Our range of experience, accreditations and customer testimonials demonstrate why we stand out from the crowd. Nettitude is one of the most experienced organisations in the world for PCI Compliance consulting, auditing and pragmatic security solutions.
PCI DSS is a set of requirements for payment account data security, and it is vital if you handle any sort of payment card data within your organisation. It is important to note that changes have recently been made to PCI DSS, so you should re-evaluate your current processes to ensure you are still compliant. Our blog below can help you understand more about the changes. If you have any questions or are interested in PCI DSS services, contact us today.
PCI DSS v3.2 is changing, are you ready?
Being PCI compliant is an integral part of running a business when you deal, in any way, with payment card information. Here is what you need to know.
WHAT IS PCI DSS?
PCI DSS is a set of comprehensive requirements for enhancing payment account data security. The standard is maintained by the PCI Security Standards Council, which was founded by American Express, Visa, MasterCard, Discover and JCB to facilitate the broad adoption of consistent data security measures on a global basis. The standard covers both credit card and debit card transactions, and it extends across online, bricks-and-mortar retail and call-centre environments.
WHO SHOULD BECOME PCI COMPLIANT?
PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is intended to help organisations proactively protect customer account data. All organisations that store, process or transmit cardholder data are required to comply with PCI DSS. Compliance is mandatory for all of these organisations, irrespective of their size.
The standard is enforced by acquiring banks, and many of these institutions are now proactively contacting their merchant-services account holders to ensure that they have embarked on a PCI DSS compliance programme. Organisations that are not deemed to be working towards compliance can be fined by their acquiring banks. The approach varies from bank to bank, but it frequently takes the form of a fixed fine or a per-transaction surcharge applied until the merchant achieves compliance. Any organisation that suffers a card data breach can additionally be fined by its acquiring bank, at up to £200 per compromised card.
Offending organisations can expect to receive costly fines that are easily avoided by achieving compliance. A global banking giant received a £3 million fine from the FSA in July 2009 for breaches in computer security, and the owner of a well-known retailer that lost 45 million credit card details is expected to see final costs for the breach in excess of £800 million.
PCI Services for Merchants
In Nettitude’s experience it is common for merchants to be contacted by their acquirer and told that they need to achieve PCI DSS compliance. These communications tend to go out to clients that have some form of merchant-services capability, usually through Mail Order/Telephone Order (MOTO) or other card-not-present channels, or through face-to-face card processing.
Merchants are instructed to complete either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), the latter being produced by a Qualified Security Assessor (QSA). Which is required is determined primarily by the number of transactions the organisation processes each year.
The matrix below shows the compliance validation requirements by merchant level. These requirements vary subtly by geography and card brand, but from a high-level perspective the bandings are as follows.
PCI for Service Providers
Service providers are required to comply with PCI DSS if they deliver services to merchants that process, transmit or store payment card data. In Nettitude’s experience it is rare for service providers to be contacted by an acquirer and told to become compliant; instead, the pressure to achieve PCI DSS compliance comes from their own clients.
The matrix below shows the compliance validation requirements by service provider level. These requirements vary subtly by geography and card brand, but from a high-level perspective the bandings are as follows.
Level 2 service providers can choose to validate as Level 1. By validating as Level 1, the service provider is listed on the Visa and MasterCard websites as a PCI DSS compliant service provider. Organisations that validate as Level 2 cannot be listed on either the Visa or MasterCard websites.