What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to safeguard cardholder data. Compliance is mandatory for any business that processes credit and debit card transactions, and it is vital for companies that want to keep their customers’ data secure.
Each transaction your business processes will involve sensitive cardholder information. This data must be processed, stored and transmitted securely to protect your customers and your business from the increasing threat of fraud.
Benefits of PCI DSS compliance
The global standard
PCI DSS consists of 12 high-level requirements across six categories. Some or all of the 12 may apply to you, depending on the nature of your business and whether or not you store card data.
Compliance with PCI DSS is mandated by all the card schemes (including Visa® and Mastercard®) and applies to all businesses that accept credit and debit cards. A global forum, the PCI Security Standards Council, oversees the standard. The council released the latest update (version 4.0) on 31/3/22; PCI DSS v3.2.1 remains valid until 31/3/24.
Using third-party service providers
In addition to becoming compliant yourself, if you use a third party to store, process or transmit payment card data on your behalf, you should also:
- Clearly identify the services and system components included in the scope of the service provider’s annual onsite PCI DSS assessment.
- Identify the specific PCI DSS requirements covered by the service provider, and any requirements that remain the responsibility of its customers and must be included in their own PCI DSS reviews.
- If the third party undergoes its own PCI DSS assessment, obtain evidence that the assessment covered the services relevant to you and that the necessary PCI DSS requirements were found to be in place.
Any contract you have with a third party should require the other party to comply with PCI DSS. If a third party does not provide evidence of compliance, then that company’s relevant systems or processes may need to form part of your own annual compliance review. This could lead to remediation work if vulnerabilities are discovered.
Third parties include:
- Software providers
- Payment service providers
- Web-hosting companies
- Electronic point of sale (EPoS) solutions
- Till vendors
Using a hosted payment solution
If you decide to use a Hosted Payment Page (HPP) to process e-commerce transactions, the most secure approach is to hand the capture of card data over to a payment service provider. This keeps the data totally segregated from your e-commerce environment at all times.
Even with this arrangement, you should commission penetration testing to verify that card data does not enter your business’s environment, giving you peace of mind that your customers’ data is safe.