Author
Andrea Tappe
The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses which accept card payments (via debit or credit card).
When you sign a merchant agreement with a bank (or a payment service provider, such as PayPal) to accept payment cards, you also agree to comply with the PCI DSS standards – and accept liability for heavy penalties if you don’t! Your merchant agreement may also include clauses which allow your bank to:
- terminate services if you are not compliant
- request an external audit (at your expense!) to confirm compliance.
What is PCI DSS?
The major card companies (Visa, Mastercard, AMEX, Discover and JCB) have always had security policies which they expect their merchants to adhere to. In 2004, the five companies decided to combine their standards to form a single, international standard administered by the Security Standards Council (SCC) which would apply to all organisations that accepted card payments.[1] If you accept card payments, that includes your organisation!
The purpose of PCI DSS is to protect cardholders’ financial information by setting a minimum security standard that all merchants must meet or exceed. The standard is set by experts, and is designed to minimise the risk of data theft in most scenarios.
Historically, the SSC has not taken an active part in enforcing compliance. However, recent high profile data breaches have led the SSC to take a more active role, directing service providers to be more proactive in following up audit results and taking action against non-compliant businesses.
For more information about PCI DSS levels and processes, see What is PCI DSS and why should I care?
Level |
Audit Type [1] |
1 | External QSA |
2 | May Choose |
3 | Self-assess |
4 | Self-assess |
How are PCI DSS audits conducted?
The business’ level determines how audits will be conducted. Businesses may choose to publish the audit results, for example on their company website, or may keep them confidential.
Your payment services provider may request a copy of your SAQ (or may ask you to complete a SAQ via their online portal) at any time as proof of your PCI DSS compliance. Keep your completed SAQs securely in case they are requested.
Level 3 or 4 businesses
If your business is a Level 3 or 4 business, you will usually be allowed to self-assess. To complete a self-assessment:
- Download ‘Understanding the SAQs’ from the PCI DSS website.
- Identify the SAQ which your business needs to complete.
- Download and complete the appropriate SAQ.
Exception
If a card provider (for example, VISA or MasterCard) decide that your business presents an unusual risk, they may direct you to hire a QSA to complete your annual audits. This would normally occur following a security breach – failure to comply with the request would generally lead to your merchant services agreement being revoked, leaving your business unable to accept card payments.
Level 2 businesses
A level 2 business may choose to self- assess or may hire a QSA to complete the annual audit on their behalf. The process will be as above – the business identifies and completes the appropriate SAQ, which is retained as a record of compliance.
Level 1 businesses
A level 1 business must be audited by a QSA every year. The QSA will complete the appropriate SAQ and lodge it with the appropriate parties (usually your bank and the payment service provider).
How rigorous is the audit process?
Following a number of high profile breaches[2], the SSC has become more rigorous about enforcing compliance. In practical terms, this has meant that many organisations which have been self-assessing have been asked to undergo (at their own expense) a formal audit by a QSA. Most Level 1 organisations have undergone an intense scrutiny over the past two years – the focus appears to moving to Level 2 and Level 3 organisations. It is expected that this intense focus will continue until the card providers are comfortable that the risk has been reduced to manageable levels.
What if I don’t comply with all the requirements?
If your organisation does not meet a requirement, you will usually be given some time to resolve the issue.
However, if your organisation continues not to meet the PCI DSS requirements, your payment card service provider may decide that your organisation is too high a risk. They may terminate their contract with you, effectively preventing you from accepting card payments.
To avoid this, we recommend:
- Seeking professional help to establish a structure that is compliant and straightforward to maintain. This may be more cost effective than you think.
- Frequent reviews of your systems and processes to ensure ongoing compliance. It is not unknown for an organisation to become non-compliant as the result of a poorly implemented system change, for example.
- Strong change management processes to mitigate the risk of your business accidentally becoming non-compliant following a badly thought out change.
- Consider going above and beyond – implement a higher standard of security where possible to minimise your risk of a breach.
- https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard accessed 29/7/2016
- For examples of recent breaches, see: