PCI DSS (Payment Card Industry Data Security Standard)
What is the PCI DSS?
The Payment Card Industry Data Security Standard (‘PCI DSS’) is a framework set out for organisations that store, transmit or process cardholder data, designed to help keep that information secure.
The PCI DSS requires that merchants and service providers:
- Build and maintain a secure IT network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The PCI DSS applies to any type of media on which card data can be stored, including back-up media, data in the cloud, USB storage devices, hard drives, receipts and printed card information.
In addition, organisations holding electronic or paper records containing the full card number must store the information securely according to the Standard’s requirements.
The PCI Data Security Standard combines twelve requirements and their corresponding testing procedures.
Why should I comply with the PCI DSS?
If an organisation fails to comply with the requirements of the Standard, it is liable to fines from its acquiring bank. The size of the fines varies by payment brand, but broadly they fall into two groups:
- Non-compliance fines – these are ongoing fines that your bank can levy if you are not in compliance with the PCI DSS.
- Data breach fines – these are (generally) one-off fines that are issued in the event of a data breach.
Failure to comply can lead to other penalties, including:
- Costly forensic investigations and audits.
- Increased fines in the case of further non-compliance/breaches.
- Withdrawal of payment card services.
- Reputation damage with your customers.
- Loss of business.
How to comply with the PCI DSS
Self-assessment Questionnaires (SAQ)
Compliance with the PCI DSS must be demonstrated through either a self-assessment questionnaire (SAQ) or a Report on Compliance (ROC). Whether a ROC or an SAQ is required is determined by the applicable payment brand, based on factors such as annual transaction volume and transaction type.
| Merchants/Service providers | Annual on-site audit | Self-assessment questionnaire (SAQ) | Quarterly* external vulnerability scan | Quarterly* internal vulnerability scan | Annual** penetration test | Quarterly WLAN analysis |
|---|---|---|---|---|---|---|
| ROC | X | X | X | X | X | |
| SAQ D for Merchants | X | X | X | X | X | |
| SAQ D for Service Providers | X | X | X | X | X | |
| SAQ C | X | X | X | X | X | |
| SAQ C-VT | X | | | | | |
| SAQ P2PE-HW | X | X | | | | |
| SAQ B-IP | X | | | | | |
| SAQ B | X | | | | | |
| SAQ A-EP | X | X | X | X | X | |
| SAQ A | X | | | | | |
* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, a webserver added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
Glossary of key PCI DSS terms
- PCI DSS: Payment Card Industry Data Security Standard
- PCI SSC: Payment Card Industry Security Standards Council – the body that develops and maintains the Standard.
- PCI QSA: Qualified Security Assessors – organisations qualified by the PCI SSC to have their employees assess compliance with the PCI DSS.
- PCI SAQ: Self-assessment questionnaires – tools merchants use to self-evaluate their compliance with the PCI DSS.
- PCI ASV: Approved Scanning Vendors – organisations approved by the PCI SSC to perform vulnerability scans of merchants’ and service providers’ systems.
- Merchant: In the context of the PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (Visa, MasterCard, JCB, American Express or Discover).
- Acquiring bank: The organisation that provides a merchant with their payment card systems.
- Payment brands: The companies that provide the payment cards (Visa, MasterCard, JCB, American Express or Discover).
- Service provider: An organisation involved in the processing, storage or transmission of payment card information that is not a payment brand or a merchant.