PCI DSS are 6 little letters that seem to scare, confuse and annoy businesses that accept card payments. But it doesn’t have to be this way.
Let’s look at the what, why, who and how of PCI DSS (Payment Card Industry Data Security Standards). We’ll also cover the where and the when in a quick canter through the background and intent of Payment Card Industry (PCI), why it’s important, who has to comply, and how best to do this.
PCI DSS and its purpose
PCI DSS is a common industry framework for protecting sensitive cardholder data such as card account number, expiration date and 3-digit security code against fraud and misuse.
The standards are devised and disseminated by the SSC, the Security Standards Council (the last 3-letter acronym for now, I promise), whose founding members are the major card brands: Amex, MasterCard, Visa and so on.
There are a number of requirements under the standard. To cut a long story short, the 6 main goals of PCI DSS are as follows:
- build and maintain a secure network
- protect cardholder data
- maintain a vulnerability management programme
- implement strong access control measures
- regularly monitor and test networks
- maintain an information security policy
Who is PCI DSS for?
Simply put: PCI DSS is for everyone who stores, processes or transmits cardholder data.
If you accept card payments, compliance with PCI DSS is usually mandated in the contract with the organisation that provides your card acceptance service such as an acquirer or payment service provider.
PCI DSS applies irrespective of whether you accept a few payments each month or thousands; whether you accept cards for payment in brick-and-mortar shops, on the internet, in telephone call centres or via mail order; and whether your business is large or small.
Scope reduction: the gift that keeps on giving
The potential scope of PCI DSS is large. It consists of 12 requirements, which are in turn made up of around 300 statements. Achieving and maintaining each security control naturally comes with an associated cost. This may be in terms of budget, time or effort.
Therefore, reducing the number of controls you have to achieve without reducing your security is the smart way forward. We believe in scope reduction as far as possible. Some ways of doing this include:
- outsourcing payments on your e-commerce site to a third party via a hosted payment page, which reduces your scope from hundreds of controls to about 20 controls.
- encrypting and/or tokenising cardholder data so that it is not passing across your network, which also reduces scope.
- minimising the number of physical locations where card data is stored, or the number of applications where it can be entered.
- reducing the number of people that can access card data, which also helps cut scope.
If you can take the payment without handling the data yourself, why not, especially when it also reduces your scope? You’ll find that it’s quicker, easier and cheaper to achieve and maintain compliance.
Scope reduction is also the gift that keeps on giving, as there’s an in-built multiplier effect. Changing your business processes to de-scope activity in year 1 will help save you the costs of managing and maintaining the activity in year 2, year 3 and so on. You’ll also be prioritising security over slavish, tick-box compliance, and be addressing risks pertinent to your business, rather than someone else’s.
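To show why tokenising cardholder data shrinks your scope, here is an added example (not Blackfoot UK's code, and not any real provider's API): a merchant order record keeps only a random token and a masked card number, while the full account number lives solely in a stand-in tokenisation vault, and a small scan shows how a scoping review checks that no card numbers have leaked into your own storage. The class and function names and the 4111 1111 1111 1111 test card number are constructed for the example.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the sanity check applied to card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits; PCI DSS permits at most first 6 / last 4 to be shown."""
    return "*" * (len(digits) - 4) + digits[-4:]

class TokenVault:
    """Stands in for a third-party tokenisation service: the only place the full PAN exists."""
    def __init__(self):
        self._store = {}
    def tokenise(self, pan: str):
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_hex(8)   # random, so it reveals nothing about the PAN
        self._store[token] = digits
        return token, mask_pan(digits)

class MerchantOrders:
    """The merchant's own records: token plus masked PAN, never the full card number."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = {}
    def record_payment(self, order_id: str, pan_from_customer: str) -> dict:
        token, masked = self.vault.tokenise(pan_from_customer)
        self.orders[order_id] = {"token": token, "masked_pan": masked}
        return self.orders[order_id]

PAN_LIKE = re.compile(r"\d{13,19}")

def find_pans(text: str) -> list:
    """Flag Luhn-valid 13-19 digit runs: the check a scoping review runs over databases and logs."""
    return [m.group() for m in PAN_LIKE.finditer(text) if luhn_valid(m.group())]

if __name__ == "__main__":
    orders = MerchantOrders(TokenVault())
    print(orders.record_payment("order-1001", "4111 1111 1111 1111"))  # constructed test number
    print(find_pans(str(orders.orders)))  # nothing found: the merchant holds no PAN
```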
PCI DSS as part of protecting your data
Too often people get bogged down in the detail of PCI DSS and lose sight of the bigger data security picture.
In actual fact, there’s little in the PCI DSS that’s specific to card data. Many of the processes and technologies you’d put in place to be compliant with PCI DSS also serve to protect data more generally. Think: blueprints, technical specifications, strategic and marketing plans.
PCI DSS is about achieving and maintaining a healthy approach to securing data – yours and your customers’. It’s about business as usual in every sense: making data security a business as usual activity, and doing business as usual without the upheaval of a data security incident. That’s nothing to be scared, confused or annoyed about.
Blackfoot UK is an information risk, security and compliance specialist. We help our customers protect their information and, ultimately, their brands, reputations and financial health. If your business needs help with PCI DSS, contact Blackfoot UK.