PCI DSS is the set of 12 requirements designed to keep consumers’ payment card data secure from hackers. Who decides the rules, and who has to comply?
Who sets the standard?
Since 2006 the Payment Card Industry Security Standards Council (PCI SSC) has been responsible for the PCI Data Security Standard (PCI DSS). It was founded by five payment card brands, Visa, MasterCard, American Express, JCB International and Discover Financial Services, to harmonise their card data security compliance programmes.
Despite the single standard, retailers still report differences in what is required of them and ongoing difficulties in interpreting it. Many UK retailers are still not compliant.
Which retailers must comply?
All retailers that process, store or transmit payment card data are covered by the standard, although the level of proof of compliance they must provide depends on how many transactions they process and on the systems used to process them.
Even if a retailer uses a third-party service provider to process card payments, the retailer is still responsible for ensuring that the provider is compliant.
How do you prove compliance?
Larger retailers, which need an external audit of their systems and processes, must use a Qualified Security Assessor (QSA), certified by the council. Many retailers begin working with QSAs much earlier than the audit to ensure the systems and measures they are investing in will meet the requirements.
Retailers that do not require an on-site inspection must still complete a self-assessment questionnaire, and for any question they answer “no” to they must give remediation actions and dates. The QSA report or self-assessment questionnaire is normally submitted to the acquiring bank that handles the retailer’s card processing.
Retailers must also have quarterly network and system scans, carried out by an Approved Scanning Vendor (ASV), to show they are secure against external threats.
What if you don’t comply?
Enforcement of compliance is still handled by the individual card brands. Because their contractual relationship is with acquiring banks, the card brands can fine the banks if the banks’ retailer customers are not compliant with the standard.
It is then up to each acquiring bank to decide how and when it will pass on these fines to individual retailers.
Fines are not published in Europe, but in the US Visa said it is levying fines of $25,000 (£16,564) a month to US acquirers for each of their largest retailer customers that were not compliant by the deadline.
Is it as complicated and expensive as it sounds?
Many retailers say it is. And the job is not done once you achieve compliance, as you must then prove you are maintaining it. Even that is no guarantee against data theft.