If your large, medium, or small business processes, stores, or transmits customer payments or payment data, you need to be compliant with the PCI SSC Data Security Standard. This is everything you need to know about the requirements, why they’re important, and how you can get started.
What’s the Data Security Standard?
The DSS, published by the PCI Security Standards Council (PCI SSC), helps to keep people’s payment data safe by providing organisations and businesses with a set of guidelines and requirements. The latest version, 4.0, was published in March 2022 and addresses all kinds of emerging threats to people’s financial data and information.
According to the PCI SSC, the latest DSS has been developed in response to 6,000 items of feedback received from industry members and stakeholders representing over 200 companies and organisations.
What’s the PCI Security Standards Council (PCI SSC)?
The PCI SSC is a global payment security forum made up of stakeholders from the technology and financial sectors, including representatives from American Express, Google, Barclays, and Mastercard. Their mission is to ‘enhance global payment account data security’. In other words, to improve security and standards, increase organisations’ knowledge, and keep online payments secure.
Why your organisation needs the Data Security Standard
In the simplest terms, your organisation or business needs to be DSS compliant if it processes people’s payment data, because security threats are constantly evolving. Fraud is increasingly insidious and innovative, meaning any business that transmits, stores, or processes payment data needs to have all the necessary layers of protection. The DSS is updated regularly to make sure organisations like yours are informed and constantly adapting to new and emerging threats.
A huge range of businesses, organisations, and even government departments have lost data in recent years, including British Airways, the Department of Social Services, Ticketmaster UK, and OnePlus. The consequences can be significant, exposing thousands – sometimes millions – of people’s private payment and online account data to fraudsters online.
The DSS is a baseline, meaning it’s the minimum your organisation is required to do. Any more protection is a bonus and can only keep you and your customers more secure.
What kind of businesses need to be compliant?
Any business that processes, stores, or transmits cardholder information is required to be PCI DSS compliant. This can include:
- E-commerce sites
- Physical shops and merchants
- Service providers
- Online subscription services.
Do small bricks-and-mortar businesses need to be compliant too?
Both physical businesses and online businesses need to be compliant, whatever their size. Smaller businesses are often the most likely target of card payment fraud and data breaches, so it’s especially important that even the smallest organisations protect themselves and their customers. Big businesses store significantly more information, however, so they’re required to have an even tougher layer of security.
Your business will be categorised under one of four levels:
| Level | Number of annual transactions |
| --- | --- |
| Level 1 | 6 million+ Visa transactions |
| Level 2 | 1 million – 6 million Visa transactions |
| Level 3 | 20,000 – 1 million Visa ecommerce transactions |
| Level 4 | Less than 20,000 Visa ecommerce transactions and/or up to 1 million Visa transactions |
Does it matter how my business processes payments?
Your compliance requirements could vary depending on how you process payment data. POS systems, ecommerce, online transactions, mail order, and phone transactions all have different levels of risk and use different processes and software. If you use a combination of these, your needs could be even more specific.
What are the risks of non-compliance?
Compliance isn’t a legal requirement, but it is written into your organisation’s contract with your bank or card issuer, and the PCI Security Standards Council is made up of various stakeholders, including the five biggest card issuers. If your business doesn’t demonstrate compliance, it could be fined every month until it does, and lose the ability to process card payments. Loss of data due to poor security and compliance can also result in a fine from the ICO, the UK’s independent body for upholding information rights.
As well as fines, non-compliant businesses can face legal action and liability if their lack of security is responsible for allowing a data breach. Keeping compliant can preserve and save your reputation, as well as a lot of time and money.
What happens if a business has already had a data security breach?
Breaches are common. If your business or organisation has previously experienced a security breach or data loss, you might need to meet a higher level of compliance than another business of a similar size.
The compliance basics
Each version of the DSS tightens and adapts the compliance requirements. These are the most common requirements you’ll need to be familiar with to reduce the risk of payment fraud:
| Area | Requirement |
| --- | --- |
| Multi-factor authentication | Required for all access to cardholder data. |
| Passwords | Must change every 12 months and if compromised. Passwords also need to be more complex, with at least 15 characters including numbers and letters, and be compared against a list of ‘bad passwords’. |
| Encryption | No payment data should be left unencrypted. This includes all data transmissions. Encryption keys need to change every 3 or 12 months, depending on your service, or when there’s any change to your processes or environment. |
| Access to data | Staff and third parties should only be able to access what they need to. These access privileges should be reviewed at least every six months, be monitored regularly, and enabled only when they need to be. If a third party ends a contract, or a staff member leaves the organisation, their access should be revoked immediately. Access should also be password protected and unique to individuals, rather than through one sign-in page for everyone. Access logs are also required to keep a record of who has accessed what and when. |
| Firewalls | Includes the blocking of anything that attempts to access personal data to prevent unauthorised access. |
| Anti-virus protection | Every device that stores or simply processes personal account information should have anti-virus software installed and updated regularly. |
| Physical data | Anything handwritten or printed out should be stored digitally and kept in a locked drawer or cabinet. |
| Vulnerabilities | Vulnerability scans should be conducted regularly to test for outdated software, guessable passwords, and simple human error. |
| Record keeping | An inventory of how information enters your business, where it’s stored, and who accesses it is crucial. Software updates and equipment use should also be logged when it’s used to access, transmit, or store payment data. |
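The password, access-review and leaver rules summarised above can be turned into a routine self-check over your own account inventory. The script below is an added example written for this article, not code from the PCI SSC or from the DSS itself; the thresholds (15 characters, 12-month password age, six-month access review) follow the summary above, and the account records and the ‘bad passwords’ list are constructed sample data.

```python
"""Audit a constructed account inventory against the controls summarised above.
Added example: thresholds follow this article's summary, not the DSS text itself.
"""
from datetime import date, timedelta

MIN_LENGTH = 15                       # at least 15 characters
MAX_PASSWORD_AGE = timedelta(days=365)  # change every 12 months
MAX_REVIEW_AGE = timedelta(days=182)    # review access at least every six months
# Constructed denylist standing in for a real 'bad passwords' list.
BAD_PASSWORDS = {"password123456789", "welcome2024welcome", "letmein"}

def check_password(pw: str) -> list[str]:
    """Return the policy rules a candidate password fails (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        failures.append("needs letters and numbers")
    if pw.lower() in BAD_PASSWORDS:
        failures.append("on bad-password list")
    return failures

def audit_account(acct: dict, today: date) -> list[str]:
    """Flag stale passwords, stale access reviews, leavers still enabled, missing MFA."""
    issues = []
    if acct["left_org"] and acct["enabled"]:
        issues.append("leaver still has access")
    if today - acct["password_set"] > MAX_PASSWORD_AGE:
        issues.append("password older than 12 months")
    if today - acct["access_reviewed"] > MAX_REVIEW_AGE:
        issues.append("access not reviewed in six months")
    if not acct["mfa"]:
        issues.append("no MFA on cardholder-data access")
    return issues

# Constructed sample inventory; users and dates are illustrative only.
TODAY = date(2023, 1, 10)
ACCOUNTS = [
    {"user": "alice", "enabled": True, "left_org": False, "mfa": True,
     "password_set": date(2022, 9, 1), "access_reviewed": date(2022, 11, 1)},
    {"user": "bob", "enabled": True, "left_org": True, "mfa": True,
     "password_set": date(2021, 6, 1), "access_reviewed": date(2022, 2, 1)},
]

def run_audit(accounts=ACCOUNTS, today=TODAY) -> dict[str, list[str]]:
    """Map each user to its list of issues; a clean account maps to []."""
    return {a["user"]: audit_account(a, today) for a in accounts}

if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(user, "OK" if not issues else "; ".join(issues))
```

Feed it your real inventory export in place of ACCOUNTS and schedule it alongside the other reminders the article recommends, so a leaver who still has an enabled account or an overdue access review surfaces before an assessor finds it.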
What’s new in the latest version of the Data Security Standard?
The above requirements are always necessary, but v4.0 of the DSS has tightened some measures and made them more specific and customisable. This is what you can expect in the latest update.
Standard security practices you’re already familiar with need to get tougher
The DSS has outlined a need for more multi-factor authentication, stricter password requirements, new requirements for e-commerce sites, and measures to tackle phishing as online fraud becomes more sophisticated.
Your organisation will be empowered to choose its own security tools
One of the newest additions is increased flexibility and freedom. Your organisation will be encouraged to choose or design its own security functions and controls to keep data private, and to work on its own timescale and terms. That means less waiting around for specific security solutions to catch up, and more freedom to choose the tools you want.
The latest version of the DSS recommends your organisation have clearly assigned roles and responsibilities for each requirement, and the ability to report areas for improvement to the PCI SSC. For extra peace of mind, you’ll also be able to access testing documents to verify your security measures are doing what they should be doing and the controls are correct.
Organisations have more specific risk assessment and review guidance
Without risk analysis it’s not clear what kind of threats your organisation could be up against. The new version of the DSS includes risk analysis guidance and templates so your organisation is empowered to conduct its own. The DSS suggests running a risk analysis at least every year or sooner if you make some significant changes.
Your business has two years to put DSS v4.0 into action
You don’t have to get familiar with all of this immediately. The PCI SSC gives organisations two years after publication to become compliant and make any necessary changes to their payment environment and data processing.
v3.2.1 will be retired in Q2 2023
The DSS v4.0 was published in March 2022, which means the requirements outlined in it become effective from 31 March 2025.
The previous version and its requirements will be officially retired in the second quarter of 2023.
Training and important documents are available now
Final versions of the documents you need were published in late 2021, so the transition period from v3.2.1 to v4.0 has started.
Your organisation can access everything it needs in the PCI SSC Resource Hub.
Why your business or organisation needs to be DSS v4.0 compliant
Customers don’t trust businesses that don’t look after their data.
Personal data is valuable so it’s ripe for theft. It can be purchased on the dark web and used for all kinds of fraudulent purposes, or used to imitate the real owner of the data and make false payments.
Understandably, your customers and service users don’t want this to happen to their personal information and don’t remain loyal to businesses that are negligent with their data security measures.
Larger businesses can often weather the storm of a data loss and use their big PR budgets to fight the bad press, but smaller businesses don’t have this spending power and are less likely to recover their reputation after a data breach.
Data breaches have significant consequences for your business
Recovering your reputation isn’t the only battle you’ll have on your hands. A data breach can result in fines, legal liability, losing valuable data that’s essential to the everyday running of your business, and damaging relationships with suppliers and third parties, including card companies that have the power to revoke your ability to take payments.
If your digital environment is open to fraudsters and data thieves – just one out-of-date firewall can be enough – you could find other areas of your business are compromised too, such as your website domain, servers, and social media accounts. Losing access and control to these crucial locations can be devastating for a business of any size.
Once you achieve compliance it’s easier to stay compliant
Putting good practices into place can take some time – which is why the PCI SSC gives organisations two years to do it – but it’s relatively simple to keep up to date once it’s all implemented.
For example, having regular reminders in place to automatically demand password changes, keep firewalls up to date, and check third parties still need access, will make compliance as routine as updating stock, uploading content to your website, and posting job adverts.
Ready to get PCI DSS compliant? This is where to start
Small businesses (Compliance Level 4)
Your organisation needs to fill in the most relevant PCI DSS Self-Assessment Questionnaire, depending on whether you operate an ecommerce site, take payments in person, accept phone and online orders, or a combination. This will allow you to verify how compliant you are right now and what kind of security measures you’re currently missing. The PCI SSC has a range of guidance and advice to follow to help fix anything on your questionnaire that needs some work.
Larger businesses (Compliance Levels 3+)
Larger organisations often need a qualified PCI firm or internal advisor to help them through the compliance process, because their payment environment is more complex and they’re processing more people’s data. There’s a database of Qualified Security Assessors on the PCI SSC website.
It pays to be DSS compliant, whatever your business’s size or remit. You process, store, and transmit customer card data on a daily basis, and this data is valuable. It’s essential to look after it for the sake of your customers’ online safety, your reputation, and your bottom line.