With the PCI DSS community meetings just around the corner (6th October 2014), it feels like a good time to run over some of the top tips and misconceptions about this often misunderstood standard.
Do I need to be PCI Compliant?
The first question seems an obvious one, and to some maybe it is. For those who aren't sure, there is a hard and fast rule to this one: if you signed up for a merchant ID number with one of the many banks or merchant ID services out there, then yes, you do need to be PCI compliant. The PCI Standards Council’s official word on this is as follows:
“All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.”
Is the PCI compliance a legal necessity?
The answer to this is, surprisingly, no. There is a common misconception that PCI DSS is a legal requirement, whereas in reality it is a contractual standard that is applied and enforced around the globe.
However, there is a caveat here: it's worth remembering that with cardholder data, personal information is often in tow. This combination of the two data types can quickly make a simple card transaction fall not only under the contractual standard of PCI but also under the legal requirements of data protection legislation such as the Data Protection Act that is followed in many countries – including the UK.
Can I self-assess or do I need an Audit?
This depends on both the number of card transactions you are processing per year and also which cards are being processed, as each card brand has its own requirements. Note that it doesn’t depend on the individual or total value of the transactions.
Visa is the most commonly used card in the UK, so we’ll use them as an example: Visa states on its website that only Level 1 Merchants need to have an annual audit, while the other levels can complete and return the SAQ relevant to their company. To be a Level 1 Merchant, you need to perform over 6,000,000 transactions per year.
More information can be found directly from Visa.
Which SAQ (Self-Assessment Questionnaire) do I need to complete?
Where to start? The SAQ process differs depending on the type of company you are and on how you are transmitting, storing or processing cardholder information. With so many possible options, the best idea is to head over to the PCI Standards Council website. Their most recent document, “Understanding the SAQs for PCI DSS V3.0”, contains everything you need to know and will outline exactly which SAQ you need to fill in.
As a quick word of advice here: it is of utmost importance that this form is filled in to the very best of your knowledge and only with factual information. If you are not sure about the answer to a question, you can normally get advice from the company that supplied you with your merchant ID, or from a company that specialises in PCI compliance.
So once I have my PCI compliance signed off, that’s it, right?
Many companies see PCI as an annual box-ticking exercise that they have to go through once a year in order to maintain their level of compliance. This is something of a false economy: it makes re-certification harder and increases the risk of a data breach. True compliance comes as a way of thinking; a best-practice exercise to be undertaken daily by all members of a company, not just those who come into contact with cardholder information.
PCI compliance is an ongoing, auditable trail that runs throughout the year and is designed so that auditors can make sure a company is managing all possible risks when it comes to storing, transmitting and processing cardholder information.
Because of this, it is important that those within the company tasked with managing its compliance are always vigilant when it comes to security, rather than only reacting if and when a breach does occur.
Hopefully the above information has helped you take the first steps towards PCI compliance. As with every compliance model, it is constantly changing and evolving, so the best bet is to keep yourself up to date with the latest news and guidelines over at https://www.pcisecuritystandards.org.
If you would like to talk it through with someone, send us an email at email@example.com or call us on 01438 532 300 and we will do our best to help you reach compliance.