Compliance Management
PCI DSS
PCI DSS is a set of requirements for payment account data security and is vital if you handle any sort of credit card data within your organization. Note that the PCI DSS has recently changed, so you should re-evaluate your current processes to ensure you are still compliant. Our blog below can help you understand more about the changes. If you have any questions or are interested in PCI DSS services, then contact us today.
Our range of experience, accreditations, and customer testimonials demonstrate why we stand out from the crowd. Core-Infosec is one of the most experienced organizations in the world for PCI Compliance consulting, auditing and pragmatic security solutions.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised information security standard designed specifically to apply to organizations that handle credit card data.
- The PCI DSS was created with one simple goal – to ensure that businesses can process credit and debit card payments securely, protecting businesses and consumers and reducing the likelihood of card fraud.
- PCI QSAs (Qualified Security Assessors) are individuals who are certified to assess merchants and service providers against the standard and provide a formal Report on Compliance (ROC).
Who Should Comply With PCI DSS?
Any organization that processes card data must comply with PCI DSS. Merchants are usually businesses taking payment for a service they sell, such as a retailer or call centre.
Depending on how a merchant processes card payments, and how many transactions they process per year, requirements for demonstrating compliance with PCI DSS will vary.
PCI DSS can also apply to organizations that provide services to businesses that handle credit card data, such as data centres and managed service providers.
This is true even if the service provider itself does not process card payments or have access to credit card information. As well as supporting their own customers’ PCI DSS compliance, service providers can differentiate themselves from their competition by becoming compliant with PCI DSS.
Why is PCI Compliance Important?
According to UK Finance, an organization that represents more than 250 firms across the industry, 56% of all financial fraud in 2018 related to payment card fraud, with losses totalling over £670 million in the UK alone. Complying with the PCI DSS allows your organization to demonstrate your commitment to maintaining a secure environment to your bank and your customers.
Your organization can reduce the risk of a breach of credit card data by:
- Implementing PCI DSS controls appropriate to how you store, process, and transmit cardholder data.
- Engaging a QSA to independently validate your compliance.
- Maintaining PCI DSS requirements as “business as usual”.
What Are The Penalties For Non-compliance With The PCI DSS?
Any organization that handles credit card data but fails to comply with PCI DSS is at risk of a number of financial and reputational consequences.
- Non-compliance fees – a regular fine from your bank for failing to be compliant.
- Reputational damage in the event of a breach.
- Inability to process payments.
- GDPR and DPA related fines in the event of a breach.
- Fines from your bank in the event of a breach.
To help reduce risk and avoid penalties as a result of a breach or non-compliance, organizations must understand how they store, process, and transmit credit card data, and ensure that all applicable requirements of PCI DSS are in place.
What Are The 12 Requirements For PCI DSS?
The PCI DSS is divided into 12 sections, each containing a series of specific requirements. In total there are over 300 individual requirements, and depending on how you process card payments, some or all of these will apply to your organization.
Control objectives
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel