
Top 10 facts about PCI Compliance that you need to know
Tuesday, 26 September 2017

What do you need to prove you can handle card payments securely — a black belt, a Michelin star, an OBE or maybe even the Nobel prize for security? The correct answer is PCI DSS. But what does this security standard really mean?


Taking card payments can be a risky business for merchants, whether transactions take place via the web, using mobile apps or over the phone with contact centre agents.

Card-not-present (CNP) fraud cost the UK £432 million in 2016 and is forecast to rise to £608 million by 2021, according to the National Audit Office. Financial Fraud Action UK reported that in 2016 card fraud accounted for 75% of all financial fraud in the UK.

The industry is hitting back — and PCI DSS is one of its most powerful weapons. But the mention of PCI DSS often prompts a series of questions. So let's answer them, one by one.

PCI DSS: top 10 questions and answers

Question #1: What is PCI DSS?

A: PCI DSS (the Payment Card Industry Data Security Standard) is the security standard that organisations must follow if they store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). It is intended to protect cardholder data and reduce card fraud. The standard is maintained by the PCI Security Standards Council, which was founded by the card brands American Express, Discover, JCB, MasterCard and Visa. The brands, not the Council, enforce compliance through their agreements with acquiring banks.

Question #2: What are the penalties for non-compliance?

A: Non-compliance usually comes to light only after a data breach. The card brands can levy fines that run into hundreds of thousands of pounds; these are imposed on the acquiring bank, which normally passes them on to the merchant. Companies may also face increased transaction fees or lose the ability to accept card payments altogether, and they are typically required to fund a forensic investigation (by a PCI Forensic Investigator) into the cause of the compromise. On top of that, a breach brings bad publicity, reputational damage, compensation to customers and lost business.

Question #3: What are PCI DSS compliance levels?

A: Merchants and service providers are assigned compliance levels based on the number of card transactions they handle each year. The thresholds are set by each card brand, so check the brand's own definitions, but the commonly cited merchant levels (Visa's) are: Level One for merchants processing over six million transactions per year; Level Two for one million to six million; Level Three for 20,000 to one million e-commerce transactions; and Level Four for merchants processing fewer than 20,000 e-commerce transactions and all other merchants processing up to one million transactions per year, regardless of acceptance channel (not just e-commerce). Service providers use a separate, lower threshold: Level One applies from 300,000 transactions per year.

Question #4: How do organisations satisfy PCI DSS requirements?

A: Every organisation must validate its compliance annually and sign an Attestation of Compliance (AOC). Level One merchants and Level One service providers must have an annual on-site assessment by an independent Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC). All others validate by completing the appropriate annual Self-Assessment Questionnaire (SAQ). Where the organisation has Internet-facing systems in scope, it must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV); the minimal-footprint SAQ types (for example SAQ A, where all cardholder data functions are fully outsourced) do not require them.

Question #5: If our software is PA-DSS certified, does that mean we're compliant already?

A: Using Payment Application Data Security Standard (PA-DSS) validated software can help with security and compliance, but it never absolves you of your overall PCI DSS responsibility: the application must be deployed and configured as its implementation guide describes, and the rest of your contact centre environment still has to be compliant. Only software applications appear on the PA-DSS list; it does not cover services. (Note that the PCI Council has since retired PA-DSS in favour of the PCI Software Security Framework, which covers payment software in a similar way.)

Question #6: What is the PCI DSS Attestation of Compliance?

A: The Attestation is a declaration signed by an officer of your company, usually the Chief Financial Officer or Head of Compliance, confirming that your organisation has met all applicable PCI DSS requirements. There are different versions of the AOC depending on whether you are a merchant or a service provider and whether you validated with a ROC or with a particular SAQ.

Question #7: Can we complete our own Self-Assessment Questionnaire (SAQ)?

A: Level One merchants and Level One service providers need an assessment by an independent QSA to validate their compliance. Other organisations select the SAQ version that matches how they handle card data and can complete it themselves. The SAQs range from the full questionnaire (SAQ D) for companies that run their own payment application systems, through intermediate versions for specific channels such as stand-alone terminals or virtual terminals, down to SAQ A for those that outsource all cardholder data functions to a PCI DSS validated service provider. Those who outsource fully may only need to complete the short SAQ A.

Question #8: How can I find a QSA?

A: Qualified Security Assessor companies are approved by the PCI Security Standards Council to validate an organisation's compliance with PCI DSS. The Council publishes a searchable list of approved QSA companies and ASVs on its website, so check that any assessor you engage is currently listed.

Question #9: As a Level One merchant, how can we make PCI DSS compliance simpler?

A: If you are currently capturing, storing, processing or transmitting card data yourself, the burden of applying the controls needed to meet PCI DSS will weigh heavily on you. Achieving compliance in-house is demanding, complex and costly, and it distracts you from your core business. The most pragmatic and secure approach is to outsource payment handling to a trusted, PCI DSS validated service provider. With the right solution, card data never enters your contact centre systems, telephony or call recordings, which shrinks your PCI DSS scope to a minimum.

Question #10: Does outsourcing mean we can forget about PCI DSS completely?

A: Not completely. You still need to validate annually and sign an Attestation of Compliance, and quarterly ASV scans still apply if any Internet-facing systems remain in scope. Even though the service provider handles transactions on your behalf, your company remains ultimately responsible for the security of its customers' card data. PCI DSS therefore requires you to manage your providers: keep a list of them, obtain and review each provider's current AOC at least annually, and agree in writing which PCI DSS requirements the provider handles and which stay with you. That is why choosing a provider with the right experience and credentials is essential.


Delve deeper by getting your free copy of our ebook The Definitive Guide to PCI DSS compliance. It's everything you wanted to know about PCI DSS compliance and secure payments but were too afraid to ask.

If you'd like to know more about secure payments then get in touch.

About the Author

Tony Porter

Head of Global Marketing

Tony has over 30 years’ experience in sales, marketing and business development and currently leads these activities for Eckoh in both the UK and US markets and across all sectors. Tony’s role focuses on helping contact centres to improve their customer engagement, making them convenient and secure for consumers to use. He understands the challenges organisations face around PCI DSS compliance and how to make the Omnichannel contact centre experience a satisfying reality. He is a regular speaker at events on topics such as PCI DSS, GDPR, contact centre technology, IVR solutions, self-service, secure payments, marketing and business development.
