PCI DSS – The Payment Card Industry Data Security Standard – What is it?

I'm an experienced consultant skilled in the Payment Card Industry Data Security Standard (PCI DSS), and a strong consulting professional with a Master of Science (MSc) focused on Information Management and Security.
The PCI DSS, also known as PCI, was developed by the founding payment brands of the PCI Security Standards Council (SSC) - MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB. The SSC's founding members, along with UnionPay as a strategic member, continue to maintain and update the standard.
In simple terms, PCI is a standardized set of controls that must be implemented in security policies, technologies, and ongoing processes to safeguard payment systems and prevent the compromise or theft of payment cardholder data.
PCI applies to debit, credit, or pre-paid cards branded with the logos of the six participating card brands: American Express, Discover, JCB, MasterCard, Visa International, and UnionPay.
Unlike risk-based standards like ISO 27001, PCI mandates specific controls that must be followed. The controls you need to comply with and whether you require an external assessor or can self-assess through a questionnaire depend on how you accept payments and the volume of transactions, not their value.
If you process, store, transmit, or have the ability to impact the security of cardholder data, PCI compliance is required. Even if you outsource payment card handling, you are still responsible for ensuring that your outsourcers and third parties are PCI compliant. Non-compliance with the standard can lead to penalties, including the severe consequence of losing the ability to accept payment cards. Penalties may also include monthly fines until compliance is achieved and increased payment card transaction fees.
Moreover, a data breach typically results in reputational damage and loss of trust with cardholders. If the breach involves personally identifiable information (PII), the organization may face investigations and fines from the Information Commissioner's Office (ICO).
So, where does your PCI compliance journey start?
The initial step in achieving PCI DSS compliance is gaining a comprehensive understanding of the flow of your payment card data within your organization. This entails identifying where payment card information enters your organization, where it is transmitted, who it is shared with, the systems and components it interacts with, where it is stored, the format in which it is stored, and the individuals who have access to it.
It is crucial to assess the data flow for each payment channel you utilize, as this will determine the scope of your compliance efforts. The objective is to maintain a focused and limited scope. Additionally, it is important to ascertain the annual volume of transactions you process. This information will determine the specific controls outlined in the PCI standard that you must adhere to, as well as whether you can complete a self-assessment questionnaire (SAQ) or if an external assessment is necessary.
Once you have a clear understanding of your payment card data flow, scope, and required controls, the next recommended step is to conduct a gap analysis. This analysis will help you identify areas where you already comply with the standard and areas that require improvements.
While the controls are mandatory, there are multiple approaches to achieving compliance, and it is essential to be practical and considerate of your business operations. Once the necessary improvements have been made, you can proceed with inviting an external assessor or completing the SAQ.
It is vital to recognize that PCI compliance should not be treated as a one-time project or requirement but as an ongoing journey. Compliance needs to be obtained and maintained consistently. Whether you undergo assessments by external specialists or complete an SAQ, compliance is an annual and continuous process. While assessments provide a snapshot of compliance at specific points in time or for time-sensitive tasks, your obligation to your clients and their trust in you to secure their card data is continuous. It is imperative to ensure ongoing compliance, maintain their confidence, and protect your reputation.