The Payment Card Industry Data Security Standard (PCI DSS) is a list of international security guidelines. They are designed to ensure that any organisation that stores, processes or transmits customer payment card details, does so in accordance with global best practice.
When do companies need to comply?
According to the PCI Data Security Standards Council, all organisations that store, process or transmit customer credit cards must be compliant with V1.2.1 of the standard by 30th September 2010. Failure to register or demonstrate compliance by this date may incur fines and could lead to an organisation being unable to process credit cards until compliance has been proved.
In addition, by October 2010, all merchants that use point of sale (POS) systems must have moved to chip and PIN devices and systems and can no longer use magnetic stripe and customer signatures for verification of identity.
Who does PCI DSS apply to?
Any company that takes, stores, or transmits customer payment card details has to comply with the Payment Card Industry Data Security Standard. The Payment Card Industry includes payment card association schemes run by Visa, MasterCard, American Express, JCB, Diners Club and China UnionPay.
Compliance with the standard is particularly important for online retailers for example, because they have few other methods of receiving payment from their customers. Therefore, if an online merchant had their ability to process payment cards revoked by the payment card industry, then this would have a serious impact on their business continuity.
The Standard is tiered to cater for larger and smaller companies, according to the volume of transactions that they handle each year:
|Payment card transactions per year|
|More than 6 million|
|1 million – 6 million|
|20,000 – 1 million|
|Fewer than 20,000|
Companies bound by PCI DSS compliance deal with their payment card “acquirer”: a bank that accepts or “acquires” payment card transactions, e.g. Barclaycard, to prove compliance in the handling of payment card details. Merchants that process American Express transactions have to deal directly with American Express to prove their compliance.
Level 1 merchants must have their PCI DSS compliance approved by an external party, known as a Qualified Security Assessor (QSA). Companies dealing with smaller numbers of transactions are able to fill out a self assessment questionnaire. However, if a level 4 merchant suffers a security breach that exposes their customers’ credit card details, they will be moved up to level 1, making PCI DSS compliance much more expensive for that company in the future.
Breaking it down
Companies are currently bound by Version 1.2.1 of the PCI DSS standard (August 2009). There are 214 requirements in all, though these can be summarised into 12 core requirements as follows:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data on a business need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Compliance in the Cloud
Where organisations are using managed service providers (e.g. for hosted services such as; email, storage, archiving and back-up ), they are advised to ensure that their provider’s services also adhere to the PCI DSS standard. Particular requirements of the Standard include guarding physical access to stored card details, in other words your server; database and back-ups should be in a locked room. If you are using a service provider to store your customers’ electronic payment card details, you must ensure that (at the very minimum) the service provider protects its own building with perimeter fencing, CCTV surveillance and door entry control systems such as swipe card access controls.
For electronic payment card details stored by your business, PCI DSS states that you must restrict access to records “on a business need –to-know basis”. In other words, if an employee doesn’t need to see customer payment card details, then they should not be able to gain access to them. The Standard also makes it compulsory for merchants to use encryption, truncation and masking of credit card details. This would prevent them from being compromised if they were to be intercepted during transmission over email to a bank, for example.
Confusion in the Cloud
When considering using managed services, merchants should consult their QSA to understand whether this will affect their PCI DSS compliance. However, QSAs we have spoken to confirmed that they required further guidance on PCI DSS compliance in the cloud. Importantly, some QSAs believed that a merchant can be compliant if its data centre service is not, for example. However, this is not the view of Barclaycard, which insists that if the hosted services are not PCI DSS compliant then neither is the merchant.
Many of the level 4 merchant companies (processing fewer than 20,000 credit card transactions per year) have complained that the payment card acquirers and payment card industry have not communicated the PCI DSS requirements and deadline clearly enough. The small to medium sized organisations that Star has spoken to have reported that even where they have consulted a QSA, they have been given conflicting advice.
It must be stressed that while cloud computing service providers will take the utmost care to protect customer data in the cloud and usually employ information security experts that SMBs cannot afford in-house, the responsibility for complying with PCI DSS rests with the merchant that initially takes the customers’ payment card details.
My advice to SMBs on PCI DSS compliance is as follows. First of all, look at the 12 core requirements of the PCI DSS to find out where you stand and what you still need to do to secure your company’s electronic storage, processing and transmission of customer credit card data. Then speak to your acquirer, e.g. Barclaycard, to find out what additional precautions you need to take to gain compliance, either via self assessment, or QSA (depending on the number of transactions that you process annually).
If you are using cloud computing services, ensure that your third party provider is also compliant with the PCI Standards. Remember that compliance is an ongoing process that will need to adapt as new technologies come into play and new threats emerge that could put your customers’ payment card data at risk. Ultimately, compliance with the PCI DSS standard is all about reassuring your customers that you are looking after their data, so it is the best interests of your business to address this.