In 2004, the card schemes including Mastercard and Visa introduced PCI DSS. Everyone who accepts card payments must comply with PCI DSS rules, as they help protect your business and your customers’ sensitive information from cybercrime.
PCI Compliance refers to the data security standards set out by the Payment Card Industry Data Security Standard (PCI DSS). These standards are in place to ensure that your customers’ card data is handled safely and securely and to reduce the chance of it being stolen or misused by fraudsters. PCI DSS is required by the card schemes, who will put your business into one of four levels of risk, based on the number of transactions you process annually.
The four levels of PCI compliance for merchants are based on how many transactions you process and are as follows:
Depending on your level, the way in which you approach PCI compliance can vary.
A network vulnerability scan will check your website and payment processing system for vulnerabilities and for signs of compromise such as malware and viruses. The scan will also inspect every IP address belonging to your website that is reachable from the public internet.
You will need to repeat the scan any time you make a significant change to your network configuration. If you’ve just updated your firewalls, installed new hardware or fixed previously reported vulnerabilities, a new scan is probably in order.
Self-Assessment Questionnaires (SAQs) are validation tools that are intended to assist you in self-evaluating your compliance with the PCI DSS. As an eCommerce merchant, you will need to complete one of the following assessments:
If you are a level 1 merchant, the assessment should consist of an external audit performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). They will perform an evaluation of your business to determine whether the PCI DSS’s requirements are being met.
Your questionnaire will need to be updated on an annual basis, or you will be charged a PCI non-compliance fee.
Under PCI DSS requirements, any company that processes, stores or transmits card information must maintain a secure environment. PCI DSS consists of six main goals, each consisting of a number of requirements.
| Goal | PCI DSS Requirement |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
If a data breach occurs and your business is not PCI compliant, you could be faced with serious fines ranging from £4,000 to £80,000 by your payment provider.
Some payment providers will have tools and processes in place to protect you from non-compliance issues. Pixxles has an in-house Compliance team that will perform a Website Compliance Review to make sure you are compliant with any relevant Card Scheme regulations. We’ll help you fix anything we think might cause problems before you even begin accepting payments with Pixxles. We’ll also check your site regularly afterwards to help keep you off the compliance naughty step.
By making sure you’re compliant, your customer data will be safer, their trust will be intact and you won’t find yourself waking up to any eye-watering fees.