What Does it Mean to be PCI Compliant?

The payment card industry data security standard, or PCI DSS, is 20 years old in December of this year. Over the last two decades, it’s amazing – although not entirely surprising – how many urban myths, legends, and misunderstandings have grown up around the standard and around what it means to be PCI compliant.

We go back to basics to look at two key questions:

• Who must comply with PCI DSS?

• How can you keep your customers’ data and business safe?

Who Must Comply with PCI DSS? 

PCI DSS is a global standard that applies to any business of any size that stores, processes, or transmits cardholder data.

That’s a short sentence with a long list of implications. Let’s unpack them.

The standard is global so it applies to businesses wherever in the world they’re based.

And that’s any business. It doesn’t matter what you sell – products or services – or your industry sector. Aviation, construction, entertainment, financial services, healthcare, hospitality, retail and so on. They’re all within the scope of PCI DSS. 

Don’t get hung up on the word ‘business’ either. PCI applies even if you’re not engaged in commercial business, such as a non-profit organization, charity, educational institution, or government agency.

There are also a whole range of businesses behind the scenes, that may also store, process or transmit cardholder data. They’re in scope, too. 

That’s service providers, third-party organizations that handle payment card data on behalf of merchants or other service providers. Or financial institutions like banks, credit card companies, and other financial institutions involved in the payment card ecosystem.

Size doesn’t matter. PCI DSS still applies, irrespective of sales, turnover, number of employees or any other metric used to measure business size. And whether you accept one or one million card payments annually. 

What you do to validate your compliance may differ depending on how many card transactions you process a year. But small businesses are not out of the scope of PCI DSS just because they’re small.

You just have to accept cards to be in scope. That’s in physical stores, online through a website or mobile app, mail order, telephone order – however you trade.

When it comes to “cardholder data”, it’s the data that’s significant. And the fact that you’re storing, processing, or transmitting it, rather than the nature of your customers or cardholders. They could be consumers, other businesses, large corporations, multinationals, or even government departments.

Your customers could be using a Visa card, Mastercard, Amex card, or JCB card. This could be a credit, debit, prepaid, or commercial card. It could exist as a physical plastic card or a digital version on a mobile device – any type of payment card. All the major card brands are signed up to PCI DSS. And if you accept those cards, PCI DSS applies to your business.

Your customers cannot consent to you storing, processing, or transmitting their card data. Or indemnify you for its loss, theft, and so on. Adherence to PCI DSS requirements is a contractual matter between your business and the organization that provides your card acceptance facility.

How Can You Keep Your Customers’ Data and Business Safe?

The first step in keeping your customers’ data safe is understanding the threats out there. The four most common ones are:

• Web app attacks – hackers exploit holes in your website to harvest personal and sensitive data, including cardholder data.

• Malware – malicious software that criminals use to gain control of computers to access and steal data.

• Skimming – copying card data to make counterfeit cards to steal money or buy things to sell for profit.

• Unauthorized access – sneaking into computers or card terminals to steal card data.

Next, put in place controls that can protect your customers’ data and business against these threats. Here are some examples:

• Firewalls – install and maintain software that controls data flow in and out of your network and computers.

• Passwords – a string of characters that allows access to a computer system or service. Don’t use vendor-supplied default passwords or those that are easy to guess.

• Logins – username and/or password for gaining access to a computer, database, or system. Assign a unique ID to each person with computer access.

• Encryption – software that protects data by making it unreadable. Encrypt cardholder data across open, public networks at a minimum.

• Tokenization – swapping sensitive data for a token that stands for this in various business processes to protect data when it is being processed, transmitted, or stored.

• Anti-virus – designed to detect and destroy computer viruses. Use and regularly update anti-virus software.

• Patches – software updates that fix mistakes in coding to help develop and maintain secure systems and applications. Used only tested products and suppliers.

• Data fencing – restricts access to data to people who don’t need to know it and systems that don’t need to connect to it.

• Secure card machines – fix or attach physical card terminals to prevent them from being taken away or lost. Deploy remote monitoring to send alerts if terminals are unplugged or tampered with.

• Access tracking – tracks and monitors all access to network resources and cardholder data.

• Policies – A written-down course of action or set of principles that your organization stands behind. Write and maintain a data security policy for all staff.

• Testing – test all the above regularly, make improvements, monitor, and test again in a continuous cycle.
  

  
  

These examples are based on the twelve PCI DSS requirements against which business must validate their compliance. This helps protect not only your customers’ data but also your business, your reputation, your ability to trade and keep trading, and, ultimately, your bottom line. This is what it means to be PCI DSS compliant.