PCI DSS

PCI DSS is a set of requirements for payment account data security, and is vital if you handle any sort of credit card data within your organisation. It’s important to note that changes have recently been made surrounding PCI DSS, so you should re-evaluate your current processes to ensure you’re still compliant. Our blog below can help you understand more about the changes. If you have any questions or are interested in PCI DSS services then contact us today.

Our range of experience, accreditations and customer testimonials demonstrate why we stand out from the crowd. Nettitude is one of the most experienced organisations in the world for PCI Compliance consulting, auditing and pragmatic security solutions.


WHAT IS PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised information security standard designed specifically to apply to organisations that handle credit card data.

  • The PCI DSS was created with one simple goal – to ensure that businesses are able to process credit and debit card payments securely, protecting businesses and consumers and reducing the likelihood of card fraud.
  • PCI QSAs (Qualified Security Assessors) are individuals that are certified to assess merchants and service providers against the standard, and provide a formal report on compliance (ROC).

WHO SHOULD COMPLY WITH PCI DSS?

Any organisation that processes card data must comply with PCI DSS. Merchants are usually businesses taking payment for a service they sell, such as a retailer or call centre.

Depending on how a merchant processes card payments, and how many transactions they process per year, requirements for demonstrating compliance with PCI DSS will vary.

PCI DSS can also apply to organisations that provide services to businesses that handle credit card data, such as data centres and managed service providers.

This is true even if the service provider itself does not process card payments or have access to credit card information. As well as supporting their own customers’ PCI DSS compliance, service providers can differentiate themselves from their competition by becoming compliant with PCI DSS.

Why is PCI compliance important?

According to UK Finance, an organisation that represents more than 250 firms across the industry, 56% of all financial fraud in 2018 related to payment card fraud, with losses totalling over £670 million in the UK alone. Complying with the PCI DSS allows your organisation to demonstrate your commitment to maintaining a secure environment to your bank and your customers.

Your organisation can reduce the risk of a breach of credit card data by:

  • Implementing PCI DSS controls appropriate to how you store, process, and transmit cardholder data
  • Engaging a QSA to independently validate your compliance
  • Maintaining PCI DSS requirements as “business as usual”

What are the penalties for non-compliance with the PCI DSS?

Any organisation that handles credit card data but fails to comply with PCI DSS is at risk of a number of financial and reputational consequences.

  • Non-compliance fees – a regular fine from your bank for failing to be compliant
  • Reputational damage in the event of a breach
  • Inability to process payments
  • GDPR and DPA related fines in the event of a breach
  • Fines from your bank in the event of a breach

To help reduce risk and avoid penalties as a result of a breach or non-compliance, organisations must understand how they store, process, and transmit credit card data, and ensure that all applicable requirements of PCI DSS are in place.

What are the 12 requirements for PCI DSS?

The PCI DSS is divided into 12 sections, each containing a series of specific requirements. In total there are over 300 individual requirements, and depending on how you process card payments, some or all of these will apply to your organisation.

Control Objectives and Requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

The challenge of PCI DSS compliance

PCI DSS can be seen as complex and overwhelming, and just another compliance regime that must be followed, but that’s not how we view it here at Nettitude. Many merchants view PCI DSS compliance as burdensome and convoluted, and struggle to interpret the 300+ requirements and understand how they must be implemented. The world of PCI DSS is full of acronyms, opinions, and myths – and getting a straight answer to an apparently simple question often feels like an uphill struggle.

The solution

Nettitude don’t just want to be your QSA, we want to be your PCI DSS partner. We take a refreshing approach to PCI DSS compliance, going beyond simply auditing your organisation. We’re consultants, we hate complexity, and we strive to simplify and deliver pragmatic solutions. What does this mean? This means a Nettitude consultant will work with you to understand your organisation, focusing on why you take payments in the first place, and ensuring your PCI DSS strategy is one that supports the business. We’ll take you on a journey to become compliant, and can support you at every step along the way, starting off with a gap analysis to understand your current position and scope. We have more than 10 years’ experience of helping our customers reduce their PCI DSS scope and simplifying what remains, and because we don’t take a yes/no “tick box” approach to compliance, we’ll help find the right solution for your organisation.

Becoming PCI DSS compliant: What, How, When?

The ultimate aim is of course to become compliant, and be able to report your compliance status, but how? It’s easiest to think about the how and the what as two independent factors. Requirements for demonstrating compliance with PCI DSS vary depending on how you process card payments, and how many transactions are processed per year. Your transaction volume determines how you report your status, and the methods used for processing payments define what you need to comply with in the first place.

What: The PCI DSS has 300+ requirements, but the good news is that they might not all apply to your organisation. In fact, part of the scope reduction process that Nettitude can take you through is to try and minimise the number of requirements that are applicable to you. A Nettitude QSA will help you to determine what your scope is, and which requirements are applicable – we’re even happy to help you discuss this with your acquiring bank.

How: There are three main ways of demonstrating your compliance with PCI DSS.

On-site assessment and Report on Compliance (ROC)
  What you get
    • On-site QSA assessment
    • Detailed report on compliance
    • Attestation of compliance
  Why this approach?
    • Mandated by your bank if processing >6 million transactions
    • Experienced a breach
    • Requested by bank
    • Service provider demonstrating compliance to their clients
    • High level of independent assurance

Validated Self-Assessment
  What you get
    • On-site QSA review
    • Self-assessment questionnaire (SAQ) and attestation of compliance counter-signed by a QSA
  Why this approach?
    • Full assessment not mandated by bank if processing <6 million transactions
    • Moderate level of independent assurance

Self-Assessment
  What you get
    • No QSA sign-off
    • Organisation completes self-assessment questionnaire (SAQ) and attestation of compliance
  Why this approach?
    • Low transaction volume
    • No independent assurance

The table above provides a brief overview of how an organisation can demonstrate their compliance with PCI DSS. Your QSA can help you to determine what your mandated reporting requirements are, but it is important to note that any organisation can opt to complete an on-site assessment regardless of their transaction volume.

When: Compliance with PCI DSS is not a new requirement, and so if your organisation processes credit card transactions then you need to be compliant right now. In reality, the push for achieving compliance is often triggered by a request from an acquiring bank (for a merchant), or a customer (for a service provider). Banks will often set deadlines, which you should discuss with your QSA during the gap analysis process.

When a ROC or SAQ is completed, whether by a QSA or by self-assessment, it is valid for one year. The assessment must be repeated before the expiry date to ensure there’s no lapse in compliance. Maintaining compliance between the two assessments is crucial, and Nettitude offer a business as usual support package to assist with this. If a significant change occurs at any point between assessments, it may also be necessary to assess immediately, even if the full year has not passed. Again, a Nettitude QSA can help you determine whether a change is likely to require this.

Why choose Nettitude as your PCI DSS compliance partner

Nettitude has been a registered QSA company for over 10 years. Our QSAs (Qualified Security Assessors – responsible for assessing your compliance) have extensive experience working with clients across many sectors, from retail to construction, and from finance to transportation. Our team of QSAs are so much more than just auditors, and provide consultancy to our customers across a number of disciplines including PCI DSS. We have a rich technical background, and so can help your organisation bridge the gap between technology, business, and compliance. We have a reputation with our clients for taking a pragmatic and realistic approach to PCI DSS, and our history of delivering PCI DSS assessments for some of the UK’s largest retailers and service providers means we have likely already faced many of the challenges your organisation must overcome.

Our team of QSAs can help you with every step of the journey, including:

  • Conducting a PCI DSS Gap Analysis
  • PCI DSS Workshops & Support
  • Reviewing and creating PCI DSS Policies & Procedures
  • Completing your PCI DSS ASV Services
  • Conducting PCI DSS Assessments/Audits
  • Helping support your ongoing PCI DSS Maintenance

Already compliant with PCI DSS?

If your organisation is, or has previously been, compliant with PCI DSS then we can still help you. As well as helping our clients achieve their initial compliance, we offer ongoing business as usual support. Organisations invest significant time, effort, and money into achieving compliance – and maintaining a close relationship with a QSA partner helps to protect that investment.

If you’re thinking about partnering with a new QSA company for your next assessment, get in touch, and one of our team can talk in more detail about how we can help.