PCI Compliance: What Is It And Does It Affect Your Organisation?

Alice Gosine


Are you taking payments over the phone? In this blog we outline why you need to make sure your organisation handles card data securely. We will cover:

  • What PCI DSS is and who enforces it
  • Whether it affects your organisation
  • Why you should be compliant
  • The 12 requirements of PCI DSS
  • PCI DSS merchant levels
  • Achieving PCI DSS compliance
  • What happens if you experience a data breach
  • Our partners

What is PCI DSS and who enforces it?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that any company that accepts, processes, stores or transmits payment card data does so securely.

The standard is maintained by the PCI Security Standards Council (PCI SSC), which was formed on 7 September 2006 by Visa, MasterCard, American Express, Discover and JCB. One thing to note is that it is the payment brands and acquirers, not the council, that enforce compliance: the council publishes the standard, while your acquirer is the one who asks you for evidence and applies penalties.

Does PCI DSS affect your organisation?

If you accept, process, store or transmit card data then PCI DSS does affect your organisation. No matter the size of your business, you need to protect your customers and their data from the risk of theft. The one lever you have over how much of the standard applies is scope: the fewer systems, networks and people that touch card data, the less you have to secure and evidence.

Why should you be PCI Compliant?

If you are non-compliant it could mean:

  • Brand damage
  • A ban from accepting card transactions
  • Fines from your acquirer or the card brands, which can run into hundreds of thousands of pounds

Don't get caught out

American retailer Target was caught out in 2013.

Between late November and mid-December 2013, attackers stole the card details of up to 40 million Target customers in roughly three weeks.

The breach led to an $18.5 million settlement with US state attorneys general, and Target reported more than $202 million in breach-related costs.

The 12 requirements of PCI DSS

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a security policy that addresses information security for all personnel

These are the requirement headings as worded in PCI DSS v3.2.1. Version 4.0, published in 2022, keeps the same twelve requirements but rewords and expands them, so check which version your acquirer is assessing you against.
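Requirements 3 and 10 are where organisations most often slip in practice: a full card number copied into an application log, a CRM note or a support ticket is stored cardholder data whether or not anyone intended it. The following is an added example, not code from this article or its author, of the kind of check a practitioner runs over log exports during scoping: it finds Luhn-valid card numbers and masks them to the first six and last four digits, the most PCI DSS v3.2.1 permits to be displayed by default. The log lines are constructed for the example and use the card brands' published test numbers; the third line carries a 16-digit reference that is not a card number and must not be flagged.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real data). The card numbers are the
# payment brands' published test numbers; the 16-digit "ref" on the third
# line is an order reference that fails the Luhn check.
SAMPLE_LOG = [
    "2024-03-01 12:00:01 order=1001 pan=4111111111111111 status=ok",
    "2024-03-01 12:00:02 order=1002 pan=5500 0000 0000 0004 status=ok",
    "2024-03-01 12:00:03 order=1003 ref=1234567890123456 status=ok",
    "2024-03-01 12:00:04 order=1004 pan=378282246310005 status=declined",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled,
    results above 9 have 9 subtracted, and the sum must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS v3.2.1
    allows to be displayed without a documented business need (req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits(match_text: str) -> str:
    """Strip the space/dash separators from a regex match."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, as plain digit strings."""
    return [
        _digits(m.group(0))
        for m in PAN_RE.finditer(text)
        if luhn_valid(_digits(m.group(0)))
    ]


def redact_line(line: str) -> tuple[str, int]:
    """Replace each Luhn-valid PAN in line with its masked form.
    Returns the redacted line and the number of PANs masked."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _digits(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # looks like a card number but is not one
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, line), count


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line index, redacted line) for every line that held a PAN."""
    hits = []
    for i, line in enumerate(lines):
        redacted, n = redact_line(line)
        if n:
            hits.append((i, redacted))
    return hits


if __name__ == "__main__":
    for idx, line in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {line}")
```

Treat hits as leads rather than proof: roughly one in ten random 16-digit references passes Luhn by chance, and the pattern will not catch a PAN that has been split across fields or stored in a non-decimal encoding. A hit in a log that should never hold card data means the system writing it is in scope for requirement 3, and the log itself needs the retention and access controls of requirement 10.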

PCI DSS Levels

Merchants fall into one of four levels based on transaction volume over a 12-month period, and the level determines how you must validate compliance. The thresholds are set by each card brand separately; the figures below are Visa's and Mastercard's, and a brand can also move a merchant that has suffered a breach to Level 1 regardless of volume.

The following are the 4 merchant levels:

Level 1
A merchant processing over 6 million Visa or Mastercard transactions per annum

Level 2
A merchant processing between 1 million and 6 million Visa or Mastercard transactions per annum

Level 3
A merchant processing between 20,000 and 1 million Visa or Mastercard e-commerce transactions per annum

Level 4
A merchant processing fewer than 20,000 Visa or Mastercard e-commerce transactions per annum, and up to 1 million transactions in total

Achieving PCI DSS compliance 

A Level 1 merchant must have an annual on-site assessment performed by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor), which produces a Report on Compliance (ROC).

Merchants at Levels 2 to 4 can validate with an annual self-assessment questionnaire (SAQ) instead of an external audit. Which SAQ applies depends on how you handle card data: a business that only takes card details over the phone and keys them into a standalone payment terminal answers a much shorter questionnaire than one that stores card numbers in its own systems, which falls under the full SAQ D. Some acquirers and brands ask more of Level 2 merchants, such as requiring the SAQ to be completed by a QSA or by ISA-trained internal staff. In every case the result is reported to your acquirer as an Attestation of Compliance (AOC), usually alongside quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where you have internet-facing systems in scope.

If you experience a data breach 

If you experience a data breach as a result of non-compliance with PCI DSS, the card brands' penalties may not be the end of it. Where the breach involves personal data you can also face investigation by the Information Commissioner's Office (ICO) into your organisation's compliance with the General Data Protection Regulation (GDPR), which carries fines of up to €20 million (£17.5 million under UK GDPR) or 4% of annual worldwide turnover, whichever is higher.

Our Partners 

We have compliance partners that offer a range of solutions. Each of them has its own set of compliant solutions.

To help you choose the correct solution for your business you can contact us and we’d be happy to help.