The Payment Card Industry Data Security Standards (PCI DSS)
Compliance with these standards is now compulsory for all merchants who accept payment cards when offering goods and services. You must be PCI DSS compliant if you handle, process or store payment card details, whether on computers or on paper.
Merchants also need to verify that compliance is in operation through any third parties involved in their transactions.
There can be serious financial penalties for data security breaches, and for cases where card information is compromised as a result of non-conformance with PCI DSS. Compliance is also subject to renewal on an annual basis.
However, merchants do not need to feel anxious, because the compliance process is straightforward and help and advice are available in determining:
- Levels of compliance
- How to become compliant
There are 4 merchant levels of compliance. The level ascribed to a merchant is determined by the number of card transactions you accept per annum, per card scheme, and by the channel you use to accept those transactions.
The basic standards cover areas such as the security management of data, policies and procedures. Common sense underpins the standards, and PCI DSS is not a new construct. It is based on existing ISO standards, which are essentially best practice; for compliance, you need to demonstrate that you have processes in place that:
- Store card data securely
- Limit access (internally and externally) to the data
- Review, test and maintain security on a regular basis
- Reflect a policy you have documented on your security processes and procedures
We recommend that you ask the advice of your acquiring bank (the organisation providing your merchant account) and that you visit the PCI Security Standards Council website.
You will also need the help and guidance of a Qualified Security Assessor (QSA). One such organisation that has helped some WVFDTA members achieve compliance, at low cost, is Security Metrics, 0844 561 1662.