What is PCI – Payment Card Industry (PCI) Data Security Standard (DSS)?
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process or transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006, and the card companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
With examples of high profile security breaches increasingly common in the media, complying with the PCI standards has never been more important for companies wishing to take payments over the phone.
Is it Law?
Essentially, PCI compliance, whilst not a legal obligation, is an obligation that all credit card companies now insist upon. Should there be a breach of your security, in whatever form, that results in fraudulent use or loss of credit card details, and your company is not PCI compliant, there will be several impacts:
- You will be required to pay compensation.
- Credit card companies may impose a significant fine upon you.
- You will potentially lose the ability to accept credit cards.
Online payments vs. over the phone
Whilst online transactions are relatively secure, transactions over the phone are potentially very insecure. Examples are:
- The person handling the call writes the credit card details down for later processing.
- Recordings of sales calls in which credit card details are given are made and are not stored securely.
At the end of the day, any system where a human being is listening to credit card details being given over the phone is based on a level of trust. A PCI compliant system takes the need for trust out of the equation.
The solution? PCI compliance software
AdMeter works with one of only three Level 1 accredited suppliers of PCI phone-based solutions, and our systems fully integrate with theirs.
If you think you need a PCI solution, or just want to explore the subject in more detail, please contact us via email (support@admeter.co.uk) or telephone, and we will be happy to answer your queries and, where appropriate, put you in direct contact with our PCI partner.
Some PCI compliance myths
Please find below a list of common myths often raised during discussions with organisations taking and/or processing card payments.
Myth: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
Fact: This is a common misunderstanding. Small merchants handling small numbers of transactions per year believe they are either exempt from compliance or that they only need to self-certify. If you are a merchant and are set up to take or process card transactions by any mechanism, then you need to be compliant. In addition, all transaction types count towards a cumulative total that determines what level of compliance a merchant or organisation needs to adhere to.
Myth: PCI only applies to e-commerce companies.
Fact: No. PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce operation, because these transactions often involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
Myth: You only have to be PCI compliant with the majority of criteria.
Fact: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not PCI compliant. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies handling or storing this type of data should be aiming to exceed the standard. It is not just a security standard; it is also good business practice.
Myth: I only need to protect my credit card data, not debit card related data.
Fact: Incorrect - both are required. Many debit cards are dual-purpose ‘signature debit’, which can be used on debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.
Myth: I can wait until my business grows.
Fact: Incorrect - the PCI standard applies to all sizes of businesses and waiting could be costly. Should you be compromised and not be PCI compliant, the fines and the compensation requirements by the banks (it typically costs between £50 and £90 to replace one card) could be substantial.
Myth: I can just answer ‘yes’ to all the criteria on the Self-Assessment Questionnaire (SAQ).
Fact: The Self-Assessment Questionnaire (SAQ) is the mechanism for reporting your level of compliance to your merchant bank, but the standard applies at all times. Simply answering yes to the questions puts you at great risk: if a compromise took place and it was obvious that you were not, and had never been, PCI compliant, the matter would be taken very seriously. You would be risking your whole business by answering ‘yes’ to the questions when there is no factual basis for the answers.
Myth: I can wait until my bank asks me to be PCI compliant.
Fact: The deadlines for merchants to become PCI compliant are long gone. You are responsible for making sure you are in compliance, and waiting until the bank asks you could be very costly indeed. If you are subject to a random investigation or audit and are deemed negligent, you could be fined even without a breach.
Myth: As a merchant I did not sign anything to say I would be compliant; therefore, I don’t need to be.
Fact: The PCI standard forms part of the operating regulations and rules under which merchants are allowed to operate merchant accounts. The agreement signed when you open an account with the bank states that these regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit card data.
Myth: As a merchant, I’m entitled to store any data.
Fact: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of law and legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:
1. Unencrypted credit card number
2. CVV or CVV2
3. PIN blocks
4. PINs
5. Track 1 or 2 data
Any of the above found in databases, log files, audit trails, backups, etc. can result in serious consequences for the merchant, especially if a compromise has taken place.
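The list above is what a merchant should never find in its own logs, databases or backups, so the first practical step is to look. The following is an added example and not code from the original page, from AdMeter or from its PCI partner: a small Python scanner that reads application log lines, finds Luhn-valid primary account numbers (13 to 19 digits, optionally separated by spaces or hyphens), track 2 data and logged CVV fields, and writes back a masked copy. The sample log lines, the regular expressions, the assumed track 2 layout (`;PAN=YYMM...?`) and the first-six/last-four masking are assumptions of this example, not something the page specifies; the card numbers are the publicly known test numbers, not real accounts.

```python
"""Scan log lines for cardholder data that must not be stored in clear text
(full PAN, track data, CVV) and produce a redacted copy.

Constructed example; not part of the original page or AdMeter's systems.
"""
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so a 20-digit run is not a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 data as read from a magnetic stripe (assumed layout): ';' PAN '=' YYMM ... '?'
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")

# A CVV/CVV2 value written into a log by a careless key/value logger.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (assumed masking policy)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in one line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Redact forbidden data from one log line.

    Returns the redacted line and a list of finding labels such as
    'track2:555555******4444', 'pan:411111******1111' or 'cvv'.
    Track 2 data is handled first so its embedded PAN is not double-counted.
    """
    findings: List[str] = []

    def _track2(m: re.Match) -> str:
        findings.append("track2:" + mask_pan(m.group(1)))
        return "[TRACK2 REDACTED]"

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):          # e.g. an order reference that merely looks like a PAN
            return m.group(0)
        masked = mask_pan(digits)
        findings.append("pan:" + masked)
        return masked

    def _cvv(m: re.Match) -> str:
        findings.append("cvv")
        return m.group(1) + "=[REDACTED]"

    line = TRACK2.sub(_track2, line)
    line = PAN_CANDIDATE.sub(_pan, line)
    line = CVV_FIELD.sub(_cvv, line)
    return line, findings


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, redacted_line, findings) for every line that held forbidden data."""
    report = []
    for n, raw in enumerate(lines, start=1):
        redacted, findings = redact_line(raw.rstrip("\n"))
        if findings:
            report.append((n, redacted, findings))
    return report


# Constructed sample log lines using public test card numbers (not real accounts).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO order=1234567890123 status=created",
    "2024-05-01T10:00:02Z DEBUG payment card=4111111111111111 exp=12/25 cvv=123",
    "2024-05-01T10:00:03Z DEBUG swipe=;5555555555554444=25121010000000000000?",
    "2024-05-01T10:00:04Z INFO refund ref=4111 1111 1111 1112 amount=10.00",
]

if __name__ == "__main__":
    for n, redacted, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {findings}")
        print("    " + redacted)
```

Two design points are worth noting. The Luhn check is what keeps an order reference of the right length (line 1) and a mistyped card number (line 4) out of the report, so a scanner without it drowns the real findings in false positives. And a scanner like this is a detective control, not a compliance control: a regex will miss PANs split across lines or stored in binary formats, so the durable fix is to stop the application writing the data at all and to run the scan as a check that it has stopped.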
Myth: One vendor and product will make us compliant.
Fact: Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a ‘silver bullet’ might lead some to believe that the point product provides ‘compliance’, when it’s really implementing just one or a few pieces of the standard. The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the ‘big picture’ related to the intent of PCI DSS requirements.
Myth: Outsourcing card processing makes us compliant.
Fact: Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it and when you process chargebacks and refunds. You must also ensure that provider applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance from providers annually.
Myth: PCI compliance is an IT project.
Fact: The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a ‘project’ with a beginning and end – it’s an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organisation. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and processing workflow.
Myth: PCI will make us secure.
Fact: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Myth: PCI is unreasonable; it requires too much.
Fact: Most aspects of the PCI DSS are already common security best practice. The standard also permits the use of compensating controls to meet some requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, ‘Where do I go from here?’ This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.
Myth: PCI requires us to hire a Qualified Security Assessor (QSA).
Fact: Because most large merchants have complex IT environments, many hire a QSA to benefit from their specialised expertise in the on-site security assessments required by PCI DSS. A QSA also makes it easier to develop compensating controls and get them approved. However, PCI DSS provides the option of doing an internal assessment with an officer sign-off if your acquirer and/or merchant bank agrees. Mid-sized and smaller merchants may use the Self-Assessment Questionnaire (SAQ) found on the PCI SSC website to assess themselves, provided they fall within that category and meet its criteria.
Myth: PCI makes us store cardholder data.
Fact: Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card.
If merchants or processors have a business reason to store front-card information, such as name and account number, PCI DSS requires this data to be encrypted or made otherwise unreadable.
Myth: PCI is too hard.
Fact: Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security staff or a large IT department. However, PCI DSS mostly calls for a good standard of security that should be in place within your organisation anyway. Even if there were no requirement for PCI compliance, the security best practices contained in the standard are steps that every business would want to take to protect sensitive data and continuity of operations.
When people say PCI is too hard, many really mean that compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed the cost of implementing PCI DSS: fines, legal fees, decreases in share price and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which means making this activity part of your ongoing business plan and budget.
So now you know what PCI Compliance is...