-Based Standard?
Unlike standards such as ISO 27001, there is no risk assessment and management component to the PCI DSS. It provides a mandatory baseline of 12 technical and operational requirements, which all organisations processing payment cardholder data must comply with.
URM has produced a separate video detailing each of the 12 control requirements.
What does PCI Compliance mean?
An entity may be considered PCI DSS compliant, if all the applicable PCI DSS requirements are being met.
It is important to note that the PCI DSS is an ‘all or nothing’ type of standard, meaning all of the applicable requirements must be fulfilled. Not fully satisfying just 1 requirement will result in the entire entity being considered non-compliant.
Does my organisation need to comply with the PCI DSS?
The simple answer is yes, if your organisation stores, processes and/or transmits cardholder data or has the ability to impact the security of such data.
Why is PCI DSS Compliance important?
By complying with the requirements of the Standard, you can keep cardholder data secure, help minimise costly data breaches and provide assurance to customers that their payment data is safe.
Furthermore, if your organisation is ever involved in a data breach, being PCI DSS compliant will help to minimise any fines and will also reduce the cost of the breach.
What’s the difference between a merchant and service provider?
A merchant is any entity that accepts payment cards bearing the logos of American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services.
A service provider is an entity which isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business.
Clarifying Confusion Regarding PCI DSS – Merchants vs Service Providers
URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchant or service provider), how to validate compliance, how to reduce the burden of compliance and what exactly is expected in terms of implementation. The articles we provide below will clarify this. They are divided into Part 1 and Part 2.
What are the levels of merchants and service providers and what is the significance of the different levels?
There are 4 levels of merchants and 2 levels of service providers.
The levels are predominantly determined by the number of payment card transactions by card brand with level 1 representing the highest number of transactions.
The level determines the amount of assessment and security validation required to confirm PCI DSS compliance. Level 1 requires assessment by a Qualified Security Assessor (QSA) organisation. All other levels can be self-certified by completing a self-assessment questionnaire, although your organisation may benefit from a QSA verifying your questionnaire.
What is a PCI DSS self-assessment questionnaire (SAQ)?
A self-assessment questionnaire or SAQ is a way of reporting and demonstrating compliance with the PCI DSS. As you can imagine, there are a number of different ways an entity can accept and process card payments, and as such the PCI Security Standards Council has developed different SAQs for different payment channels.
What is a Report on Compliance (RoC)?
Level 1 merchants and service providers, and those who have suffered data breaches, are required to be assessed by a third-party QSA organisation. The end product of the assessment is a RoC, which is an abbreviation for a Report on Compliance document. This is a very detailed document which assesses the merchant’s or service provider’s compliance with all the relevant PCI DSS requirements.
What is an AoC?
The abbreviation AoC refers to the Attestation of Compliance document. This is a form where merchants and service providers ‘attest’ to the results of a PCI DSS assessment. An AoC needs to be completed for either a completed RoC or a completed SAQ.
What is the Cardholder Data Environment or CDE?
When an organisation seeks to comply with the PCI DSS, the scope of the compliance is not the whole entity but the cardholder data environment or CDE as it is often referred to. From a PCI DSS perspective, this includes people, processes and technologies that store, process, and/or transmit cardholder data or sensitive authentication data. One of the first steps in a PCI DSS assessment is to determine the organisation’s CDE.
How do I reduce the burden of achieving PCI DSS compliance?
The most effective method of easing PCI DSS compliance is by segmenting your network. Every system that stores, processes and/or transmits cardholder data is in scope for PCI DSS. Additionally, every other system that is on the same network segment is also in scope, regardless of its involvement in cardholder data processing. It is important to understand that all PCI DSS requirements must be applied to every in-scope system, which is why network segmentation is so important.
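The scoping rule above, applied to a constructed system inventory as an added example (not URM’s or the PCI SSC’s code): the same five hosts are scoped once on a flat network and once after the cardholder data systems are moved into their own segment. It models only the same-segment rule stated here, and assumes the segments are genuinely isolated from each other.

```python
from collections import defaultdict

# Added example (not URM's or the PCI SSC's code): applies the scoping rule
# from the text above to a constructed inventory of (hostname, segment, handles CHD?).
FLAT_NETWORK = [
    ("pos-terminal-01", "corp-lan", True),
    ("payment-gw", "corp-lan", True),
    ("hr-fileserver", "corp-lan", False),
    ("marketing-wiki", "corp-lan", False),
    ("dev-build-box", "corp-lan", False),
]

# The same hosts after segmentation: CHD systems moved into a dedicated segment.
SEGMENTED_NETWORK = [
    ("pos-terminal-01", "cde-vlan", True),
    ("payment-gw", "cde-vlan", True),
    ("hr-fileserver", "corp-lan", False),
    ("marketing-wiki", "corp-lan", False),
    ("dev-build-box", "corp-lan", False),
]


def pci_scope(inventory):
    """Return the set of hostnames in PCI DSS scope.

    A segment is in scope as soon as one of its hosts stores, processes or
    transmits cardholder data; every host in that segment then inherits
    scope, whether or not it touches cardholder data itself.
    """
    hosts_by_segment = defaultdict(set)
    chd_segments = set()
    for host, segment, handles_chd in inventory:
        hosts_by_segment[segment].add(host)
        if handles_chd:
            chd_segments.add(segment)
    return set().union(*(hosts_by_segment[s] for s in chd_segments))


def scope_reduction(before, after):
    """Number of systems taken out of scope by re-segmenting."""
    return len(pci_scope(before)) - len(pci_scope(after))


if __name__ == "__main__":
    print("flat network in scope:     ", sorted(pci_scope(FLAT_NETWORK)))
    print("segmented network in scope:", sorted(pci_scope(SEGMENTED_NETWORK)))
    print("systems taken out of scope:", scope_reduction(FLAT_NETWORK, SEGMENTED_NETWORK))
```

On the flat network all five hosts are in scope, including the HR, marketing and build systems that never see card data; after segmentation only the two CHD hosts remain.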
More about URM Consulting and how it could support your PCI DSS compliance journey
URM’s team of PCI Qualified Security Assessors and consultants are some of the most experienced and proficient in the UK. Always adopting a pragmatic and tailored approach, our team can assist you with all aspects of PCI DSS compliance, from conducting a gap analysis and helping you reduce your CDE scope, to assisting you to complete a SAQ or conduct a full QSA-led RoC assessment.