What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.
The Standard is administered by the PCI SSC (Payment Card Industry Security Standards Council).
Who needs to comply with the PCI DSS?
The PCI DSS applies to any organisation (regardless of size or number of transactions) that accepts, stores, transmits or processes cardholder data.
- If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties comply with the Standard.
- If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.
Why is PCI DSS compliance important?
Payment security is important for every merchant, financial institution or other organisation that stores, processes or transmits cardholder data.
According to UK Finance's Fraud the Facts 2019 report, unauthorised financial fraud losses totalled £844.8 million in 2018, an increase of 16% compared to 2017.
The cardholder data that you store can be stolen from many places, including:
- Compromised card readers;
- Filed paper records;
- Cardholder data stored in databases;
- Rogue access to your organisation’s wireless or wired network; and
- Concealed cameras recording the entry of authentication data.
If implemented correctly, the PCI DSS can help organisations secure cardholder data. It provides a baseline set of security requirements that lets organisations know what action they should take.
A key benefit of the Standard is the detailed action plan it provides – this can be applied to organisations of any size or type that use any method of processing or storing payment card data.
To find out more about the PCI DSS and why PCI DSS compliance is important, download our free brochure: The PCI DSS: Challenge or Opportunity?
Penalties for non-compliance with the PCI DSS
The breach or theft of cardholder data affects consumer confidence that results in the loss of business. Any merchant that breaches the PCI DSS could face serious consequences, including fines, litigation and reputational damage. The implications can be far-reaching and include:
- Fraud losses;
- Loss of customer confidence;
- Diminished sales;
- Cost of reissuing new payment cards;
- Higher subsequent costs of compliance;
- Legal costs, settlements and judgements;
- Fines and penalties;
- Termination of ability to accept payment cards; and
- Lost jobs.
Payment data – a target for attack
Payment card data is the prime target in attacks against commercial environments.
Indeed, the 2019 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with CNP (card-not-present) data making up nearly 25% of events, and card-track (magnetic stripe) data comprising 11%.
Criminal hackers want your cardholder data. By obtaining the PAN (primary account number) and sensitive authentication data, an attacker can impersonate the cardholder, use the card, and steal the cardholder’s identity. Following guidance in the PCI DSS helps keep your cyber defences primed against attacks aimed at stealing cardholder data.
The 12 PCI DSS requirements
The PCI DSS specifies 12 requirements that are organised into 6 control objectives.
Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management programme
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an information security policy
- Maintain a policy that addresses information security for employees and contractors.
The exact PCI DSS compliance requirements vary depending on the number of card transactions processed annually by your organisation.
To find out more about the PCI DSS requirements, read our dedicated information page>>
Assessing the security of your cardholder data
Many organisations use a three-step process to achieve PCI DSS compliance:
- PCI DSS Gap Analysis – typically the first step for understanding an organisation’s compliance status. It compares the Standard’s requirements against the organisation’s current arrangements, identifies any compliance gaps and produces a prioritised plan to achieve full PCI DSS compliance.
- PCI DSS Remediation – actioning the plan based on the gap analysis to reduce the scope of the project where possible and close any remaining compliance gaps.
- PCI DSS Audit – having finished implementing the action plan, an assessor will review your CDE (cardholder data environment) and controls to ensure and evidence you are PCI DSS-compliant.
For organisations that process more than 6 million card transactions annually
Large organisations must have an external audit performed annually by a QSA (Qualified Security Assessor) and submit an RoC (Report on Compliance) to their acquiring banks to prove their compliance.
The QSA will:
- Validate the scope of the assessment;
- Review all documentation and technical information provided;
- Determine whether the Standard has been met;
- Provide support and guidance during the compliance process;
- Be onsite for the duration of the assessment as required;
- Adhere to the PCI DSS assessment procedures;
- Evaluate compensating controls; and
- Produce the final RoC.
To find out more about external audits for large organisations, download our free green paper: PCI Audit Success in
Nine Essential Steps >>
For organisations that process fewer than 6 million card transactions annually
Most small merchants can use an SAQ (self-assessment questionnaire), consisting of yes–no questions, to assess their level of cardholder data security.
There are nine different questionnaires available to meet different merchant environments; most organisations would not need to complete all nine.
Regardless of how many transactions you process, you must also run internal and external network vulnerability scans at least quarterly and after any significant changes in the network.
To find out more about the SAQ for smaller organisations, download our free green paper: The PCI DSS and its SAQs >>
Watch our free introductory webinar to the PCI DSS
For further information and a better understanding of the PCI DSS, why not listen to our free webinar? You will get expert advice from our QSA, who will explain how the PCI DSS applies to your organisation.
The webinar covers:
- What the PCI DSS is;
- An introduction to the 12 requirements;
- How to define your PCI DSS compliance level;
- Your PCI validation requirements;
- Why it is important to comply; and
- The penalties for non-compliance.
Discover our range of bestselling PCI DSS products and services
IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your CDE, conduct a risk assessment or test the security of your systems and processes for vulnerabilities, we can help.
View our range of bestselling products and services to find out more about what we can do.