Merchants and service providers that process, transmit or store cardholder data have to comply with the Payment Card Industry Data Security Standard (PCI DSS).
The Verizon 2015 PCI Compliance report found that, of all the data breaches investigated over the last ten years, not a single company has been found compliant with the PCI DSS at the time of the breach. We’ve summarised some of the report’s findings in an infographic.
Resources to help you comply with the PCI DSS
Compliance with the PCI DSS is seen as complicated partly due to the many requirements and sub-requirements that organisations need to meet. There is also some confusion as to which self-assessment questionnaire (SAQ) needs to be completed and whether a vulnerability assessment mechanism is required.
We’ve compiled a list of resources to facilitate compliance.
The PCI DSS requirements
First things first. You cannot approach compliance without understanding the requirements. The official PCI DSS document explains each of the 12 requirements and many sub-requirements in detail, and provides guidance on how to comply.
If you need a quick summary of the requirements, visit the PCI DSS requirements page.
PCI DSS v3.0 & 3.1: What has changed?
If you aren’t new to the PCI DSS and want to gain a quick overview of the recent changes the Standard has undergone, the paper PCI DSS v3.0 & 3.1: What has changed should be useful.
The PCI DSS self-assessment questionnaire (SAQ)
The PCI DSS self-assessment questionnaire (SAQ) is a validation tool for qualifying merchants and service providers that are not required to undergo an on-site data security assessment or submit a report on compliance (ROC). The purpose of the SAQ is to assist organisations in self-evaluating their compliance with the PCI DSS.
The PCI SAQ page will help you identify which SAQ you need to complete, and whether a vulnerability assessment mechanism is required.
All of the latest SAQs can be found on the PCI Security Standards Council’s website.
PCI DSS: Reducing the cardholder data environment
When implementing the PCI DSS, it is important to define the areas of your organisation to which the Standard will apply. Reducing the cardholder data environment (CDE) can reduce the cost of implementation, but doing so can be a complex and challenging task.
The green paper PCI DSS: Reducing the cardholder data environment will help you reduce the CDE, thereby minimising compliance costs and resources.
PCI DSS documentation
Documentation (in the form of policies, procedures, checklists and supporting forms) is an integral part of a PCI DSS compliance programme. It must support all applicable PCI requirements and provide practical operational guidelines for anyone working with payment card data.
PCI DSS case study
When embarking on a new project, it’s always helpful to learn about other people’s experiences and how they dealt with the same challenges. A case study will provide further insight into the matter and may also give you some extra tips for your project.
Read the Appletree Communications case study to learn how they tackled PCI DSS compliance.
Help with PCI compliance
Finally, if you find yourselves overwhelmed by the task of fulfilling the PCI DSS requirements, we advise that you get help from an experienced PCI DSS service provider to ensure you are compliant.
Alternatively, email firstname.lastname@example.org or call us on +44 (0)20 3633 2144 to discuss your requirements.