PCI DSS, what is it and why does it matter?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of technical security requirements designed by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of all organisations that accept, process, store, or transmit credit card information.

Every organisation, business, or body that accepts, processes, stores, or transmits credit card information must carry out a self-assessment (SAQ) or conduct a full audit (ROC) to attest its compliance with PCI DSS annually.

What are the PCI DSS Requirements?

PCI DSS has 12 main requirements, organised into six categories, to ensure cardholder data security.

  1. 1. Build and Maintain a Secure Network and Systems
    • Install and maintain network security controls (e.g., firewalls) to protect cardholder data.
    • Apply secure configurations to all system components to prevent unauthorised access.
  2. 2. Protect Cardholder Data
    • Protect stored cardholder data using encryption and other security measures.
    • Encrypt transmission of cardholder data across open, public networks to prevent interception.
  3. 3. Maintain a Vulnerability Management Program
    • Protect systems and networks from malicious software using anti-virus and anti-malware tools.
    • Develop and maintain secure systems and applications through regular updates and patches.
  4. 4. Implement Strong Access Control Measures
    • Restrict access to cardholder data to only those who need it for their job.
    • Identify and authenticate access to system components to ensure only authorised users can access sensitive data.
    • Restrict physical access to cardholder data to prevent unauthorized physical access.
  5. 5. Regularly Monitor and Test Networks
    • Log and monitor all access to network resources and cardholder data to detect and respond to security incidents.
    • Regularly test security systems and processes to ensure they are effective.
  6. 6. Maintain an Information Security Policy
    • Maintain a policy that addresses information security for all personnel to ensure everyone understands their role in protecting cardholder data.

What are the consequences of non-compliance with PCI DSS?

Failure to comply with PCI DSS can have several severe consequences:

Financial Penalties: Credit card companies can significantly fine non-compliant organisations. Until compliance is achieved, these fines can range from $1,000 to $100,000 per month.

Legal Consequences: Non-compliance can lead to legal action, including lawsuits from affected customers and regulatory bodies.

Loss of Cardholder Trust: A data breach resulting from non-compliance can severely damage your reputation, causing a loss of customer trust and loyalty.

Data Breach Expenses: In a data breach, you may incur costs related to forensic investigations, customer notifications, credit monitoring services, and more.

Additional fines and impacts from applicable laws and regulations, such as GDPR, could also occur. This could mean a fine of €20 million or 4% of Global Revenue, whichever is higher.

Increased Transaction Costs: Credit card companies may increase transaction fees for non-compliant businesses, adding to operational costs.

Loss of Merchant Account: You could lose your ability to process credit card payments, severely impacting your business operations.

Reputational Damage: Negative publicity from a data breach or non-compliance can harm your brand's reputation, making it challenging to attract and retain customers.

How we can help

Ensuring PCI DSS compliance is crucial to protecting your business and your customers' sensitive information. AMR CyberSecurity is an approved PCI Qualified Security Assessor (QSA) Company. With over a decade of experience guiding organisations through PCI DSS obligations, our services include:

Scoping and Gap Assessments

Scoping is the first step in any PCI DSS compliance programme. With a holistic and pragmatic approach, through assessment of an organisation's Payment Channels and Card Data Environment (CDE), our expert team can define scope and identify any gaps in PCI DSS compliance. We provide detailed scope and gap assessment reports, with pragmatic recommendations that allow organisations to make informed decision to effectively remediate and mitigate identified gaps.

SAQ and RoC Pre-Assessment

Preparing for and completing a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC) can be complex, time consuming and stressful for any organisation. To help alleviate this we offer guidance and support to ensure your organisation is well informed and prepared. Pre-assessments can include document review, mock interview sessions, guidance on how to collect and present evidence, or more tailored support.

Full Assessments (RoC & AoC)

Full assessments follow a standardised approach set by the PCI Security Standards Council. Scope, requirements and documentation will be validated as per the PCI DSS and outputs delivered in a Report on Compliance (RoC) and Attestation of Compliance (AoC). Full assessments are required by all Level 1 Merchants and Service Providers and can be contractually required for level 2-4 Merchants and Service Providers.

Registered address
AMR CyberSecurity, 3000a Parkway
Whiteley, Fareham
Hampshire, PO15 7FX
UK
© 2024 AMR CyberSecurity · Registered Company Number: 11551941