Are you taking secure payments over the phone? In this blog we outline the reasons why you need to make sure your organisation is secure. We will cover:
- What PCI DSS is and who enforces it
- Whether it affects your organisation
- Why you should be compliant
- The 12 requirements of PCI DSS
- PCI DSS levels
- Achieving PCI compliance
- If you experience a data breach
- Our partners
What is PCI DSS and who enforces it?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, store or transmit credit card information do so in a secure way.
The PCI Security Standards Council (PCI SSC), created by Visa, MasterCard, American Express, Discover and JCB, launched PCI DSS on September 7, 2006. One thing to note is that it is the payment brands and acquirers, not the PCI SSC, that enforce PCI compliance.
Does PCI DSS affect your organisation?
If you accept, process, store or transmit card data then PCI DSS does affect your organisation. No matter the size of your business, you need to protect your customers and their data from the risk of theft.
Why should you be PCI Compliant?
If you are non-compliant it could mean:
- Brand damage
- A ban from accepting card transactions
- A large fine which can run into hundreds of thousands of pounds and hugely affect your brand.
Don't get caught out
The American retailer Target was caught out for not being PCI compliant in 2013.
Target suffered a breach in which up to 40 million customers had their credit card details stolen within three weeks.
The data breach led to a settlement of almost $18.5 million, with Target spending over $202 million in legal fees.
The 12 requirements of PCI DSS
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a Security Policy that addresses information security for all personnel
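As an added illustration of what requirements 3 (protect stored cardholder data) and 10 (track and monitor access) look like in code, the following Python module validates a primary account number (PAN) with the Luhn check, masks it to at most the first six and last four digits before it is displayed or logged, and replaces the stored value with a keyed one-way hash so the full PAN never sits in application storage. This is example code written for this blog, not code from any PCI SSC publication or partner product; the function names, the regular expression, the sample log lines and the `TOKEN_KEY` value are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed placeholder key. In production this key material lives in a
# key-management system or HSM and is never embedded in source code.
TOKEN_KEY = b"example-key-material-not-for-production"

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(value: str) -> str:
    """Strip separators so '4111 1111 1111 1111' and '4111111111111111' agree."""
    return "".join(c for c in value if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep at most first six and last four digits (PCI DSS 3.3)."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup key without storing the PAN."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace any Luhn-valid card number in a log line with its masked form.

    Numeric runs that fail the Luhn check (order ids, timestamps) are left alone,
    so the filter does not mangle legitimate log content.
    """
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_replace, line)


# Constructed sample log lines; the card numbers are well-known test numbers.
SAMPLE_LOG = [
    "2024-01-01 12:00:00 order=1234567890 pan=4111111111111111 status=ok",
    "2024-01-01 12:00:05 order=1234567891 pan=4111 1111 1111 1112 status=declined",
    "2024-01-01 12:00:09 order=1234567892 pan=378282246310005 status=ok",
]


def scrub_log(lines: list) -> list:
    """Apply scrub_log_line to every line, as a log shipper or handler would."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Running the module prints the sample lines with valid card numbers masked. The second line is left untouched because its number fails the Luhn check; a stricter deployment might choose to redact any 13 to 19 digit run regardless, trading a few false positives for a smaller chance of a PAN reaching disk.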
PCI DSS Levels
All organisations will fall into one of the four merchant levels based on transaction volume over a 12-month period. These levels will affect your approach to PCI DSS compliance.
The following are the 4 levels of PCI compliance:
- Level 1: a merchant processing over 6m VISA and Mastercard transactions per annum
- Level 2: a merchant processing between 1m and 6m VISA and Mastercard transactions per annum
- Level 3: a merchant processing between 20k and 1m VISA and Mastercard transactions per annum
- Level 4: a merchant processing less than 20k VISA and Mastercard transactions per annum
Achieving PCI DSS compliance
For a Level 1 organisation, you should take an assessment that consists of an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor).
Organisations in PCI Levels 2-4 can complete a self-assessment questionnaire (SAQ) instead of an external audit. Level 2 organisations must also complete a Report on Compliance.
If you experience a data breach
We have compliance partners that offer a range of solutions. Each of them has its own unique set of compliant solutions.
To help you choose the correct solution for your business you can contact us and we’d be happy to help.