Data security

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory requirements designed to safeguard cardholder data. PCI DSS compliance is mandatory for any business that processes credit and debit card transactions and vital for companies that want to keep their customers’ data secure.

Each transaction your business processes will involve sensitive cardholder information. This data must be processed, stored and transmitted securely to protect your customers and your business from the increasing threat of fraud.

Benefits of PCI DSS compliance

Build trust

Achieving PCI DSS compliance shows your company is dedicated to keeping your customers’ valuable information safe and secure and out of the hands of fraudsters.

Protect reputation

Complying with PCI DSS requirements means avoiding a wide range of financial and reputational costs that can arise from non-compliance.

Meet customer expectations

As customers become increasingly aware of how important it is to know their financial and personal data is safe, you are less likely to lose them to a competitor if they know their data is your priority.

The global standard

PCI DSS consists of 12 high-level requirements across six categories. Some or all the 12 may be applicable to you depending on the nature of your business, and whether you store card data or not.

Compliance with PCI DSS is mandated by all the Card Schemes (including Visa® and Mastercard®) and applies to all businesses that accept credit and debit cards. A global forum – the PCI Security Standards Council – oversees the standard. The council released the latest update (version 4.0) on 31/3/22. PCI DSS v3.2.1 remains valid until 31/3/24.

How to become compliant

Businesses need to validate their compliance on an annual basis and are expected to maintain compliance at all times.

For small or medium-sized businesses you must either complete a PCI DSS Self-assessment Questionnaire (SAQ) or have a Formal Onsite Assessment by a Qualified Security Assessor(QSA) to demonstrate compliance.

For larger or more complex businesses, the PCI Security Standards Council website provides a list of approved QSAs who can work with you to ensure that your business is PCI DSS compliant.

If you are a small or medium-sized business, we require you to report your PCI DSS compliance using the Cardnet Merchant PCI Portal. There are three options:

1. Self-assessment:

Complete your own Self-Assessment Questionnaire (SAQ) via the PCI Council website at  www.pcisecuritystandards.org then upload your compliant SAQ or third-party certificate from a QSA onto our PCI DSS online portal www.lloydsbankcardnetpcidss.com Cardnet does not charge a fee for this.

Instructions on how to access the portal will be provided once your Cardnet account has been opened.

2. Assisted online reporting service:

Manage, report and maintain your compliance using our online service at www.lloydsbankcardnetpcidss.com. It provides assistance and information to help you to understand which requirements are appropriate to your business and guides you through your Self-Assessment Questionnaire (SAQ) step by step.

It’s an ongoing service with a monthly management fee of £5.00 + VAT and offers

  • Access to the PCI Helpline and online chat
  • Task and revalidation reminders
  • Information Security Policy template
  • ‘Security Measures for Your Business’ checklist
  • Access to security information and advice
  • Inclusive Approved Scanning Vendor (ASV) vulnerability scans

3. Compliance Plus service:

Let Cardnet’s Compliance Plus concierge service look after your PCI DSS compliance and payment security requirements for you. The service includes a range of cyber security tools, as well as software patching and update guidance so your organisation stays secure.

A monthly management fee of £13.00 + VAT delivers the following benefits:

  • AQ completion and submission
  • Information Security Policy template
  • ‘Security Measures for Your Business’ checklist
  • Inclusive Approved Scanning Vendor (ASV) vulnerability scans
  • Running device level vulnerability scans and remediation support
  • Guidance to ensure your software is up to date
  • Software patches
  • Cyber security software and monitoring
  • Creation and maintenance of incident response plans
  • Updating and management of documents on the PCI portal

To apply or discuss option two and three above, please call 0330 8080798 (9am to 5pm Monday to Friday).

" "

Using third-party service providers

In addition to becoming compliant yourself, if you use a third party to store, process or transmit payment card data on your behalf, you should also consider the following:

  • Clearly identify the services and system components included in the scope of the service provider’s annual onsite PCI DSS assessment.
  • Identify the specific PCI DSS requirements covered by the service provider, and any requirements that are the responsibility of their customers, to include in their own PCI DSS reviews.
  • Provide evidence that the checks covered the services of relevance to the customer and that the necessary PCI DSS requirements were determined to be in place if a third party undergoes their own PCI DSS assessment.

Any contract you have with a third party should require the other party to comply with PCI DSS. If a third party does not provide evidence of compliance, then that company’s relevant systems or processes may need to form part of your own compliance annual review. This could lead to remediation if vulnerabilities are discovered.

Third parties include:

  • Software providers
  • Payment service providers
  • Web-hosting companies
  • Electronic point of sale (EPoS) solutions
  • Till vendors
" "

Using a hosted payment solution

If you decide to use a Hosted Payment Page (HPP) to process e-commerce transactions, the most secure approach is to outsource your card data to a payment service provider. This allows you to keep the data totally segregated from your e-commerce environment at all times. 

Even with this arrangement, you should use ‘penetration testing’ which can verify that the data doesn’t enter your business’s environment, giving you peace of mind that your customers’ data is safe.

Here to help

Call our dedicated PCI DSS helpline with any questions on 03308 080798 (9am to 5pm Monday to Friday).

Call 0330 808 0798

Frequently asked questions

What does PCI DSS mean for my business?

Being PCI DSS compliant means demonstrating that your business is handling cardholder data safely and securely. You can keep only the essentials needed for your business such as name, account number or expiry date, provided these are stored in a compliant way.

You can’t store the following information:

  • Information stored in the magnetic stripe
  • The three-digit number signature strip used for mail/telephone orders or online transactions
  • PCI DSS compliance is based on 12 requirements. The specific requirements that apply to your business depend on how you process credit cards.

    PCI DSS Requirements

    Goals

    PCI DSS Requirements

    Goals

    Build and maintain a secure network

    PCI DSS Requirements

    1. Install and maintain a firewall configuration to protect data

    2. Do not use default passwords for system and other security programs

    Goals

    Protect Cardholder Data

    PCI DSS Requirements

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data and sensitive information across open public networks

    Goals

    Maintain a vulnerability management program

    PCI DSS Requirements

    5. Use and regularly update anti-virus software

    6. Develop and maintain secure systems and applications

    Goals

    Implement strong access control measures

    PCI DSS Requirements

    7. Restrict access to cardholder data to employees on a need-to-know basis

    8. Assign a unique ID to each person with computer access

    9. Restrict physical access to cardholder data

    Goals

    Regularly monitor and test networks

    PCI DSS Requirements

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

    Goals

    Maintain an information security policy

    PCI DSS Requirements

    12. Maintain a policy that addresses information security within your business

    To help you better understand these requirements, we have a dedicated PCI DSS help line you can call on 0330 808 0798 (9am to 5pm Monday to Friday).

  • We write to all Cardnet merchants when they join us to explain their PCI DSS reporting options and how to use the Cardnet merchant PCI portal. The Cardnet merchant PCI portal offers a range of services and options to assist merchants with reporting, attaining and maintaining their compliance with PCI DSS, including a dedicated PCI Helpdesk and online chat facility.

    Merchants may choose to self-upload their compliance documents to the Cardnet PCI portal at no charge or opt for our assisted online reporting service or our Compliance Plus service.

  • You need to renew your PCI DSS compliance each year or at any time you change how you process card payments. This is to reflect possible changes to your processes or card acceptance equipment, and changes in the Standard itself as it adapts to new security threats or market requirements. Usually, PCI DSS compliance is far easier in subsequent years and won’t take as long to complete.

  • We have a dedicated team to help you become and stay compliant.

    Call on 0330 808 0798 (9am to 5pm Monday to Friday) if you have any questions regarding PCI DSS.

  • If your business is processing card payments and you’re not yet compliant with PCI DSS, you are likely to be paying a monthly PCI DSS non-compliance charge. Your card acceptance services and machines could also be revoked.

  • If you have third parties involved in processing or storing card transaction data on your behalf, you need to ensure that they are compliant. Third parties can include software providers, payment service providers, web hosting companies, EPOS and till vendors, to name just a few.

  • Being PCI DSS compliant means demonstrating that your business is handling cardholder data safely and securely. You can keep only the essentials needed for your business such as name, account number or expiry date, provided these are stored in a compliant way.

    You can’t store the following information:

    • Information stored in the magnetic stripe
    • The three-digit number signature strip used for mail/telephone orders or online transactions
  • PCI DSS compliance is based on 12 requirements. The specific requirements that apply to your business depend on how you process credit cards.

    PCI DSS Requirements

    Goals

    PCI DSS Requirements

    Goals

    Build and maintain a secure network

    PCI DSS Requirements

    1. Install and maintain a firewall configuration to protect data

    2. Do not use default passwords for system and other security programs

    Goals

    Protect Cardholder Data

    PCI DSS Requirements

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data and sensitive information across open public networks

    Goals

    Maintain a vulnerability management program

    PCI DSS Requirements

    5. Use and regularly update anti-virus software

    6. Develop and maintain secure systems and applications

    Goals

    Implement strong access control measures

    PCI DSS Requirements

    7. Restrict access to cardholder data to employees on a need-to-know basis

    8. Assign a unique ID to each person with computer access

    9. Restrict physical access to cardholder data

    Goals

    Regularly monitor and test networks

    PCI DSS Requirements

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

    Goals

    Maintain an information security policy

    PCI DSS Requirements

    12. Maintain a policy that addresses information security within your business

    To help you better understand these requirements, we have a dedicated PCI DSS help line you can call on 0330 808 0798 (9am to 5pm Monday to Friday).

  • We write to all Cardnet merchants when they join us to explain their PCI DSS reporting options and how to use the Cardnet merchant PCI portal. The Cardnet merchant PCI portal offers a range of services and options to assist merchants with reporting, attaining and maintaining their compliance with PCI DSS, including a dedicated PCI Helpdesk and online chat facility.

    Merchants may choose to self-upload their compliance documents to the Cardnet PCI portal at no charge or opt for our assisted online reporting service or our Compliance Plus service.

  • You need to renew your PCI DSS compliance each year or at any time you change how you process card payments. This is to reflect possible changes to your processes or card acceptance equipment, and changes in the Standard itself as it adapts to new security threats or market requirements. Usually, PCI DSS compliance is far easier in subsequent years and won’t take as long to complete.

  • We have a dedicated team to help you become and stay compliant.

    Call on 0330 808 0798 (9am to 5pm Monday to Friday) if you have any questions regarding PCI DSS.

  • If your business is processing card payments and you’re not yet compliant with PCI DSS, you are likely to be paying a monthly PCI DSS non-compliance charge. Your card acceptance services and machines could also be revoked.

  • If you have third parties involved in processing or storing card transaction data on your behalf, you need to ensure that they are compliant. Third parties can include software providers, payment service providers, web hosting companies, EPOS and till vendors, to name just a few.

Glossary

To understand more about PCI DSS or what happens when processing card payments, it helps to learn the common terms used by the card payment industry.

Key terms explained

How do you want to take payments?

Mobile card reader illustration

Card readers

For businesses that need to take payments face to face at the till, at a table or away from their premises.
 

Card readers
Online transaction illustration

Online

For businesses who rely on taking payments through their website or other digital channels, including pay by link.

Online payments
Over the phone transaction illustration

Over the phone

For businesses who need a secure way to take payments when a cardholder is not present.

Over-the-phone payments

Important legal information

Cardnet® is a registered trademark of Lloyds Bank plc.

We may monitor or record calls to make sure we have carried out your instructions correctly and to help improve the quality of our service.

Please remember we cannot guarantee the security of messages sent by email.

Lloyds Bank plc and Bank of Scotland plc (member of Lloyds Banking Group) are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

Authorisation can be checked on the Financial Services Register at www.fca.org.uk