If your business takes card payments from customers, you must ensure your procedures comply with Payment Card Industry Data Security Standards (PCI DSS). These rules set the minimum standards for payment data security.
Here’s what you need to understand about the PCI DSS and how to find a payment processor that provides the security your business needs to meet the requirements.
The PCI DSS requirements are a global set of best practices set out by credit card companies to ensure a baseline level of protection for payment cardholders’ data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 by the five major credit card associations (Visa, Mastercard, American Express, Discover Financial Services and JCB) to align their data security standards. Their aim is to make the management of consumers’ card data safer and so reduce the risk of data breaches and fraud.
Vulnerabilities that can compromise customers’ personal data can occur anywhere in the card-processing system, including point-of-sale devices, mobile devices, computers and servers, paper-based record storage and data transmission to service providers.
The PCI DSS standards describe the technical and operational requirements that all merchants and other organisations must meet when accepting or processing card payments. Software developers and manufacturers that provide applications and devices to process transactions are also subject to these regulations.
PCI DSS compliance addresses three main aspects of card data security:
The starting point for achieving PCI DSS compliance is understanding which requirements apply to your business. You must then assess the security of your data collection and storage, fix any vulnerabilities or security gaps, submit reports providing evidence of compliance, and implement data monitoring and alerting systems to ensure security controls function effectively.
Whether an organisation must adhere to the requirements does not depend on the volume of transactions it processes — if an organisation receives any card payments or financial data, then it must comply with PCI DSS. Organisations that do not receive payment data directly, as they use a payment gateway or payment service provider, do not need to comply.
Where the volume of transactions processed comes into play is when looking at which specific PCI DSS requirements an organisation must meet, and there are four levels of compliance.
This is the strictest level of compliance and applies to organisations that process more than 6 million transactions per year for Visa or Mastercard, or more than 2.5 million per year for American Express. It also applies to organisations with fewer transactions that have experienced a data breach or have been assigned Level 1 by a card association.
Level 1 requirements:
This level of requirements is for organisations that process between 1 million and 6 million transactions per year.
Level 2 requirements:
Level 3 of PCI DSS applies to organisations that process between 20,000 and 1 million transactions per year.
Level 3 requirements:
Lastly, organisations that process less than 20,000 transactions per year must comply with Level 4.
Level 4 requirements:
To achieve PCI DSS certification, organisations need to show in their assessments that they comply with 12 high-level requirements that are organised into six different control objectives and further subdivided.
Every PCI DSS version has divided the control objectives into sub-requirements differently, but the 12 main requirements have remained the same throughout.
| Control objective | Requirement |
|---|---|
| 1. Build and maintain a secure network and systems | 1. Install and maintain network security controls |
| | 2. Apply secure configurations to all system components |
| 2. Protect account data | 3. Protect stored account data |
| | 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| 3. Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software |
| | 6. Develop and maintain secure systems and software |
| 4. Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know |
| | 8. Identify users and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| 5. Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data |
| | 11. Test the security of systems and networks regularly |
| 6. Maintain an information security policy | 12. Support information security with organisational policies and programs |
Each of the 12 requirements includes the following content:
While complying with PCI DSS regulations can seem like unnecessary work, it is essential to protect your business, employees and customers.
According to UK government data updated in July 2022, 39% of businesses suffered cybersecurity breaches or attacks in the last 12 months, and one in five lost money, data or other assets.
Unauthorised financial fraud losses from payment cards totalled £272.3 million in the first half of 2022 alone, according to a fraud report from the trade association UK Finance. Data breaches can damage your business’s reputation with consumers, and a loss of trust can threaten its continued success.
There are important benefits to ensuring your business maintains PCI DSS certification, for example:
Some of the basic PCI DSS requirements overlap with General Data Protection Regulation (GDPR) and other data security regulations, so by complying your business will have the systems in place to also meet those requirements.
PCI DSS compliance is not required by law, but the card associations in the Security Standards Council can fine banks for data breaches. If your business does not comply with the standards the bank could pass on the fine or close your account.
There are other potential consequences for failing to comply, especially if your business experiences a data breach. These consequences include:
While the UK’s Information Commissioner’s Office (ICO) states that PCI DSS compliance is not necessarily equivalent to compliance with GDPR, should an organisation that processes card data suffer a data breach, the ICO will consider the extent to which the organisation complies with PCI DSS requirements when deciding what action to take.
If your business takes card payments, then the payment processing provider you use must offer robust payment security. Merchant Savvy can help you find a payment processor that will ensure your business complies with the latest PCI DSS guidelines. Contact us today to discuss your needs.
As a greater proportion of transactions occur online each year, the original PCI DSS regulations outlined in 2006 were updated. In September 2019 the Payment Services Directive 2 (PSD2) was introduced to increase payment security in digital transactions and ensure greater consumer protection.
PSD2 is a payment security standard that applies primarily to payments made in EU/EEA currencies.
Copyright © ALL RIGHTS RESERVED 2023
Merchant Savvy is a division of VUBO Ltd (Company Number 09017066).
Address: Spaces, 9 Greyfriars Rd, Reading, RG1 1NU.