If your organisation accepts, processes, stores or transmits card payments, the chances are you’ve heard of the Payment Card Industry Data Security Standard (or PCI DSS or PCIDSS as it is commonly known), but what is PCI DSS?

It’s your responsibility to ensure that your customers’ payment data, such as sensitive card numbers and other forms of “Sensitive Authentication Data” (SAD) are safeguarded, free from exposure from contact centre agents, fraudulent attacks (internal and external) and other security breaches. By achieving PCI compliance and adhering to the comprehensive requirements of PCI DSS your organisation can be confident that you are improving the safety of your customer’s data and the way payments are processed.

In addition to this, with the introduction of the General Data Protection Regulation (GDPR) that covers strict guidelines on how personal information is stored and transmitted. Companies experiencing data breaches are facing fines from the Information Commissioners Office (ICO) of up €20m (approximately £17.5 million) or 4% of turnover, whichever is greater. Therefore, it is crucial that organisations adopt best practice on data security across their entire corporate infrastructure and processes, not just for accepting payments.

If you accept, process, store or transmit card data then PCI DSS affects your organisation. Cardholder data is continuously at risk of theft from hackers that are on the lookout for a way to exploit weaknesses in your organisation. So, no matter the size of your business, PCI DSS is there to protect your customers and their data, assisting in the prevention of a data breach which could have a huge impact.

The security standard started in December 15, 2004 by Visa, Mastercard, American Express, Discover and JCB who formed the Payment Card Industry Security Council (PCI SSC) in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI).

The PCI SCC continues to administer the guidelines with a focus on improving payment account security throughout the transaction process. However, it is the payment brands and acquirers, not the PCI council, that are responsible for enforcing compliance and are able to issue fines and restrictions on your ability to accept card payments.

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

• Cardholder name
• Expiration date
• Service code

Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.

To be PCI compliant, there are a set of 12 requirements set by the PCI Security Standards Council (PCI SSC) that are designed to ensure the highest level of protection for any data that is being used throughout the transaction process of a payment. This can be manually or electronically, but if organisations adhere to these requirements, they will dramatically improve their security against malicious attacks towards their organisation, including any internal risks.

There are specific reporting requirements based on your organisation’s merchant level, determined by the number of transactions made over a year.

Merchant Level 1: On-site assessment by a Qualified Security Assessor (QSA)

Merchant Levels 2–4: Self assessment via the Self-Assessment Questionnaires (SAQ)

You must also have a quarterly network scan by an Approved Scan Vendor and an attestation of Compliance Form.

All organisations will fall into one of the four merchant levels based on transaction volume over a 12-month period.

The following are the 4 levels of PCI compliance:

Level 1
A merchant processing over 6m VISA and MasterCard transactions p/a

Level 2
A merchant processing between 1m and 6m VISA and MasterCard transactions p/a

Level 3
A merchant processing between 20k and 1m VISA and MasterCard transactions p/a

Level 4
A merchant processing less than 20k VISA and MasterCard transactions p/a

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.

Aliquam cursus vitae nulla non rhoncus. Nunc condimentum erat nec dictum tempus. Suspendisse aliquam erat hendrerit vehicula vestibulum.