
PCI DSS

PCI DSS is a set of requirements for payment account data security and is vital if you handle any credit card data within your organization.

Our range of experience, accreditations and client testimonials demonstrate why we stand out from the crowd. LRQA Nettitude is one of the most experienced organizations in the world for PCI compliance consulting, auditing and pragmatic security solutions.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised information security standard designed specifically to apply to organizations that handle credit card data.

  • The PCI DSS was created with one simple goal – to ensure that businesses process credit and debit card payments securely, protecting them and their customers, and reducing the likelihood of card fraud.
  • PCI QSAs (Qualified Security Assessors) are individuals who are certified to assess merchants and service providers against the standard and provide a formal report on compliance (ROC).

Who should comply with PCI DSS?

Any organization that processes card data must comply with PCI DSS. Merchants are usually businesses taking payment for a service they sell, such as a retailer or call center. Depending on how a merchant processes card payments, and how many transactions they process per year, requirements for demonstrating compliance with PCI DSS will vary.

PCI DSS can also apply to organizations that provide services to businesses that handle credit card data, such as data centers and managed service providers. This is true even if the service provider itself does not process card payments or have access to credit card information. As well as supporting their own customers’ PCI DSS compliance, service providers can differentiate themselves from their competition by becoming compliant with PCI DSS.

Why is PCI compliance important?

The United States is responsible for more than a third of the total global losses to payment card fraud, making it the most card fraud-prone country in the world. This is according to a 2020 Nilson Report, one of the most respected sources of news and analysis of the global card and mobile payment industry. It is estimated that the US saw $11 billion worth of losses during that period. Complying with the PCI DSS allows your organization to demonstrate your commitment to maintaining a secure environment to your bank and your customers.

Your organization can reduce the risk of a breach of credit card data by:

  • Implementing PCI DSS controls appropriate to how you store, process, and transmit cardholder data.
  • Engaging a QSA to independently validate your compliance.
  • Maintaining PCI DSS requirements as “business as usual”.

What are the penalties for non-compliance with the PCI DSS?

Any organization that handles credit card data, but fails to comply with PCI DSS is at risk of a number of financial and reputational consequences including:

  • Non-compliance fees – a regular fine from your bank for failing to be compliant.
  • Reputational damage in the event of a breach.
  • Inability to process payments.
  • Fines from your bank in the event of a breach.

To help reduce risk and avoid penalties as a result of a breach or non-compliance, organizations must understand how they store, process, and transmit credit card data, and ensure that all applicable requirements of PCI DSS are in place.

PCI DSS requirements

The PCI DSS requirements are divided into 12 sections, each containing a series of specific requirements. In total there are over 300 individual requirements, and depending on how you process card payments, some or all of these will apply to your organization.

Control objectives and their requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

The challenge of PCI DSS compliance

PCI DSS can be seen as complex and overwhelming, and just another compliance regime that must be followed, but that’s not how we view it here at LRQA Nettitude. Many merchants view PCI DSS compliance as burdensome and convoluted and struggle to interpret the 300+ requirements and understand how they must be implemented. The world of PCI DSS is full of acronyms, opinions, and myths – and getting a straight answer to a simple question often feels like an uphill struggle.

The solution

LRQA Nettitude is not just your QSA; we are your PCI DSS partner. We go beyond simply auditing your organization. This means an LRQA Nettitude consultant will work with you to understand your organization, focusing on why you take payments in the first place, and ensuring your PCI DSS strategy supports your organization.

We’ll take you on a journey to become compliant and can support you at every step along the way, starting with a gap analysis to understand your current position and scope. We have more than 10 years’ experience in helping our customers reduce their PCI DSS scope and simplify what remains, and because we do not take a ‘tick box’ approach to compliance, we’ll help find the right solution for your organization.

Becoming PCI DSS compliant: what, how, when?

The ultimate aim is, of course, to become compliant, and be able to report your compliance status, but how? It’s easiest to think about the how and the what as two independent factors. Requirements for demonstrating compliance with PCI DSS vary depending on how you process card payments, and how many transactions are processed per year. Your transaction volume determines how you report your status, and the methods used for processing payments define what you need to comply with in the first place.

What: The PCI DSS has 300+ requirements, but the good news is that they might not all apply to your organization. In fact, part of the scope reduction process that LRQA Nettitude can take you through is to try and minimize the number of requirements that are applicable to you. An LRQA Nettitude QSA will help you to determine what your scope is, and which requirements are applicable – we’re even happy to help you discuss this with your acquiring bank.

How: There are three main ways of demonstrating your compliance with PCI DSS.

Option 1: On-site assessment and report on compliance (ROC)
  What you get
  • On-site QSA assessment
  • Detailed report on compliance
  • Attestation of compliance
  Why this approach?
  • Mandated by your bank if processing >6 million transactions
  • Experienced a breach
  • Requested by bank
  • Service provider demonstrating compliance to their clients
  • High level of independent assurance

Option 2: Validated self-assessment
  What you get
  • On-site QSA review
  • Self-assessment questionnaire (SAQ) and attestation of compliance counter-signed by a QSA
  Why this approach?
  • Full assessment not mandated by a bank if processing <6 million transactions
  • Moderate level of independent assurance

Option 3: Self-assessment
  What you get
  • No QSA sign-off
  • Organization completes self-assessment questionnaire (SAQ) and attestation of compliance
  Why this approach?
  • Low transaction volume
  • No independent assurance

The table above provides a brief overview of how an organization can demonstrate their compliance with PCI DSS. Your QSA can help you to determine what your mandated reporting requirements are, but it is important to note that any organization can opt to complete an on-site assessment regardless of their transaction volume.

When: Compliance with PCI DSS is not a new requirement, and so if your organization processes credit card transactions then you need to be compliant right now. In reality, the push for achieving compliance is often triggered by a request from an acquiring bank (for a merchant), or a customer (for a service provider). Banks will often set deadlines, which you should discuss with your QSA during the gap analysis process.

When a ROC or SAQ is completed, whether by a QSA or as a self-assessment, it is valid for one year. The assessment must be repeated before the expiry date to ensure there’s no lapse in compliance. Maintaining compliance between the two assessments is crucial, and LRQA Nettitude offers a business-as-usual support package to assist with this. If a significant change occurs at any point between assessments, it may also be necessary to assess immediately, even if the full year has not passed. Again, an LRQA Nettitude QSA can help you determine if a change is likely to require this.

Why choose LRQA Nettitude as your PCI DSS compliance partner?

LRQA Nettitude has been a registered QSA company for over 10 years. Our QSAs (Qualified Security Assessors – responsible for assessing your compliance) have extensive experience working with clients across many sectors, from retail to construction, and from finance to transportation. Our team of QSAs are so much more than just auditors and provide consultancy to our customers across a number of disciplines including PCI DSS.

We have a rich technical background, and so can help your organization bridge the gap between technology, business, and compliance. We have a reputation with our clients for taking a pragmatic and realistic approach to PCI DSS, and our history of delivering PCI DSS assessments for some of the UK’s largest retailers and service providers means we have likely faced many of the challenges your organization must overcome before.

Our team of QSAs can help you with every step of the journey, including:

  • Conducting a PCI DSS gap analysis
  • PCI DSS workshops and support
  • Reviewing and creating PCI DSS policies and procedures
  • Completing your PCI DSS ASV services
  • Conducting PCI DSS assessments/audits
  • Helping support your ongoing PCI DSS maintenance

Already compliant with PCI DSS?

If your organization is, or has previously been, compliant with PCI DSS then we can still help you. As well as helping our clients achieve their initial compliance, we offer ongoing business-as-usual support. Organizations invest significant time, effort, and money into achieving compliance, and maintaining a close relationship with a QSA partner helps to protect that investment.

If you are considering partnering with a new QSA company for your next assessment, get in touch, and one of our team can talk in more detail about how we can help.
