PCI DSS Compliance

PCI DSS stands for The Payment Card Industry Data Security Standard (PCI DSS) and was created by Visa®, MasterCard®, JBC®, Discover® and American Express® and is made up of 12 requirements designed to secure business systems that store, process or transmit card holder data. It was developed to protect consumers and merchants against security breaches. Today PCI DSS is issued and updated by the Security Standards Council (PCI SSC).

The official PCI Security Standards Council Site details information about PCI Compliance, Assessors and Solutions, Training and Qualification. The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

For customers to transact with an organisation either via a contact centre or online they need to be confident that their payment cards will not be compromised, their personal details are secure, and their identities cannot be stolen. PCI DSS compliance means that merchants and service providers meet their obligations to ensure customer payments are secure.

PCI DSS is mandatory worldwide. It applies to any organisation, without regard to size, value, or number of transactions, if that organisation collects, transmits, maintains, or transfers card data. Anyone who transacts with one of the major credit card companies such as Visa, Mastercard, American Express or Discover, must comply with the data security standard. In other words, if credit card information touches your secure network at any point, you must comply with these PCI standards.

The PCI DSS regulation applies to card payments over all channels, including in store and online.

Every contact centre that accepts credit and debit card payments over the telephone needs to be PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI DSS requirements cover a great many areas and touches almost every aspect of an organisation’s operations.

Even if your contact centre does not record telephone calls, it does not make you compliant – you will only have met a single requirement out of hundreds. Manual ‘pause and resume’ on calls is also not compliant. Download Encoded’s booklet – The Truth about PCI DSS in Contact Centres for more information.

PCI DSS prohibits the recording or storing of any CAV2, CVC2, CVV2 or CID codes after authorisation even if the recording is encrypted. The standard states, “It is a violation of PCI DSS to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted.”

Failure to meet PCI compliance and protect customer data adequately can result in financial penalties and charges, damage to a business’ reputation and loss of customer trust, as well as potential stolen customer funds or identity. You may also be subject to fraud losses, diminished sales, reputational damage, possible legal costs, settlements and judgements.

To be PCI compliant, organisations have to demonstrate that they have reached a level of security awareness and competence to a point where the risk of losing debit and credit card data is regarded as less than that of a non-PCI compliant organisation.

Becoming compliant means taking measures regularly. No one size fits all – every organisation is set up differently and therefore needs to be assessed on an individual basis and depending on the kinds of security risks that the business faces.

To be PCI compliant your organisation must demonstrate that they have reached a level of security awareness and competence to a point where the risk of losing debit and credit card data is regarded as less than that of a non-PCI compliant organisation.

There are four PCI compliance levels, which are determined by the number of transactions an organisation handles each year.

• Level 1: Merchants that process over 6 million card transactions annually.
• Level 2: Merchants that process 1 to 6 million transactions annually.
• Level 3: Merchants that process 20,000 to 1 million transactions annually.
• Level 4: Merchants that process fewer than 20,000 transactions annually.

Level 1 Merchants are required to complete quarterly network scans by an ASV (approved scanning vendor), and are required to undergo an annual ROC (Report on Compliance) completed by a QSA (Qualified Security Assessor).

To become compliant there is a PCI checklist of 12 requirements, consisting of 258 controls, which must be implemented and the cost of this to a business can vary significantly. To many, the costs involved can be prohibitive but there is money to be saved by undertaking a programme of reducing the scope of the cardholder data environment (or de-scoping). The 12 high level requirements fall into the six categories below:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.

The type of audit you must undergo, and your exact PCI DSS requirements will vary depending on your merchant or service provider level.

To truly understand the best practices for each of the 258 boxes that should be ticked takes a real specialist; however, looking at the key vulnerabilities, namely staff and the choice of third-party payments supplier, will result in large reductions in both PCI DSS scope.

The SCC publishes the latest details and documents on PCI DSS compliance on its website, including reference guides, policy templates and forms and FAQs.

Merchants and service providers can demonstrate their compliance with the PCI DSS by completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard. The types of audit are:

• An RoC (Report on Compliance) completed by a PCI QSA (Qualified Security Assessor) organisation such as IT Governance or by an ISA (Internal Security Assessor).
• An Self-assessment Questionnaire (SAQ) signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider’s requirements.
• An external vulnerability scan conducted by an ASV (Approved Scanning Vendor).

The type of audit you must undergo, and your exact PCI DSS compliance requirements will vary depending on your merchant or service provider level, based on the number of card transactions processed per year.

To implement the PCI standard you must start with scoping your organisation. This process involves identifying all system components that are located within or connected to the cardholder data environment (comprised of people, processes, and technology that handle cardholder data or sensitive authentication data).

Scoping is an annual process and must occur prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.

De-scoping is the process to reduce the number of requirements (tick-boxes) for PCI compliance. This can be achieved by passing the responsibility of handling card data to a third party. As the merchant account agreement is between the merchant and the acquirer, the responsibility for PCI compliance cannot be entirely removed, however the amount of time and work required demonstrating compliance can be dramatically reduced.

There is no such thing as a PCI DSS compliant product. Only companies and other legal entities can be PCI compliant, not products or software. Products are often incorrectly marketed as PCI DSS compliant. To advertise this claim is to miss the point that PCI DSS is trying to achieve, ie to maintain a unified security standard to which merchants must adhere.

Only select suppliers that appear on the VISA Merchant Agent Website List. Not all payment solution providers are created equal. Contact centres typically use multiple technologies so it is becoming increasing important to understand just who does what and who needs to be PCI compliant. The Website list details Level 1 and level 2 Service Providers (refer to What is the difference between a Level 1 and Level 2 Service Provider?).

The amount of time and work required demonstrating compliance can be dramatically reduced when working with a third-party payment solution provider. However, the responsibility for PCI compliance cannot be entirely removed. PCI DSS covers the entire trading environment, which means all third-party partners and vendors that handle card data on their behalf or supply services where card data is transmitted, must also comply before full PCI DSS compliance is achieved.

When a merchant uses a validated third party to capture the payment information from their own website, the actual process of data capture bypasses their systems. In this way, they need not hold client data in-house and thus alleviate some of the risk and obligations associated with PCI compliance.

One of the latest versions of PCI DSS introduced a new requirement for service providers to supply a “Responsibility Matrix” which defines who is responsible for each of the 300+ PCI controls; namely the client, the supplier or both.

Every organisation is set up differently and therefore needs to be assessed on an individual basis. What you’ll need to do to become compliant is dependent on the kinds of security risks that your business faces.

Many small- and medium-sized businesses can prove their compliance with PCI DSS by filling out a Self-Assessment Questionnaire (SAQ). You can also choose to have your payment environment assessed by an accredited Qualified Security Assessor, but this usually applies to larger organisations due to the costs and volume of transactions involved.

Known by the acronym SAQ, a Self-Assessment Questionnaire is a form that organisations must complete to confirm compliance with each requirement of the PCI DSS necessary.

A Self-assessment Questionnaire (SAQ) is signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider’s requirements.

Recurring payments can help to reduce the scope and cost of PCI DSS compliance audits. Once an initial transaction is verified the card used becomes trusted and any repeat uses will not require details to be taken again. On average 40% of customers will opt to have their card details stored for future use. However, there may not always be funds available on the stored card and therefore payments can be declined.

Tokenisation, recurring and stored card payment solutions mean that organisations with contact centres can vastly reduce the scope of their PCI audits. Tokens can only be used through specific payment gateways and if they are stolen or written down then the token is completely useless to anyone outside the payment environment.

Some third-party payment solution providers (such as Encoded) have a tokenisation feature to enable card holders to validate and amend stored cards when something goes wrong; avoiding fines, fees and interest charges by self-managing the details held on file.

The best way to minimise future costs as the standard evolves is to minimise exposure to the primary risk areas such as staff and infrastructure. Invest in training and education on the PCI DSS standard in order to have the talent in house and work with payment organisations that are themselves Level 1 PCI DSS compliant.