PCI DSS, what is it and why does it matter?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of technical and operational security requirements maintained by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data, and it applies to every organisation that accepts, processes, stores, or transmits cardholder data.

Every organisation, business, or body that accepts, processes, stores, or transmits cardholder data must validate its compliance with PCI DSS annually, either by completing a Self-Assessment Questionnaire (SAQ) or by undergoing a full assessment that produces a Report on Compliance (RoC). Which route applies depends on the organisation's merchant or service provider level, which the card brands set primarily by transaction volume.

What are the PCI DSS Requirements?

PCI DSS has 12 main requirements, organised into six categories, to ensure cardholder data security.

  1. Build and Maintain a Secure Network and Systems
    • Requirement 1: Install and maintain network security controls (e.g., firewalls) to protect cardholder data.
    • Requirement 2: Apply secure configurations to all system components to prevent unauthorised access.
  2. Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data using encryption and other security measures.
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks to prevent interception.
  3. Maintain a Vulnerability Management Program
    • Requirement 5: Protect systems and networks from malicious software using anti-virus and anti-malware tools.
    • Requirement 6: Develop and maintain secure systems and applications through regular updates and patches.
  4. Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data to only those who need it for their job.
    • Requirement 8: Identify and authenticate access to system components to ensure only authorised users can access sensitive data.
    • Requirement 9: Restrict physical access to cardholder data to prevent unauthorised physical access.
  5. Regularly Monitor and Test Networks
    • Requirement 10: Log and monitor all access to network resources and cardholder data to detect and respond to security incidents.
    • Requirement 11: Regularly test security systems and processes to ensure they are effective.
  6. Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security for all personnel to ensure everyone understands their role in protecting cardholder data.

What are the consequences of non-compliance with PCI DSS?

Failure to comply with PCI DSS can have several severe consequences:

Financial Penalties: The card brands can levy significant fines on the acquiring bank of a non-compliant organisation, and the acquirer typically passes these on to the organisation. Until compliance is achieved, these fines can range from $1,000 to $100,000 per month.

Legal Consequences: Non-compliance can lead to legal action, including lawsuits from affected customers and regulatory bodies.

Loss of Cardholder Trust: A data breach resulting from non-compliance can severely damage your reputation, causing a loss of customer trust and loyalty.

Data Breach Expenses: In a data breach, you may incur costs related to forensic investigations, customer notifications, credit monitoring services, and more.

Regulatory Fines: Additional fines and impacts from applicable laws and regulations, such as GDPR, could also occur. Under GDPR this could mean a fine of up to €20 million or 4% of global annual turnover, whichever is higher.

Increased Transaction Costs: Credit card companies may increase transaction fees for non-compliant businesses, adding to operational costs.

Loss of Merchant Account: You could lose your ability to process credit card payments, severely impacting your business operations.

Reputational Damage: Negative publicity from a data breach or non-compliance can harm your brand's reputation, making it challenging to attract and retain customers.

How we can help

Ensuring PCI DSS compliance is crucial to protecting your business and your customers' sensitive information. AMR CyberSecurity is an approved PCI Qualified Security Assessor (QSA) Company. With over a decade of experience guiding organisations through PCI DSS obligations, our services include:

Pre-Assessment

Preparing for and completing a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC) can be complex, time-consuming, and stressful for any organisation. To help ease this, AMR CyberSecurity offers guidance and support to ensure your organisation is well-informed and prepared. Bespoke pre-assessments can include scope validation, document review, interview sessions, and advice on collecting and presenting evidence, with detailed management summary reports delivered to support any remediation planning as required.

Full Assessments (SAQ & AoC)

A Self-Assessment Questionnaire (SAQ) can be confusing for any organisation, especially for those supporting multiple payment channels. Although organisations can often complete an SAQ themselves, this can lead to misinterpretation, and your organisation may not have the internal expertise to complete it correctly. SAQs are the usual validation route for Level 2-4 Merchants and Level 2 Service Providers. The SAQ type is then determined by your organisation's payment channels and scope. AMR CyberSecurity can assist your organisation in completing any SAQ type, and our Qualified Security Assessors (QSAs) can explain and complete the SAQ on your behalf, with formal sign-off of the Attestation of Compliance (AoC) on achieving compliance.

Full Assessments (RoC & AoC)

Full assessments follow a standardised approach set by the PCI Security Standards Council. They are required by all Level 1 Merchants and Service Providers and can be contractually required for Level 2 Merchants and Service Providers. The approach is similar to an SAQ, but additional requirements are typically in scope and the assessment must be carried out by a PCI QSA. Scope validation, system testing and governance documentation will be validated as per the PCI DSS, and the outputs will be delivered as a Report on Compliance (RoC) with a supporting signed-off AoC.

Registered address
AMR CyberSecurity, 3000a Parkway
Whiteley, Fareham
Hampshire, PO15 7FX
UK
© 2024 AMR CyberSecurity · Registered Company Number: 11551941