What is PCI DSS / PCI Compliance?
At Gala Technology we are regularly asked about PCI DSS – What does it stand for? What does it mean for my business? How can we comply? What are the costs?
As a multi-award-winning PCI DSS solution provider, we would like to think that we are well placed to advise you on all of the above questions and more.
Hopefully, this short guide will give you an understanding of some of the terminology and requirements, but should you need to dive deeper, please do not hesitate to reach out directly.
For more information please call our PCI Compliance experts on: 01709 911 661
What does PCI DSS stand for?
PCI DSS is an acronym which stands for the Payment Card Industry Data Security Standard.
What is the purpose of PCI DSS?
PCI DSS is a set of requirements for protecting payment account data security. These standards were developed by the PCI Security Standards Council (PCI SSC), an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis.
Simply put, it means that everyone involved in the payment process, whether the merchant or a Third Party Service Provider (TPSP), is required to ensure that the cardholder's sensitive information is kept safe and secure.
Sounds simple enough, right? But PCI compliance can pose a major challenge to organisations if they’re not equipped with the proper knowledge and tools.
Does my business need to be PCI DSS compliant?
If you process, store or transmit card payments, then the simple answer is yes, your business MUST be PCI DSS compliant.
PCI DSS compliance is a contractual obligation, generally between a Merchant and their Acquiring Bank. It applies to ALL entities that store, process and/or transmit payment card data, irrespective of the quantity of payments processed. PCI DSS also applies to Third Party Service Providers who support entities that have outsourced the payment handling process. Outsourcing does not release an entity from its obligation to be certified as compliant. The requirements apply to all acceptance channels, including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce.
Acquiring banks, not the PCI Security Standards Council, are responsible for enforcing PCI compliance. Most merchant service providers will help support the merchant towards PCI DSS compliance for a monthly fee, but if you do not evidence compliance on an annual basis you can be charged additional fees, potentially running into hundreds or thousands of pounds.
Gala Technology can help your organisation find the right acquiring partner, tools and solutions to combat the risk and cost of non-compliance. You may find our guide on acquirers or merchant service charges useful.
What happens if my business is not PCI DSS compliant?
If you do not comply with the security requirements of card associations or the PCI Security Standards Council, then you, your business, and your customers are at severe risk of payment card compromise, which can be catastrophic. Data breaches are becoming more and more frequent, and the reputational damage they can cause to a business can be irreparable. You will also be liable for the cost of the required forensic investigations, fraudulent purchases and the cost of re-issuing cards. You may also lose your card acceptance privileges.
In addition, as mentioned above, if you do not evidence PCI compliance on an annual basis to your acquiring partner, you can also incur additional merchant service charges, costing the business hundreds or thousands of pounds.
What are the penalties for data breaches?
Data breaches are known by varying names. Visa refer to them as Account Data Compromise (ADC), whereas Mastercard call them Operational Reimbursement (OR) and Fraud Reimbursement (FR). Penalties vary by card scheme and by the state of compliance at the point of breach.
Visa Europe, for example, suggest that a 3000€ penalty would apply for each ADC, which could be followed by a PFI (PCI Forensic Investigation) for Level 1-3 merchants, or for Level 4 merchants who process more than ten thousand Visa cards. Each card deemed at risk (PAN and CVV2 details) then carries a penalty of 18€.
Example: 30,000 card details breached.
Case fee: 3000€
ADC penalties: 30,000 x 18€ = 540,000€
Total: 543,000€
There are hidden costs associated with an Account Data Compromise event too, including the cost of a full compliance report, which requires engaging a QSA (Qualified Security Assessor) who meets specific information security education requirements and has taken the appropriate training from the PCI Security Standards Council, as well as the further migration and development costs of moving to outsourced solutions.
It should also be noted that information such as the Primary Account Number (PAN), also known as the 'long card number' on the front of the payment card, can be classed as Personally Identifiable Information (PII) under GDPR, which means that your business can be hit twice with costly penalties for a breach.
What are the requirements of PCI DSS?
There are six categories to consider when making your business PCI Compliant, which are staggered over twelve individual steps. The twelve steps to achieving PCI Compliance are:
Secure Your Network:
1. Protect your system with firewalls
2. Configure passwords and settings
Secure Cardholder Data:
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Programme:
5. Use and regularly update anti-virus software
6. Regularly update and patch systems
Implement Strong Access Control Measures:
7. Restrict access to cardholder data to business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to workplace and cardholder data
Network Monitoring and Testing:
10. Implement logging and log management
11. Conduct vulnerability scans and penetration tests
Maintain an Information Security Policy:
12. Documentation and risk assessment
You can also review our helpful guide which goes through these requirements in more depth here.
What are the PCI DSS compliance levels?
PCI DSS Compliance is divided into four levels, based on the annual number of credit or debit card transactions that a business might process. The classification level determines what an organisation needs to do in order to remain PCI DSS compliant.
Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorised PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
What is a PCI DSS Self-Assessment Questionnaire (SAQ)?
A PCI Self-Assessment Questionnaire (SAQ) is a merchant’s statement of PCI compliance. It is your evidence to show that you're taking the security measures needed to keep cardholder data secure at your business.
Each SAQ includes a list of security standards that businesses must review, follow and adhere to. PCI SAQs do vary in length. For example, the Self-Assessment Questionnaire known as SAQ A is the shortest, containing only 22 questions. The longest, SAQ D, contains an incredible 329 questions.
Which PCI DSS SAQ does my business need to complete?
There are 9 different SAQs a merchant can choose from. Which one applies is ultimately determined by how your business processes and handles cardholder data.
For example, if all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you process credit cards through the Internet and you also store customer credit card data you will probably fall into the SAQ D category.
SAQ-A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
SAQ-A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information and who have a website that doesn't handle card data but could impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
SAQ-B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data transmission, processing or storage. Not for e-commerce environments.
SAQ-B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce environments.
SAQ-C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce environments.
SAQ-C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
SAQ-P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
SAQ-D (merchants) is for merchants that do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.
SAQ-D (service providers) is for service providers deemed eligible to complete an SAQ.
Further information regarding SAQs can be found here.
How can Gala Technology help with your PCI DSS compliance?
The PCI DSS considers any person, employee, technology or system that comes into contact with sensitive card data as 'in scope'. To reduce the number of applicable PCI controls that must be implemented, businesses are advised by the PCI SSC to reduce who and what comes into contact with cardholder data, a process called 'descoping'.
Gala Technology have a range of award-winning payment solutions which can 'descope' your merchant environment, helping to keep your business, your employees and your customers safe from a data breach.
In fact, the PCI SSC issued guidance in November 2018 which featured our digital approach, confirming that "Criminals are increasingly looking to exploit CNP channels such as mail order/telephone order and e-commerce. Telephone-based payments represent an area of opportunity for fraud as this method of payment exposes account data in the clear and must be given full consideration in any security strategy and PCI DSS compliance program." (PCI SSC, 2018)
By descoping your environment, we help your organisation adhere to the advice from the PCI SSC by limiting the amount of card data within your environment, reducing the risk and simplifying your SAQ requirements. The majority of the merchants who use Gala Technology solutions are able to complete SAQ-A, which is just 22 questions long, enabling your business to evidence PCI DSS compliance and crack on with other aspects of your business.
We also have extensive partnerships with experts on all the subject matter above, should you require any support in evidencing your PCI compliance.
How does SOTpay help with PCI Compliance?
Our cloud-based technology does not require any additional hardware or amendments to your existing telephony or network set-up, and is Acquirer and Payment Gateway agnostic. Totally eliminating the need for capital expenditure, SOTpay can support businesses of all shapes and sizes in any sector.
SOTpay eliminates the risk of fraud-related chargebacks for businesses by authenticating MOTO and omni-channel CNP transactions and processing the payment in a PCI compliant manner. By converting a risky 'non-secure' transaction into a 'secure, authenticated, compliant' transaction in the eyes of the acquiring partner, the merchant can see significant savings in their Merchant Service Charges. We have seen businesses save in excess of £40,000 per annum following the deployment of SOTpay.
SOTpay enables you to send out an electronic payment request in real time, via email, SMS, web chat or electronic invoices.
The flexibility of the SOTpay technology enables the merchant to accept secure and compliant transactions across numerous channels, boosting business by allowing cardholders to complete transactions in their desired channel of engagement. For example, if someone is engaging with the business on Facebook, SOTpay allows the business to take payment within the Facebook Messenger environment.
By preventing cardholder data in its entirety from entering the merchant environment, SOTpay makes achieving and maintaining PCI DSS compliance easier and more manageable for your business. With liability for fraud-related chargebacks eliminated, the merchant can also deliver to an alternative delivery address, instead of just to the registered cardholder's address.
SOTpay is a disruptive payment technology, and the PCI SSC updated their global 'Protecting Telephone Payments' guidelines to include our innovative approach, which gave us tremendous credibility within the acquiring industry. We have subsequently become partners to some of the largest payment organisations in the world, helping to protect and support their merchants against the challenges that businesses face.
Our innovation has recently seen us pick up the following international accolades.