PCI DSS Compliance
Payment Card Industry Data Security Standards and how they affect your online business.
Ensure that your new ecommerce website and internal card payment structures and processes are PCI DSS compliant or face fines of over £250,000.
All websites that offer the facility to accept payment via credit and charge cards are required to meet the latest Payment Card Industry and Payment Application Data Security Standards. These standards are requirements detailed in merchant account agreements, and there are no exceptions to the rules.
PCI DSS compliance was introduced in response to the increasing threat of data theft. With millions of customer card records stolen, the card payment industry was forced to take action: to secure customer data and confidence, the card payment companies joined forces to create the PCI DSS standard.
WHAT IS PCI DSS?
Payment Card Industry Data Security Standards (PCI DSS) is a set of 12 comprehensive requirements designed to secure and protect customer payment account data. All online merchants must adhere to these rules, which are under constant review and can change.
The 12 PCI DSS Requirements are:
BUILD AND MAINTAIN A SECURE NETWORK
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PROTECT CARDHOLDER DATA
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
REGULARLY MONITOR AND TEST NETWORKS
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
MAINTAIN AN INFORMATION SECURITY POLICY
Requirement 12: Maintain a policy that addresses information security
WHY DO YOU NEED PCI DSS?
PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically. It also covers manual processing and storage.
Although not a legal requirement, compliance with PCI DSS standards is required by Visa, MasterCard and American Express, as well as by merchant account providers such as Barclaycard, HSBC, RBS WorldPay and Lloyds TSB. These merchant account providers are required to report the compliance status of merchant account holders to Visa, MasterCard and American Express, who enforce hefty fines on merchants found to be non-compliant.
WHAT HAPPENS IF YOU DO NOT COMPLY WITH PCI DSS?
Failure to comply with the PCI DSS standards will result in fines. The schedule below details the fines that will be levied; because they form part of all merchant agreements, they are enforceable by your merchant account provider on behalf of Visa, MasterCard and American Express.
The figures below apply to Level 4 merchants only. If you are a Level 3, 2 or 1 merchant the fines can be higher. For further clarification on fine details, please refer to your merchant account provider.
Non-compliance will result in card scheme fines being passed onto you, monthly non-compliance fines, and/or termination of your card processing facilities. The costs involved after a data security breach can be extremely high.
In the event of a data compromise, MasterCard and Visa rules require that a forensic investigation take place. This can potentially cost you thousands of pounds, with no upper limit. Following the results of the investigation, the card schemes will levy the following fines.
$25 per card that needs re-issuing
$5 for each potential compromised card being monitored
An additional maximum of $100,000 fine per incident
$100,000 for storage of the card security code (CSC), also known as CVC2, CV2 or CVV2.
VISA
Initial Penalty of €10,000
Insufficient remediation €5,000
Monthly violation fee €10,000
Monthly violation fee after 5 months €15,000
The card schemes retain the right to modify these fines and charges at any time. All fines are charged in the stated currency to avoid any conversion discrepancy.
If you do not process payments on your own website but transact them through a third party or Payment Gateway provider, you technically may not need to be PCI DSS compliant, but you would need to be PA DSS compliant. Business Internet Consultant recommends as best practice that you comply with the PCI DSS requirements and, if needed, the PA DSS requirements. Adherence to these security standards will protect you against the potentially unlimited fines that could be imposed upon you should the worst happen. Implementing these measures now is certainly a better solution than trying to defend your business on a technicality later.
DOES YOUR WEBSITE NEED TO BE PCI DSS COMPLIANT?
Under certain circumstances your website may not be required to be PCI DSS compliant. At Business Internet Consultant, we believe that all online businesses should work to best practice and ensure that their websites meet all of the necessary data security standards, even if this is not currently required of them. The Payment Card Industry is constantly reviewing the PCI DSS requirements and raising the minimum level of compliance, so it is always better to be prepared.