Credit cards have been integral to the rapid growth of the e-commerce space, and the internet in general. It all began in 1994 when Dan Kohn sold a Sting CD to a friend and recorded the first-ever online credit card transaction.
Several years later, toward the latter half of the decade, Larry Page and Sergey Brin used a credit card to fund the launch of Google, and today, these cards account for over 300 million annual transactions in the UK alone.
The Payment Card Industry Security Standards Council (PCI SSC) sits behind every single one of those payments. Created by the major card brands in 2006, this independent body maintains a set of security standards that apply to every organisation that stores, processes or transmits cardholder data, whether the payment is taken online, in store or over the phone.
In the following guide, we’ll discuss security & compliance with regard to the PCI, including:
- What is PCI compliance?
- What are PCI security standards?
- What data is protected by PCI DSS?
- Is PCI part of GDPR?
- What comes under PCI compliance?
Why Understanding PCI DSS can be complex
Before the PCI SSC was formed, each credit card network operated its own standards. The networks are still responsible for enforcement, but the PCI SSC ensures that everyone is reading from the same rule book. This simplifies the process, yet in the eyes of a new e-commerce business, PCI is anything but simple.
The requirements set by this organisation are known as PCI DSS, which stands for Payment Card Industry Data Security Standard. They cover everything from network security controls and malware protection to how cardholder data is stored, displayed and transmitted.
It’s important for all companies that accept payments to understand these requirements and to remain PCI compliant.
One of the easiest ways to do this is to work with PCI compliant payment processing solutions, such as Pixxles.
We meet the strict demands of PCI DSS and use a variety of security protocols to protect payments and safeguard user data. These include fraud prevention tools, a 3D Secure plugin, and fully encrypted payment processing.
Overview of PCI DSS
The goal of the PCI DSS is to protect consumers and create safer transactions. The three main tenets revolve around:
- The proper handling of card data: Cardholder data must be protected with strong cryptography whenever it is transmitted across open, public networks, so that an intercepted copy cannot be misused. In PCI DSS terms, “cardholder data” is the full primary account number (PAN) at minimum, plus the cardholder name, expiry date and service code when they are stored alongside the PAN. Sensitive authentication data (full magnetic-stripe or chip data, the CVV2/CVC2 security code and PIN data) is treated separately and must never be stored after authorisation, even in encrypted form.
- Annual validation: Compliance must be validated every year. Depending on merchant level and how payments are accepted, that means either a Self-Assessment Questionnaire (SAQ) or an on-site assessment by a Qualified Security Assessor producing a Report on Compliance (ROC), in each case accompanied by an Attestation of Compliance (AOC). There is no perpetual certificate: an attestation speaks only for the period it covers, so validation is repeated annually, alongside the quarterly external vulnerability scans required of most merchants.
- Secure data storage: The storage requirements are strict, and which ones apply depends on how your environment is built and which SAQ you complete. Systems that store cardholder data, such as a database, must sit in an internal network zone segregated from the DMZ and other untrusted networks, and the PAN must be rendered unreadable wherever it is stored (truncation, one-way hashing, tokenisation or strong encryption with properly managed keys). Merchants must install and maintain firewalls and restrict access to cardholder data on a need-to-know basis.
Guide to PCI compliance
We’ve discussed the basic rules regarding PCI compliance, but it’s not as simple as using secure servers and limiting access. The 12 requirements provide more detailed instructions on how merchants, developers and service providers (including card processing solutions) can protect their customers.
- Install and maintain a firewall configuration: Document and test every connection into the cardholder data environment, deny all traffic that is not explicitly needed, and review firewall and router rule sets at least every six months so the configuration stays current.
- Do not use vendor-supplied defaults: Change every default password, community string and account before a system goes into the environment, remove or disable unnecessary services, and harden systems against known weaknesses.
- Protect stored cardholder data: Define what you keep and for how long, purge data past its retention period, mask the PAN when it is displayed (no more than the first six and last four digits), render it unreadable wherever it is stored, and never store sensitive authentication data after authorisation.
- Encrypt transmission across open, public networks: Use strong cryptography (for example, current TLS) for cardholder data in transit, and never send an unprotected PAN by end-user messaging such as email, instant messaging, SMS or chat.
- Protect systems against malware: Deploy anti-malware software on all systems commonly affected by it, keep it current and running, and make sure it generates audit logs.
- Develop and maintain secure systems and applications: Install critical security patches within one month of release, follow secure coding practices, and review custom code for vulnerabilities before it goes live.
- Restrict access by business need to know: Define roles, grant each role the least privilege it needs, and default to deny-all so that only those who need cardholder data can reach it.
- Identify and authenticate access: Give every user a unique ID (no shared or generic accounts), so actions can be traced to an individual, and require multi-factor authentication for all non-console administrative access to the cardholder data environment and for all remote access into it.
- Restrict physical access: Control and log entry to areas where cardholder data is handled, distinguish visitors from personnel, and secure and track media that holds cardholder data.
- Track and monitor all access: Log every access to network resources and cardholder data with the user ID, timestamp and outcome, review logs daily, protect them from tampering, and retain them for at least one year with three months immediately available for analysis.
- Test security systems and processes regularly: Run internal and external vulnerability scans at least quarterly and after significant changes (external scans by an Approved Scanning Vendor), perform penetration testing at least annually, and use intrusion detection and file-integrity monitoring to spot changes you did not make.
- Maintain an information security policy: Publish, and review at least annually, a policy that covers acceptable use of technologies, roles and responsibilities, an annual risk assessment, and an incident response plan.
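As a worked illustration of the storage and logging requirements above (masking the PAN and keeping sensitive authentication data out of stored logs), here is a small log scanner that finds likely card numbers, validates them with the Luhn check and rewrites them to the first-six/last-four form, while redacting security codes outright. It is an added example written for this guide, not Pixxles code and not anything published by the PCI SSC; the log format, the `pan=` and `cvv=` field names and the detection heuristic (13 to 19 digits that pass Luhn) are assumptions, and the sample lines are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits. This is the example's
# own heuristic (an assumption), not a pattern supplied by the PCI SSC.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security codes are sensitive authentication data and must never be stored
# after authorisation, so they are redacted outright rather than masked.
# The key=value form is an assumed log format.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)=\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS allows on display."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, list_of_pans_found) for one log line."""
    found = []

    def replace_pan(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits)
            return mask_pan(digits)
        return match.group(0)   # fails Luhn: order ID, trace ID etc., leave as is

    redacted = PAN_RE.sub(replace_pan, line)
    redacted = SAD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", redacted)
    return redacted, found


def scan_log(lines):
    """Scan log lines; return a list of (line_number, pan_count, redacted_line)."""
    results = []
    for n, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        results.append((n, len(found), redacted))
    return results


# Constructed sample log lines (not from any real system). The card numbers
# are the widely published test numbers 4111 1111 1111 1111 and 5555555555554444.
SAMPLE_LOG = [
    "2021-06-01T10:00:00Z INFO order=1234567890123 status=paid",
    "2021-06-01T10:00:01Z DEBUG auth request pan=4111 1111 1111 1111 exp=12/25",
    "2021-06-01T10:00:02Z DEBUG retry pan=5555555555554444 cvv=123",
    "2021-06-01T10:00:03Z INFO trace id=4111111111111112",
]

if __name__ == "__main__":
    for n, count, line in scan_log(SAMPLE_LOG):
        flag = f"  <-- {count} PAN(s) masked" if count else ""
        print(f"{n}: {line}{flag}")
```

Two caveats a practitioner would want: the Luhn check removes most numeric noise (the 13-digit order ID and the typo’d number above are left alone), but roughly one in ten random digit strings of the right length will still pass it, so a hit should be reviewed rather than treated as proof of a leak; and finding a PAN in a stored log at all means the system that wrote it is in scope, so the fix is to stop logging the field, not only to scrub the archive.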
How can Pixxles help?
The easiest way for an e-commerce company to remain PCI compliant is to work with a payment processing solution that handles the cardholder data for you. Keeping card numbers off your own systems shrinks the part of your environment that is in scope and lets you validate with the simplest questionnaire, although the merchant remains responsible for that annual validation and for keeping its own website and staff out of the data path.
That’s where we come in.
Pixxles is a dedicated and direct payment processing solution that is authorised by the Financial Conduct Authority (FCA). We provide a secure, fast, and manageable solution for businesses of all sizes and offer complete transparency and outstanding value (check our payment processing pricing page to learn more).
Our in-house compliance team will perform a compliance review to ensure you meet card scheme rules while our risk management team provides real-time transaction monitoring to reduce the risk of fraud and mitigate chargebacks.
Not only are we experts in security and compliance, but our features and services can also drive your business growth. You can accept over 100 currencies, use our Virtual Terminal to receive phone and mail orders, take advantage of advanced invoicing options, and benefit from easy integration across a variety of platforms.
Your business and customers are always in safe hands with Pixxles. See our Why Pixxles guide to learn more.
PCI DSS FAQs
What data must be protected according to PCI DSS?
PCI DSS protects cardholder data: the full primary account number (PAN) at minimum, and, where they are stored together with the PAN, the cardholder name, expiration date and service code. It also prohibits storing sensitive authentication data (full track or chip data, the CVV2/CVC2 code and PIN data) after a transaction has been authorised.
Is PCI part of GDPR?
GDPR is not the same as PCI. The former is a data protection law (the EU regulation, retained in the UK as the UK GDPR) that governs all personal data, including contact details. The latter is an industry security standard, enforced through the card brands and acquirers rather than by a regulator, that applies specifically to cardholder data. A modern e-commerce business should operate with both PCI DSS and GDPR in mind.
What comes under PCI compliance?
PCI compliance covers the technical and operational requirements for securely storing, processing and transmitting cardholder data for both credit and debit cards, together with the annual validation that shows those requirements are being met.
When was PCI DSS introduced?
PCI DSS 1.0 was released in December 2004 as a combined effort from the organisation’s founding members—Discover Financial Services, Visa, Mastercard, JCB International, and American Express. It was greatly improved in 2006 with the release of version 1.1 and the creation of the PCI SSC, a group tasked with overseeing the regulations.
Does PCI DSS change?
Yes. PCI DSS is revised periodically to keep pace with the changing threat landscape. For instance, version 3.2 (April 2016) made multi-factor authentication mandatory for all non-console administrative access to the cardholder data environment, extending an earlier requirement that covered only remote access; version 3.2.1 (May 2018) was a minor clarifying revision to that standard. Version 4.0 followed in March 2022, so an organisation validating today should check which version its assessment is being measured against.