PCI DSS compliance

Complying with the latest industry security standards will help safeguard your customers and your business against theft and fraud.

Protecting your business and your customers

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory requirements designed to safeguard cardholder data. PCI DSS compliance is mandatory for any business that processes card transactions.

We are pleased to announce the launch of our PCI DSS short report to give insights on complex payment regulations.

Download The business benefits of PCI DSS short report (PDF, 13MB)

At Lloyds Bank Cardnet, we’re here to help you make sure your business is compliant.

To complement the short report you can also view our short video.

To complement the short report you can also view our short video.

Benefits of PCI DSS compliance

  • Being PCI DSS compliant means demonstrating that your business is handling cardholder data safely and securely.

    You can keep only the essentials needed for your business such as name, account number or expiry date, provided these are stored in a compliant way.

    You can’t store the following information:

    • Information stored in the magnetic stripe
    • The three-digit number signature strip used for mail/telephone orders or online transactions

  • PCI DSS compliance is based on 12 requirements. The specific requirements that apply to your business depend on how you process credit cards.

    Goals

    PCI DSS Requirements

    Goals

    Build and maintain a secure network

    PCI DSS Requirements

    1. Install and maintain a firewall configuration to protect data
    2. Do not use default passwords for system and other security programs

    Goals

    Protect Cardholder Data

    PCI DSS Requirements

    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data and sensitive information across open public networks

    Goals

    Maintain a vulnerability management program

    PCI DSS Requirements

    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

    Goals

    Implement strong access control measures

    PCI DSS Requirements

    7. Restrict access to cardholder data to employees on a need-to-know basis
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Goals

    Regularly monitor and test networks

    PCI DSS Requirements

    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Goals

    Maintain an information security policy

    PCI DSS Requirements

    12. Maintain a policy that addresses information security within your business

    To help you better understand these requirements, we have a dedicated PCI DSS help line you can call on 0330 8080798 (9am to 5pm Monday to Friday).

  • We write to all Cardnet SME merchants when they join us to explain their PCI DSS reporting options and how to use the Cardnet merchant PCI portal.

    The Cardnet merchant PCI portal offers a range of services and options to assist merchants with reporting, attaining and maintaining their compliance with PCI DSS, including a dedicated PCI Helpdesk and online chat facility.

    Merchants may choose to self-upload their compliance documents to the Cardnet PCI portal at no charge, or opt for our assisted or proactive data security services.

  • You need to renew your PCI DSS compliance each year. This is to reflect possible changes to your processes or card acceptance equipment, and changes in the Standard itself as it adapts to new security threats or market requirements. Usually, PCI DSS compliance is far easier in subsequent years and won’t take as long to complete.

    How to renew PCI DSS compliance

     

  • We have a dedicated team to help you become and stay compliant, and to certify your compliance.

    Call on 0330 8080798 (9am to 5pm Monday to Friday) if you have any questions regarding PCI DSS.

  • If your business is processing card payments and you’re not yet compliant with PCI DSS, you are likely to be paying a monthly PCI DSS non-compliance charge. Your card acceptance services and machines could also be revoked.

    Consequences of not being compliant

  • If you have third parties involved in processing or storing card transaction data on your behalf, you need to ensure that they are compliant. Third parties can include software providers, payment service providers, web hosting companies, EPOS and till vendors, to name just a few.

    Here's what you'll need to do:

    Need more information about PCI DSS or security?

    Watch our video guides about PCI DSS

    Check the Security Chapter in the Operating Manual

    Visit the official PCI DSS Council website.

    View the PCI DSS Compliance Factsheet PDF

    Or call our dedicated PCI DSS help line with any questions on 0330 8080798 (9am to 5pm Monday to Friday).

    • Self Assessment Questionnaire (SAQ) — A form that takes merchants through the steps of evaluating their PCI DSS compliance. There are different versions of the SAQ, depending on the type of business and the amount of card payments it accepts per year.
    • Quality Security Assessor (QSA) — A person who is certified by the Payment Card Industry Security Standards Council to formally assess businesses for PCI DSS compliance.
Contact us

Get in touch

Fill out our contact form

 

Contact us

New customer - 

0330 134 7976

Existing customer -

01268 56 7100

New customer - Lines are open 9am to 5pm Monday to Friday
Existing customer - Lines are open 8am to 9pm Monday to Saturday

Case studies

From global events to local businesses, Lloyds Bank Cardnet clients have benefited from our flexible service and modern technology.

View their stories here

Learn the Key Terms

Quality Security Assessor (QSA) - A person who is certified by the Payment Card Industry Security Standards Council to formally assess businesses for PCI DSS compliance.

Self Assessment Questionnaire (SAQ) - A form that takes merchants through the steps of evaluating their PCI DSS compliance. There are different versions of the SAQ, depending on the type of business and the amount of card payments it accepts per year.

Learn more key terms in our glossary

Accepting card payments

Whether you trade face-to-face, over the phone, online or a combination of these, we have the tools and support you need.

Find a payment solution that suits your business

Receive our latest news updates

Give your business an extra edge by signing up to our latest news alert.

Submit

Thank you

Thank you for subscribing to our news alert.

Read our latest articles

Receive our Thought Leadership and Market Updates

Get our top insights to help your business by signing up to our Thought Leadership and Market Updates. From the latest retail trends to payment regulation, our experts will keep you up to speed. Please enter your email below if you would like to receive our Thought Leadership and Market Updates.

Your information will be held by Lloyds Bank plc trading as Cardnet, part of the Lloyds Banking Group. More information on the Group can be found at lloydsbankinggroup.com.

Submit

Please scroll down in order to confirm acceptance of our Terms and Conditions

Who looks after your personal information

Your personal information will be held by Cardnet which trades as Cardnet, part of the Lloyds Banking Group. More information on the Group can be found at www.lloydsbankinggroup.com

How we use your personal information

We will use your personal information:

  • to provide products and services, manage your relationship with us and comply with any laws or regulations we are subject to (for example the laws that prevent financial crime or the regulatory requirements governing the products we offer).
  • for other purposes including improving our services, exercising our rights in relation to agreements and contracts and identifying products and services that may be of interest.

To support us with the above we analyse information we know about you and how you use our products and services, including some automated decision making. You can find out more about how we do this, and in what circumstances you can ask us to stop, in our full privacy notice.

Who we share your personal information with

Your personal information will be shared within Lloyds Banking Group and other companies that provide services to you or us, so that we and any other companies in our Group can look after your relationship with us. By sharing this information it enables us to better understand our customers’ needs, run accounts and policies, and provide products and services efficiently. This processing may include activities which take place outside of the European Economic Area. If this is the case we will ensure appropriate safeguards are in place to protect your personal information.

You can find out more about how we share your personal information with credit reference agencies below and can access more information about how else we share your information in our full privacy notice.

Where we collect your personal information from

We will collect personal information about you from a number of sources including: information given to us on application forms, when you talk to us in branch, over the phone or through the device you use and when new services are requested. from analysis of how you operate our products and services, including the frequency, nature, location, origin and recipients of any payments. from or through other organisations (for example card associations, credit reference agencies, insurance companies, retailers, comparison websites, social media and fraud prevention agencies). 

In certain circumstances we may also use information about health or criminal convictions but we will only do this where allowed by law or if you give us your consent.

You can find out more about where we collect personal information about you from in our full privacy notice.

Do you have to give us your personal information

We may be required by law, or as a consequence of any contractual relationship we have, to collect certain personal information. Failure to provide this information may prevent or delay us fulfilling these obligations or performing services.

What rights you have over your personal information

The law gives you a number of rights in relation to your personal information including:

  • the right to access the personal information we have about you. This includes information from application forms, statements, correspondence and call recordings.
  • the right to get us to correct personal information that is wrong or incomplete.
  • in certain circumstances, the right to ask us to stop using or delete your personal information.

From 25 May 2018 you will have the right to receive any personal information we have collected from you in an easily re-usable format when it’s processed on certain grounds, such as consent or for contractual reasons. You can also ask us to pass this information on to another organisation.

You can find out more about these rights and how you can exercise them in our full privacy notice.

Other individuals you have financial links with

We may also collect personal information about other individuals who you have a financial link with. This may include people who you have joint accounts or policies with such as your partner/spouse, dependents, beneficiaries or people you have commercial links to, for example other directors or officers of your company. We will collect this information to assess any applications, provide the services requested and to carry out credit reference and fraud prevention checks. You can find out more about how we process personal information about individuals with whom you have a financial link in our full privacy notice.

How we use credit reference agencies

In order to process your application we may supply your personal information to credit reference agencies (CRAs) including how you use our products and services and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We may also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time, information on funds going into the account, the balance on the account and, if you borrow, details of your repayments or whether you repay in full and on time.

CRAs will share your information with other organisations, for example other organisations you ask to provide you with products and services. Your data will also be linked to the data of any joint applicants or other financial associates as explained above.

You can find out more about the identities of the CRAs, and the ways in which they use and share personal information, in our full privacy notice.

How we use fraud prevention agencies

The personal information we have collected from you and anyone you have a financial link with may be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in our full privacy notice.

Our full privacy notice

It is important that you understand how the personal information you give us will be used. Therefore, we strongly advise that you read our full privacy notice, which you can find at https://lloydsbankcardnet.com/privacy/ or you can ask us for a copy.

How you can contact us

If you have any questions or require more information about how we use your personal information please contact us using https://lloydsbankcardnet.com/. You can also call us on 01268 567100. If you feel we have not answered your question Lloyds Banking Group has a Group Data Privacy Officer, who you can contact on 01268 567100 and tell us you want to speak to our Data Privacy Officer.

Version Control

This notice was last updated in April 2018.

Sign up

Thank you

Thank you for subscribing to our news alert.