Businesses that store card information for customers making future payments are ripe targets for hackers. Phishing schemes targeting individuals produce the odd return, but a database holding potentially millions of cardholders’ information is a much more tempting prospect. To properly protect this sensitive information, the Payment Card Industry (formed of major card networks like Visa and MasterCard) created a set of regulations that any organisation that processes card payments must conform to, regardless of whether details are retained or not. Those regulations are called the Payment Card Industry Data Security Standard, or PCI DSS.
What is PCI DSS?
The PCI DSS is a set of requirements that your organisation must meet to be considered a secure place to store sensitive cardholder information like credit card numbers. The requirements are updated regularly to keep pace with evolving threats and technology. The most recent version, PCI DSS 4.0, was released in March 2022.
PCI DSS compliance is not an optional certification for businesses. Without the protection of the security measures in the standard, you could leave your customers’ information open to attack from anyone. If you do suffer a breach of information and the PCI discovers you were not up to standard, you can face fines into the hundreds of thousands of pounds, and your accounts with card networks could be terminated, cutting off your ability to receive card payments.
The stamp of PCI DSS shows your customers and partners that you take data security seriously and that your business can be trusted with their most sensitive information.
What are the requirements for PCI DSS?
The PCI DSS has twelve main requirements organised into six broad categories known as control objectives. These control objectives are:
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
For the full list of requirements and how to achieve each one, see our PCI DSS Checklist.
What are the levels of PCI DSS compliance?
The PCI DSS requirements aren’t applied in the same way to every business. Different scales of business have different methods of assessment to ensure their compliance with the standard. There are four levels of compliance:
· Level Four
o Fewer than 20,000 Visa, MasterCard or Discover transactions per year
· Level Three
o 20,001 – 1,000,000 Visa, MasterCard or Discover transactions per year
o Fewer than 50,000 American Express transactions per year
· Level Two
o 1,000,001 – 6,000,000 Visa, MasterCard or Discover transactions per year
o 50,001 – 2,500,000 American Express transactions per year
· Level One
o More than 6,000,000 Visa, MasterCard or Discover transactions per year
o More than 2,500,000 American Express transactions per year
Organisations at Levels Two to Four can maintain their compliance through annual self-assessments and quarterly network scans. Level Two organisations must also submit a Report on Compliance from an external Qualified Security Assessor (QSA) to demonstrate their compliance.
Level One organisations must undergo a complete external audit annually by a QSA who will perform an on-site evaluation including reviewing documentation and technical information.
OmniCyber Security can assist any business with achieving PCI DSS compliance. We can offer anything from QSA services for larger businesses to initial advice for start-ups looking to become compliant for the first time. We are a PCI Approved Scanning Vendor and offer unlimited scans throughout the year for your organisation, so you can be comfortable in your security between compliance reports.
Contact OmniCyber today to discuss the PCI DSS needs of your organisation with our expert team.