The Payment Card Industry Data Security Standard (which has been helpfully abbreviated to PCI-DSS) has now been around just under 13 years. In that time, attacks have become increasingly sophisticated, and the number of devices falling within the scope of PCI-DSS has increased exponentially.
In this article, we’ll take a look at some common myths surrounding PCI-DSS to help your business make the grade. With the new v3.2 standard imminent, now is an important time to make sure your business meets the new requirements.
Can you get a one-off certification to show you are PCI-DSS compliant?
PCI DSS is not a single, annual certification. It is all about ensuring that every single card transaction, and all the cardholder data associated with it, is entirely secure.
The idea of a ‘one stop shop’ for data security overlooks the whole purpose of the requirements: to ensure comprehensive security for every transaction processed. PCI-DSS approval is a continuous process, and never guaranteed by meeting the annual self-assessment criteria.
Does PCI-DSS guarantee cardholder security?
Attacks are increasingly sophisticated, and the attack surface, in terms of the number of devices exposed, is now huge. Your PCI-DSS assessment indicates only that your business is compliant, and secure, at that exact moment in time; it therefore does not guarantee cardholder security going forward.
Your organisation should treat PCI compliance as a continuous process of assessment and re-adjustment. PCI-DSS v3.2 becomes the new standard as of 1st February 2018, and has been published as best practice since last year. Pursuing a security strategy of best practice rather than compliance is more likely to prevent an attack, and will mean you won’t be in a constant state of catch-up with regulations.
Is FCA compliance more important than PCI-DSS?
There is some belief that, since the requirements of the Financial Conduct Authority and PCI DSS seem to be in conflict, it is not necessary, or even possible, for a business to satisfy both sets of regulations. This is not the case!
The conflict appears to arise because the PCI DSS requirements forbid any merchant from storing any sensitive payment data after authorisation, while the FCA standards require merchants to keep a detailed record of all transactions on hand for potential future reference. This poses a particular problem for telephone-based transactions: the FCA would appear to require phone conversations to be recorded, while the PCI DSS would absolutely forbid that.
Both standards can be met by ensuring your business has secure telephone payment platforms in its customer contact centres. With these, customers remain securely connected to the agent over the telephone but enter their card details themselves using their own device, with approval going directly to their bank at the point of payment. Both PCI DSS and FCA standards are met because your call centre agents never receive any sensitive card information, and customers have peace of mind knowing they no longer have to read their card details out to an agent. If you deal with transactions over the telephone, be sure to have this kind of system in place.
Who determines fines in the case of a cardholder data breach?
Although card companies are of major importance in determining the regulations of PCI DSS, they ultimately only deal with acquiring banks. As a result, any fines you receive for security breaches will come from acquiring banks. It will be the acquiring banks that’ll pursue your business, as it is their level of risk that your breaches have affected. A fine for a small merchant is usually around £15,000, on top of reimbursing all investigative costs.
Does PCI-DSS compliance solely require technological security?
While ensuring all your payment processing technology is secure is one part of PCI DSS, it will not in itself guarantee security. The 12 requirements of PCI DSS compliance demand a continuous shift in attitude within your business, to ensure that every transaction processed is protected against whatever new approaches data criminals might try out.
Can your organisation carry out a PCI DSS audit internally?
Unfortunately, there are some non-qualified security advisors who claim to be able to carry out a PCI DSS audit. A full list of Qualified Security Assessors for PCI DSS is available on the PCI standards website: if someone contacting you is not on that list, do not waste your time and money on them.
Can you outsource your PCI-DSS compliance responsibilities?
Some companies do offer to maintain your PCI DSS compliance for you. Those that are accredited by PCI DSS itself (a list of these can be found on the PCI DSS website) will be legally responsible for any subsequent data breaches, and will have to pay any resultant fines.
It is important to remember, however, that if a customer knows that their data was made vulnerable while using your services, they are unlikely to accept that it was no fault of your own. Blame can stick, whatever the legal position, so it is worth having a working understanding of the PCI DSS in order to be sure whether or not you are up to standard.
Does PCI-DSS require too much of organisations?
No aspect of PCI DSS is arbitrary, and most of its steps are already common best practice for data security. The flexibility and rigour of the standard can actually make life a lot easier for merchants and data processors, as it removes any guesswork about how they could improve their security: follow the guidelines and you will know that you are operating securely.
After how many card transactions should an organisation become concerned about PCI?
Any business that accepts card payments needs to be compliant with PCI DSS: just one transaction is all it takes. If you process any card payments, you are responsible for the security of the cardholder’s data. Make sure you are up to date with the PCI DSS guidelines, whatever the scale of your operation, or you risk fines and data breaches.
Does a self-assessment qualification make your organisation compliant?
PCI DSS compliance is a continuous process, and a successful SAQ only represents your operations at one point in time. Anything can change the moment an SAQ is completed. To avoid fines and vulnerability, it is important to see PCI DSS as something to always be working towards, not a yearly box-ticking exercise.
PCI-DSS is a fundamental component of modern business. Any organisation that takes card transactions may receive harsh fines if a breach occurs and noncompliance is found. We’ll be reviewing the impact of PCI-DSS on the digital telecoms transformations we undertake, and discussing how the technologies we choose can influence our ability to comply with PCI-DSS standards.
To get your free tickets to The Digital Telecoms Transformation Forum, hosted at BT Centre in Central London, register now!