Posted inPCI DSS compliance
What do you need to prove you can handle card payments securely — a black belt, a Michelin star, an OBE or maybe even the Nobel prize for security? The correct answer is PCI DSS. But what does this security standard really mean?
Taking card payments can be a risky business for merchants, whether transactions take place via the web, using mobile apps or over the phone with contact centre agents.
CNP crime cost the UK £432 million in 2016 and is estimated to double that to reach £608 million by 2021, according to the National Audit Office. And, Financial Fraud Action UK stated that in 2016 card fraud accounted for 75% of all financial fraud in the UK.
The industry is hitting back — and PCI DSS is one of its most powerful weapons. But the mention of PCI DSS often prompts a series of questions. So let's answer them, one by one.
PCI DSS top #10 questions and answers
Question #1: What is PCI DSS?
A: PCI DSS (the Payment Card Industry Data Security Standard) is a security standard for organisations to follow if they store, transmit or process cardholder data (CHD) and/or sensitive authentication data (SAD). PCI DSS is intended to protect sensitive cardholder data and prevent fraud. The standard is managed by the Payment Card Industry Security Standards Council, which includes American Express, MasterCard, Visa Inc and other card providers.
Question # 2: What are the penalties for non-compliance?
A: Non-compliance often comes to light when there's a data breach. Payment brands can issue fines that can run into hundreds of thousands of pounds. Companies may also face increased transaction fees or even be prevented from accepting payments by card. They may also have to pay for a forensic investigation into the causes of any compromise. A breach can also be followed by bad publicity, a damaged reputation, costly compensation to customers and lost business.
Question #3: What are PCI DSS compliance levels?
A: Merchants and payment service providers fit into different compliance levels, depending on the number of credit card transactions they handle. Level One is for those processing over six million transactions per year. Level Four applies to merchant processing fewer than 20,000 e-commerce transactions and all other merchants processing up to 1 million transactions per year— regardless of the acceptance channel (not just e-commerce).
Question #4. How do organisations satisfy PCI DSS requirements?
A: All organisations need to complete an Attestation of Compliance (AOC) form and have a quarterly network scan by an Approved Scanning Vendor (ASV). In addition, Level One organisations must have an annual on-site assessment — called a Report on Compliance (ROC) — completed by an independent Qualified Security Assessor (QSA). All others must submit an annual Self-Assessment Questionnaire (SAQ).
Question #5: If our software is PA-DSS certified, does that mean we're compliant already?
A: Any Payment Application - Data Security Standard (PA-DSS) certified software may help you with security and compliance, but it will never absolve you from your overall PCI DSS responsibility. The rest of your contact centre environment needs to be compliant. Only software applications or products are included in the PA-DSS list – it doesn’t include services.
Question #6: What is the PCI DSS Attestation of Compliance?
A: The Attestation is a statement signed by an officer of your company — usually the Chief Financial Officer or Head of Compliance. It certifies that all relevant PCI requirements have been met by your organisation. There are different versions of the Attestation, depending on the scope of your business.
Question #7: Can we complete our own Self-Assessment Questionnaire (SAQ)?
A: Level One merchants and Service Providers need an assessment by an independent QSA to validate their compliance. Other organisations complete the correct SAQ version for their business — and can do this themselves. There are different SAQs for different types of organisations, ranging from companies with payment application systems to those who outsource all their cardholder data-related activities to a PCI DSS payment service provider. Those who outsource may only need to complete a simple two-page SAQ.
Question #8: How can I find a QSA?
A: Qualified Security Assessor companies have been approved by the PCI Security Standards Council to validate an organisation's compliance with PCI DSS. The Council manages a searchable database of companies and assessors.
Question #9: As a Level One merchant, how can we make PCI DSS compliance simpler?
A: If you are currently capturing, storing, processing or transmitting card data, then the burden of applying levels of security to meet PCI DSS standards will weigh heavily on you. Achieving compliance yourself can be demanding, complex and costly —distracting you from your core business. The most pragmatic and secure approach is to outsource activities to a trusted payment Service Provider. With the right solutions you can prevent any card data from entering your contact centre and systems - removing your environment from the scope of PCI DSS.
Question #10: Does outsourcing mean we can forget about PCI DSS completely?
A: Not completely. The quarterly network scan and annual Attestation of Compliance still needs to take place. Also, even though a payment service provider will be looking after transactions on your behalf, your company is still ultimately responsible for data security. That's why choosing a provider with the right experience and credentials is essential.
Delve deeper by getting your free copy of our ebook The Definitive Guide to PCI DSS compliance. It's everything you wanted to know about PCI DSS compliance and secure payments but were too afraid to ask.
Latest Blog Items
Tuesday, 21 January 2020 PCI DSS compliance – can you see the hidden threatsTitanic differences in de-scoping vendors
Tuesday, 14 January 2020 Challenge #4: Customers get stuck serving themselvesIf your customers hit problems that stop them from purchasing online or completing important information, can you step in heroically — and save the day? Every company needs a lifeguard.
Monday, 06 January 2020 The Contact Centre of the Future - part 1 - CustomersWhat will the Contact Centre of the Future look like? In a five-part series, Ashley Burton, Head of Product at Eckoh, explores the radical changes ahead – starting with a new breed of customer that's emerging.