Understanding PCI DSS and how it applies to you
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 by the major credit card companies to ensure that all card payments are processed securely to protect sensitive data and ultimately reduce fraud.
Any business or organisation that accepts, handles, stores or transmits credit card details needs to comply with the security standards, irrespective of their size or the volume of transactions processed.
Why is PCI DSS important to me?
With high-profile security breaches becoming increasingly commonplace, PCI DSS has never been more critical for companies wishing to take payments over the phone. Compliance strengthens your corporate security and gives your customers added peace of mind, but it is not simply about building a security wall around corporate assets such as databases and networks. Real PCI compliance means changing the culture of your business and building security in at every level, across all members of staff.
What are the risks of non-compliance?
You face substantial fines, levied by each credit card company, in the event of any hacking, breach of data protection, computer misuse or any other loss of data containing credit card details. You may also be held responsible for the ongoing legal costs of any resulting identity fraud, as well as punitive damages should it be proven that the breach originated from your business. Then there is the potential damage to your reputation and brand image to consider.
How do PCI DSS and GDPR compare?
The biggest, and most important, difference between the two sets of regulations is that PCI DSS is significantly more prescriptive. While GDPR delivers guidance on what needs protecting without detailing a rigid action plan, PCI DSS outlines exactly what is required and a clear methodology for achieving this.
Who is liable?
Never assume that a service provider or reseller has, or is using, a PCI compliant solution: it is your responsibility to conduct due diligence to ensure all PCI DSS controls are met. Many providers claim to be compliant, but this is not always the case, so it is prudent to obtain a copy of their certificate of compliance and confirm that they have been audited by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council.
Does PCI apply to us if we do not store card details?
Even if your business or organisation does not store credit card details, you could still be the target of an attack that results in a breach of PCI compliance, and any card data you handle, even transiently, must still meet the applicable PCI requirements. However, by outsourcing your entire payment application requirements to an external PCI-approved service provider such as Callstream, it is possible to remove the threat of any breaches.
Are we compliant if we use PCI FAS-approved equipment?
Many organisations are investing significant capital expenditure in PCI DSS-approved hardware and software to address the requirement to be compliant. Although this helps with certain requirements, you still have to meet all of the controls in order to pass the audit.