PCI DSS’s full name is Payment Card Industry Data Security Standard. It is intended to enhance payment account data security by reducing the risk of loss, theft or misuse of cardholder data.
Who sets the rules?
The Payment Card Industry Security Standards Council was formed in 2006 by the leading global card schemes (Visa Inc, Mastercard Worldwide, American Express, Diners and JCB). It has representation from leading global payment providers (including Barclays, TSYS, Heartland Payment Systems) and merchants (including British Airways, McDonalds, Tesco).
Who does it apply to?
Compliance applies not only to merchants but also to merchant acquirers and processors (e.g. WorldPay, First Data) and issuers (e.g. Barclays, Lloyds). Cardholder data is a tempting target for fraudsters, and there has been a series of recent high-profile security breaches around the world affecting both merchant systems and merchant acquirers’ systems, including WorldPay, Sony and Global Payments.
What’s involved in compliance for merchants?
All card-accepting merchants, irrespective of size, need to be compliant with PCI DSS; however, there are “levels of compliance” depending on merchant size. The larger the merchant, the more complex and onerous the PCI DSS compliance requirements. Most SME merchants are defined as Level 4 merchants, for whom compliance is not onerous: all that is required to certify compliance is submission of an annual self-assessment questionnaire.
PCI levels:
- Level 1 – more than 6 million transactions per year
- Level 2 – 1 million to 6 million transactions per year
- Level 3 – 20,000 to 1 million e-commerce transactions per year
- Level 4 – fewer than 20,000 e-commerce transactions per year, or fewer than 1 million other transactions
The 12 PCI DSS requirements are relatively simple and common sense and, if you are among the majority of merchants who do not store any cardholder data, simple to implement:
Self-Assessment Questionnaires can be completed online and are administered by your supplier for a fee (typically around £30 per year). The product usually also carries some element of insurance should you be unlucky enough to suffer a security breach.
All banks/ISOs have teams dedicated to PCI DSS and other security issues. If you have a specific query or concern, the easiest way is to call your supplier directly. Alternatively, the PCI Council website and quick reference guide are at: