
The PCI DSS (Payment Card Industry Data Security Standard)

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

The Standard is the result of collaboration between the major payment brands (American Express, Discover, JCB, Mastercard and Visa), and is administered by the PCI SSC (Payment Card Industry Security Standards Council).

Read the full text of PCI DSS v3.2.1 >>

IT Governance is a PCI QSA (Qualified Security Assessor) company. View our full range of PCI DSS consultancy services >>


Who has to comply with the PCI DSS?

All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS.

  • Merchants are entities that accept card payments for goods and/or services. Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.
  • Service providers are businesses that are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.

Speak to a PCI DSS expert

Our services can support you at each stage of your organisation’s PCI DSS compliance project. Call our team on 0333 800 7000, or request a call using the form below. Our experts are ready and waiting with practical advice.

Contact us

Benefits of PCI DSS compliance

Payment security is important for every organisation that stores, processes or transmits cardholder data.

According to UK Finance’s Fraud the Facts 2019 report, unauthorised financial fraud losses totalled £844.8 million in 2018, a year-on-year increase of 16%.

A key benefit of the Standard is its level of detail: it provides specific guidance on what to do to protect data, which can be applied to organisations of any size or type that use any method of processing or storing payment card data.


Penalties for non-compliance with the PCI DSS

The PCI DSS is a standard, not a law, and is enforced through contracts between merchants, the acquiring banks that process payment card transactions and the payment brands.

Each payment brand can fine acquiring banks for PCI DSS compliance violations and acquiring banks can, in turn, withdraw the ability to accept card payments from non-compliant merchants. Compliance obligations for merchants also increase significantly in the event of a breach.

Moreover, the breach or theft of cardholder data is also a breach of the EU GDPR (General Data Protection Regulation). Data breaches risk heavy penalties under the Regulation: up to €20 million or 4% of annual global turnover – whichever is greater.

Learn more about GDPR compliance >>

The 12 PCI DSS requirements

The PCI DSS specifies 12 requirements that are organised into 6 control objectives.

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme

  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy

  12. Maintain a policy that addresses information security for employees and contractors.

Find out more about the 12 PCI DSS requirements >>

How to become PCI DSS compliant

Merchants and service providers can demonstrate their compliance with the PCI DSS by successfully completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard.

The types of audit are:

The type of audit you must undergo and your exact PCI DSS compliance requirements will vary depending on your merchant or service provider level, which is based on the number of card transactions processed per year.

Generally, the criteria applied will be based on those set by Visa and Mastercard, the predominant payment card brands.

PCI DSS: merchant validation criteria

Level 1
  Criteria: Merchants that process more than 6 million transactions per year, or those whose data has previously been compromised.
  Annual validation criteria:
  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

Level 2
  Criteria: Merchants that process 1 million to 6 million transactions per year.
  Annual validation criteria:
  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

Level 3
  Criteria: Merchants that process 20,000 to 1 million transactions per year.
  Annual validation criteria:
  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

Level 4
  Criteria: Merchants that process fewer than 20,000 transactions per year.
  Annual validation criteria:
  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

PCI DSS: service provider validation criteria

Level 1
  Criteria: Service providers that process, transmit and/or store more than 300,000 transactions per year.
  Annual validation criteria:
  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

Level 2
  Criteria: Service providers that process, transmit and/or store fewer than 300,000 transactions per year.
  Annual validation criteria:
  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

Level-1 organisations

Level-1 organisations must have an external audit performed annually by a QSA and submit an RoC to their acquiring banks to prove their compliance.

The QSA will:

  • Validate the scope of the assessment;
  • Review all documentation and technical information provided;
  • Determine whether the Standard has been met;
  • Provide support and guidance during the compliance process;
  • Be onsite for the duration of the assessment as required;
  • Adhere to the PCI DSS assessment procedures;
  • Evaluate compensating controls; and
  • Produce the final RoC.

To find out more about external audits for large organisations, download our free green paper: PCI Audit Success in Nine Essential Steps >>

List of PCI DSS SAQs

Level-2, -3 or -4 organisations can use an SAQ, comprising yes/no questions, to assess their level of cardholder data security. There are nine different questionnaires available.

  • SAQ A – Card-not-present merchants, all cardholder data functions fully outsourced.
  • SAQ A-EP – Partially outsourced e-commerce merchants using a third-party website for payment processing.
  • SAQ B – Merchants with only imprint machines or only standalone, dial-out terminals – no electronic cardholder data storage.
  • SAQ B-IP – Merchants with standalone, IP-connected PTS point-of-interaction (POI) terminals – no electronic cardholder data storage.
  • SAQ C-VT – Merchants with web-based virtual payment terminals – no electronic cardholder data storage.
  • SAQ C – Merchants with payment application systems connected to the Internet – no electronic cardholder data storage.
  • SAQ D for merchants – All other SAQ-eligible merchants not included in the descriptions for SAQ types A to C above.
  • SAQ D for service providers – All service providers defined by a payment brand as eligible to complete an SAQ.
  • SAQ P2PE – Merchants using hardware payment terminals in a PCI SSC-listed P2PE solution only – no electronic cardholder data storage.

To find out more about SAQs, download our free green paper: The PCI DSS and its SAQs >>

Assessing the security of your cardholder data

Many organisations use a three-step process to achieve PCI DSS compliance:

  • PCI DSS Gap Analysis – typically the first step for understanding an organisation’s compliance status. It compares the Standard’s requirements with the organisation’s current arrangements, identifies any compliance gaps and produces a prioritised plan to achieve full PCI DSS compliance.
  • PCI DSS Remediation – actioning the plan based on the gap analysis to reduce the scope of the project where possible and close any remaining compliance gaps.
  • PCI DSS Audit – once the action plan has been implemented, an assessor reviews your CDE and controls to confirm, and formally record, that you are PCI DSS compliant.

Watch our free introductory webinar to the PCI DSS

For further information and a better understanding of the PCI DSS, why not listen to our free webinar? You will get expert advice from one of our QSAs, who will explain how the PCI DSS applies to your organisation.

The webinar covers:

  • What the PCI DSS is;
  • An introduction to the 12 requirements;
  • How to define your PCI DSS compliance level;
  • Your PCI validation requirements;
  • Why it is important to comply; and
  • The penalties for non-compliance.

Discover our range of bestselling PCI DSS products and services

As a QSA company, IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project.

Whether you need to conduct a gap analysis, reduce the scope of your CDE, conduct a risk assessment or test the security of your systems and processes for vulnerabilities, we can help.

View our range of bestselling products and services to find out more about what we can do.
