PCI DSS compliance explained

Posted by Chris Scott

Most organisations are aware of the importance of the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements introduced by the major card brands in the early 2000s to reduce payment card fraud. What is often less clear is exactly what the standard requires and what organisations need to consider in order to meet it, a gap illustrated by the fall in PCI DSS compliance over the last twelve months reported in Verizon research.

What is PCI DSS?

The mistake some organisations make is to treat PCI DSS as a tick-box exercise rather than as an ongoing process of continual improvement. Becoming compliant and staying compliant both require careful, sustained attention. Failure to do so can result in hefty fines (typically levied by the card brands through your acquiring bank) as well as reputational damage.

Being compliant with PCI DSS means that the people, processes and technologies in your organisation that touch cardholder data must all be driven by security, so that payment details are handled in a controlled, secure environment.

Does it apply to me?

As PCI DSS is such a far-reaching standard, it can often be difficult for organisations to know whether it applies to them in the first place.

Put simply, PCI DSS applies to any organisation that stores, processes or transmits cardholder data, or whose systems could affect the security of that data. In practice this means merchants, payment processors, payment gateways, ecommerce providers and other service providers. If you accept or handle card payments in any form, PCI DSS applies to you. Note that outsourcing card handling to a third party (for example a hosted payment page) reduces the scope of what you must assess but does not remove your obligations: you remain responsible for confirming that the provider is compliant and for the parts of the process that stay under your control.

It’s also worth noting that PCI DSS is one of several standards maintained by the PCI Security Standards Council, each with its own scope. The three most often confused are:

1. PCI PTS (PIN Transaction Security), which applies to manufacturers of PIN entry devices and other payment terminals
2. PCI PA-DSS (Payment Application Data Security Standard), which applies to vendors of commercial payment applications (PA-DSS has since been retired in favour of the PCI Software Security Framework)
3. PCI DSS, which applies to merchants and service providers and the environments in which they handle cardholder data

Even if PCI DSS doesn’t apply to your organisation specifically, aligning with the standard can still be beneficial: it supports compliance with other regulations, including GDPR, and demonstrates that your business prioritises the security of the data it handles.

What do I need to consider?

PCI DSS is complex. There are many facets of the standard to consider, from the physical security of systems that hold cardholder details to the regular vulnerability scanning and penetration testing needed to ensure that systems remain secure.

It’s also essential that security is prioritised when storing, transmitting or handling cardholder data, and just as vital that everyone in your organisation is on board and understands what PCI DSS is and what is required to remain compliant with the standard.

It’s worth noting that since cardholder data can pass through many hands and systems in the course of a transaction, knowing exactly which people and systems have access to it at any given time, and keeping a record of that access, is essential under PCI DSS.

PCI DSS spans every part of your IT estate that stores, processes or transmits cardholder data, or that is connected to systems that do, both physically and digitally, so there is no one-size-fits-all solution. Achieving compliance may require large-scale changes, and many organisations struggle to manage this in-house.

With so many things to consider, organisations often don’t have the capacity to tackle PCI DSS single-handedly. At The Bunker, our team has a decade of experience in guiding companies to full PCI DSS compliance.

We work closely with organisations to ensure that the process of meeting the standard is simple and straightforward, giving peace of mind and compliance guaranteed.

To find out more about PCI DSS, and the impact of non-compliance, as well as the most common challenges we’ve seen and how we can support your compliance journey – download our whitepaper here.