At Watman & Worth we are extremely security conscious.
PCI DSS compliance was introduced due to the increasing threat of data theft. With millions of stolen customer card records, the card payment industry were forced to take action. To secure customer data and confidence, card payment companies joined forces to create the PCI DSS standard.
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 comprehensive requirements designed to secure and protect customer payment account data. These rules need to be adhered to by all online merchants, and are constantly in review and as such can alter.
Who Needs to Comply?
All websites that offer the facility to accept payment via credit and charge cards are required to meet the latest Payment Card Industry and Payment Application Data Security Standards. These standards are requirements detailed in merchant account agreements, and there are no exceptions to the rules.
PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically. It also covers manual processing and storage.
Although not a legal requirement, compliance with PCI DSS standards is a requirement by Visa, MasterCard and American Express, as well as merchant account providers such as Barclaycard, HSBC, RBS WorldPay and Lloyds TSB. These merchant account providers are required to report the status of merchant account holders to Visa, MasterCard and American Express, who will, if found, enforce hefty non-compliance fines.
PCI DSS Requirements are:
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security
What Happens If You Do Not Comply With PCI DSS?
Failure to comply with the PCI DSS standards will result in fines. The below schedule details the fines that will be levied, and as they are part of all merchant agreements, they are enforceable by your merchant account provider on behalf of Visa, MasterCard and American Express.
The below figures apply to Level 4 merchants only. If you are a level 3, 2 or 1 merchant the fines can be higher. For further clarification on fine details, please refer to your merchant account provider.
Non-compliance will result in card scheme fines being passed onto you, monthly non-compliance fines, and/or termination of your card processing facilities. The costs involved after a data security breach can be extremely high.
In the event of a data compromise, MasterCard and Visa rules require that a forensic investigation will take place. This can potentially cost you thousands of pounds with no upper limit. Following the results of the investigation, the card schemes will submit the following fines.
MasterCard
| $25 | per card that needs re-issuing |
|---|---|
| $5 | for each potential compromised card being monitored |
| $100,000 | additional maximum of fine per incident |
| $100,000 | for storage of the card security code (CSC) also known as CVC2, CV2 or CVV2. |
Visa
| €10,000 | Initial Penalty of |
|---|---|
| €5,000 | Insufficient remediation |
| €10,000 | Monthly violation fee |
| €15,000 | Monthly violation fee after 5 months |
Note
The card schemes retain the rights to modify these fines and charges at any time. All fines are charged in the stated currency to avoid any conversion discrepancy.
In the event that you do not process payments on your website, but transact them through a third party or Payment Gateway provider, you technically may not need to be PCI DSS compliant, but would need to be PA DSS compliant. As 'best practice' it is recommended that you comply with PCI DSS requirements, and if needed PA DSS requirements. Adherence to these security standards will protect you against the potentially unlimited fines that could be imposed upon you should the worst happen. Implementing these measures now are certainly a better solution than trying to defend your business on a technicality later.
