PCI DSS: What Is It, and How Do You Comply?
- Posted by Rose Wilson
- Categories Information Security, PCI DSS
- Date 22/11/2023
The Payment Card Industry Data Security Standard (PCI DSS), sometimes shortened to PCI, is an international security standard made up of a set of controls. These controls must be applied to technologies, security policies, and ongoing processes to protect payment systems and payment cardholder data from breaches and theft.
The Standard was developed by MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB, the founding payment card brands of the PCI Security Standards Council (PCI SSC). Along with their strategic member brand UnionPay, these founding brands continue to revise and maintain the Standard, releasing updates every few years. The current version, PCI DSS v4.0, was published in March 2022; the previous version, v3.2.1, is retired on 31 March 2024, so organisations assessing after that date must assess against v4.0.
The PCI DSS is prescriptive rather than risk-based like ISO 27001. Every requirement that is in scope for your organisation is compulsory and must be implemented to achieve PCI compliance; v4.0 adds a "customised approach" that lets you meet a requirement's stated objective with a different control, but it does not make any requirement optional. Two separate factors determine your obligations: how you accept and handle card payments (your payment channels) determines which requirements apply to you, and how many card transactions your organisation processes per year determines your merchant level with each card brand, and therefore whether you validate compliance by self-assessment questionnaire or by a third-party audit.
Any debit, credit, or pre-paid cards branded with any of the 6 participating brands' logos are in scope of PCI DSS. Therefore, if your organisation processes, stores or transmits cardholder data from any of these brands, or could impact the security of this data, the PCI DSS will apply to you. Even if your payment card handling has been outsourced, the Standard still applies: you remain responsible for ensuring that your third-party service providers are compliant with PCI DSS, which in practice means keeping a list of those providers, agreeing in writing which PCI DSS requirements each party is responsible for, and confirming each provider's compliance status at least annually.
Failing to comply with the Standard can lead to a range of penalties being imposed by the card brands through your acquiring bank, including monthly fines until compliance requirements are met, increased payment card transaction fees and, in the most serious cases, losing the capability to accept payments via payment cards. Data breaches will also usually result in significant reputational damage to the affected organisation and a loss of goodwill among consumers. Depending on the type of data that has been compromised (e.g. if it contains personal data such as cardholder names and addresses), the organisation may also be in breach of the General Data Protection Regulation (GDPR) and subsequently investigated and fined by the UK data protection regulator, the Information Commissioner's Office (ICO).
So, where does your PCI compliance journey start?
How do you achieve PCI compliance?
The first thing you will need to understand to become PCI compliant is your flow of payment card data, or how card data moves through your organisation. This includes an understanding of where it enters your organisation, who it is shared with, the systems it touches, where and in what form it is stored (including unintended copies in logs, backups, exports and email), and who can access it.
To determine your scope, you will need to consider every payment channel you use and establish the payment flow for each, with the aim of keeping the scope as contained as possible. Network segmentation is the usual way to shrink scope, but it is not itself a requirement, and any system you treat as out of scope must be shown to be genuinely isolated from the cardholder data environment. You will also need to establish the annual number of card transactions your organisation takes, as this sets your merchant level with each card brand and so determines whether your compliance can be validated by completing a self-assessment questionnaire (SAQ) or whether you must be assessed externally by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). Which SAQ you complete, and therefore which requirements you must answer, is driven by your payment channels rather than by volume: a merchant that fully redirects card entry to a validated third party answers far fewer requirements than one that stores primary account numbers (PANs) in its own systems.
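Finding where card data is actually stored is the part of the scoping exercise that most often surprises organisations, because PANs leak into places nobody designed for them (application logs, database exports, support tickets). The script below is an added example, written for this page and not part of the original post or of any PCI SSC tooling. It scans text for candidate PANs, discards digit runs that fail the Luhn check, identifies the brand from a deliberately simplified set of public leading-digit (IIN) prefixes for the six PCI SSC brands (an assumption: real IIN tables are larger and change over time), and reports only a masked PAN, so the scan itself never writes full card numbers into its findings. The log lines it runs against are constructed sample input using the brands' published test card numbers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified, illustrative IIN prefixes and lengths for the six brands.
# Assumption for this example only; consult the brands' current ranges
# before relying on brand identification in a real discovery scan.
BRAND_PREFIXES = [
    ("American Express", ("34", "37"), (15,)),
    ("JCB", tuple(str(p) for p in range(3528, 3590)), (16, 17, 18, 19)),
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard",
     tuple(str(p) for p in range(51, 56)) + tuple(str(p) for p in range(2221, 2721)),
     (16,)),
    ("Discover", ("6011", "644", "645", "646", "647", "648", "649", "65"), (16, 17, 18, 19)),
    ("UnionPay", ("62",), (16, 17, 18, 19)),
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every PAN issued by the major brands passes it,
    which filters out most order numbers, timestamps and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_brand(digits: str) -> Optional[str]:
    """Return the brand name for a Luhn-valid digit string, or None if it
    matches none of the six in-scope brands' (simplified) prefixes."""
    for brand, prefixes, lengths in BRAND_PREFIXES:
        if len(digits) in lengths and digits.startswith(prefixes):
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS
    permits for display; findings must never contain the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    brand: str
    masked_pan: str


def find_pans(text: str) -> List[Finding]:
    """Scan text line by line and return masked findings for every
    Luhn-valid, brand-matching PAN candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue  # order number, ID, etc.: not a PAN
            brand = identify_brand(digits)
            if brand is None:
                continue  # Luhn-valid but not one of the six brands
            findings.append(Finding(line_no, brand, mask_pan(digits)))
    return findings


# Constructed sample log: line 1 carries a 16-digit order ID that fails Luhn,
# line 3 a phone number too short to qualify, and lines 2, 4 and 5 the
# brands' published test PANs (Visa, American Express, Mastercard).
SAMPLE_LOG = """\
2023-11-22T10:01:07Z INFO order=ORD-1234567890123456 status=paid
2023-11-22T10:01:08Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/25
2023-11-22T10:02:15Z DEBUG customer phone=+44 7700 900123
2023-11-22T10:03:40Z DEBUG legacy export pan=378282246310005
2023-11-22T10:03:41Z DEBUG legacy export pan=5555555555554444
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked_pan}")
```

A hit from a scan like this is a candidate, not a verdict: it tells you which file, table or log to inspect and whose process put the data there, and any system confirmed to hold PAN is in scope until the data is removed and the source fixed.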
Once you have a thorough understanding of the flow of payment card data within your organisation, your scope, the controls you must implement and the way you will be assessed, we recommend you conduct a gap analysis to help you ascertain where you’re already compliant and where there is room for improvement. Many organisations benefit significantly from enlisting the help of a consultant at this stage, as their understanding of PCI DSS and experience in helping organisations meet its requirements allows them to easily identify any areas of nonconformity and how to correct them. We at URM can provide trustworthy consultancy, bolstered by years of experience helping organisations achieve and maintain PCI compliance.
When you have implemented the necessary remedial actions, you can complete the SAQ or invite the QSA to conduct the on-site assessment and produce the ROC; in either case, the resulting Attestation of Compliance (AOC) is what you submit to your acquirer. It's important to always keep in mind that PCI compliance should not be approached as a one-off project or a box that has been ticked following a successful assessment. Once compliance has been achieved, you need to maintain it. Whether you complete an SAQ or are assessed by an external QSA, validation is an annual process, and several requirements run on shorter cycles, such as quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), so compliance should be integrated into your business-as-usual operations. Meanwhile, the responsibility to your clients who have trusted you to securely process their card data is not constrained to a yearly assessment but is instead continuous and constant. It is therefore vital to the success of any organisation processing payment card transactions to maintain compliance, keep consumer and client confidence and safeguard its reputation.