In 2018 many UK companies suffered payment card breaches: British Airways, Dixons Carphone. These events allow us to realise how important it is to comply with the PCI DSS (Payment Card Industry Data Security Standard).
What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) was created to ensure that all organisations that accept, process, store and transmit credit card information meet a minimum level of security. The PCI DSS is administered by the PCI SSC (Payment Card Industry Security Standards Council), which was launched in 2006 to manage the Standard’s ongoing evolution.
How does it work?
To comply with the PCI DSS, your organisation must:
- Ensure customers’ payment card data is collected and transmitted securely;
- Store all data securely; and
- Validate its compliance annually by way of an RoC (Report on Compliance) or SAQ (self-assessment questionnaire) to show that the required security controls are in place.
Some businesses require the direct handling of sensitive credit card data when accepting payments. These organisations may be required to meet each one of the PCI DSS’s security controls, and would need to purchase, implement and maintain security software and hardware.
If your organisation doesn’t need to handle sensitive payment card data, it shouldn’t. By avoiding handling the data, your organisation will only have to confirm 22 straightforward security controls, such as using strong passwords.
If your organisation handles or stores payment card data, you need to define the scope of its CDE (cardholder data environment). The PCI DSS considers the CDE as the people, processes and technologies that store, process or transmit card data.
What are the 12 requirements?
The PCI DSS specifies 12 requirements that all organisations must meet in order to protect payment card data and comply with the Standard:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Requirement 12.6 of the Standard requires organisations to “Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures”.
Our interactive e-learning course introduces employees to the Payment Card Industry Data Security Standard (PCI DSS), and provides clear and simple explanations of its key requirements.