If you’re a business that handles credit or debit card payments, you’ll need to know about card compliance and PCI DSS. So what is PCI DSS, and what does it stand for?
The Payment Card Industry Data Security Standard (PCI DSS) makes sure that business payment environments (like the card payment solutions your customers use to make transactions) are as secure as they can be.
To do this it sets out 12 requirements. These 12 requirements are split into three stages called Assess, Remediate and Report.
Sound complicated? Don’t worry — we’ll talk you through each stage in plain English and if you still need some help we can offer you over-the-phone guidance to complete your PCI compliance.
The Assess stage is about uncovering any areas of card payment technology that might be a risk to cardholder data security. It explains how your systems could be vulnerable and how cardholder data could be illegally accessed, breaking down how data is transferred at each step of a transaction.
It also tells you everything you need to do to make sure your card payment solutions are secure — from checking your card machines are up to date, to making sure the software you use to process card payments meets the security requirements.
This stage also explains third-party liability — which means any other person or business who gets involved in your card payment process has to ensure they meet PCI standards too. It’s up to you to confirm that each third party meets the requirements.
To make sure your business is compliant with PCI standards, you must fill out a self-assessment questionnaire. This questionnaire has been specially designed for businesses and service providers who don’t have on-site assessments.
You can get help with self-assessment from two kinds of independent experts — either a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV). The QSA and ASV have different responsibilities: the ASV uses software tools to scan for vulnerabilities in your card payment technology, while the QSA validates that your business meets the requirements set out by the PCI DSS.
The Remediate stage is where you’ll start fixing the risks to your business and making sure data isn’t vulnerable to hackers. As an example, this can mean fixing problems with software code to make sure hackers can’t get hold of card payment data. There are a few steps to make sure you do this effectively.
First of all, you should scan your business network to find vulnerabilities, rank them by the risk they pose and then prioritise which ones need to be fixed first. After they’ve been fixed, you should go back and re-scan to confirm there are no longer any obvious ways to access cardholder data.
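The scan-rank-fix-rescan loop described above, as an added Python example that is not part of this page or its author's tooling. It assumes findings carry a CVSS base score (the scoring that ASV scans report), uses the 4.0 CVSS failing threshold from the PCI SSC ASV Program Guide (a threshold this page itself does not state), and works on a constructed set of sample findings, not real scan output.

```python
"""Rank vulnerability-scan findings for remediation and confirm a rescan is clean.

Added illustrative example; the hostnames, titles and scores below are constructed.
"""
from dataclasses import dataclass

# ASV Program Guide failing threshold (assumption stated in the lead-in): any
# finding with a CVSS base score of 4.0 or higher must be fixed before a scan passes.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float

    def key(self):
        """Identity used to match a finding between the first scan and the rescan."""
        return (self.host, self.port, self.title)


def prioritise(findings):
    """Order findings highest CVSS first; host/port break ties so output is stable."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.port))


def failing(findings):
    """Findings that on their own would cause an ASV scan to fail."""
    return [f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD]


def compare_rescan(initial, rescan):
    """Return (fixed, still_open, new) lists of finding keys after remediation."""
    before = {f.key() for f in initial}
    after = {f.key() for f in rescan}
    fixed = sorted(before - after)
    still_open = sorted(before & after)
    new = sorted(after - before)
    return fixed, still_open, new


def rescan_passes(rescan):
    """True only when nothing at or above the failing threshold remains."""
    return not failing(rescan)


# Constructed sample results (not real findings or real hosts).
INITIAL_SCAN = [
    Finding("pos-terminal-1.example", 443, "TLS 1.0 enabled", 5.3),
    Finding("web-shop.example", 443, "Outdated web server version", 7.5),
    Finding("web-shop.example", 80, "HTTP service exposed without redirect", 3.1),
    Finding("pos-terminal-1.example", 22, "Weak SSH cipher offered", 4.3),
]

# Constructed rescan: the two highest-risk items were fixed, the SSH cipher was not.
RESCAN = [
    Finding("web-shop.example", 80, "HTTP service exposed without redirect", 3.1),
    Finding("pos-terminal-1.example", 22, "Weak SSH cipher offered", 4.3),
]


if __name__ == "__main__":
    print("Remediation order:")
    for f in prioritise(INITIAL_SCAN):
        flag = "MUST FIX" if f.cvss >= ASV_FAIL_THRESHOLD else "advisory"
        print(f"  {f.cvss:>4} {flag:<9} {f.host}:{f.port} {f.title}")

    fixed, still_open, new = compare_rescan(INITIAL_SCAN, RESCAN)
    print(f"\nFixed: {len(fixed)}  Still open: {len(still_open)}  New: {len(new)}")
    print("Rescan passes:", rescan_passes(RESCAN))
```

Running it lists the four findings with the 7.5 web-server issue first, then reports that two findings were fixed, two remain, and the rescan still fails because the 4.3 SSH finding sits above the threshold; that is exactly the case where you go back, fix, and scan again rather than sending the report.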
The Report stage is all about producing regular reports for the acquiring bank to prove you meet PCI standards. It’s important that you share a quarterly scan report, and if you’re a firm with a large transaction flow, you should have an on-site assessment once a year with a PCI SSC-approved QSA (Qualified Security Assessor). If you’re a business with small transaction flows, you should share a report once a year to show that you’re complying with the PCI standards set out.
If you’re not sure how you should report, discuss the issue with your acquirer who will be able to help you create a plan.
A quick re-cap
The Assess phase looks at your business’s IT assets and business processes, with a close eye on how you process card payments. It also looks at IT vulnerabilities that could expose the cardholder data you capture.
Remediate looks at fixing any vulnerabilities in your systems found during the Assess phase that could expose card payment data. This is when you’ll rank these problems by the risk they pose and fix them in that order.
And finally, Report looks at the business records required by PCI DSS so you can validate the problems you’ve fixed during the Remediate phase. In this phase, you’ll also share your compliance reports with the acquiring bank, as well as global payment brands.