PCI DSS: Does it have to be a Headache?

With worldwide card fraud costing over £23 billion (Merchant Savvy) in the last year alone, and with agents now working remotely, PCI compliance is crucial.

All companies that take card payments over the phone are subject to PCI DSS requirements.

These levels and requirements can be very expensive to achieve and maintain, and they often place an added burden on IT teams and management to keep up to date.

They can require system upgrades and regular audits, certainly a headache you could do without. Not to mention the consequences when PCI compliance goes wrong!

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004. It is a set of security requirements designed for businesses that process payments for the major credit card brands.

PCI DSS was introduced to help businesses curb the escalating fraud associated with processing credit cards, and so to protect consumers.

The cost of credit card fraud is expected to reach £29.80 billion by 2027 (Merchant Savvy).

In the UK particularly, the most common type of credit card fraud is card not present (CNP) fraud, where the transaction is made remotely, for example over the telephone or through an online portal. The cost of this totalled £470.2 million in 2019 (Merchant Savvy).

Now, with more online and telephone-based transactions occurring and agents working remotely, it’s never been more crucial to think about your PCI compliance strategy.

The Rules of PCI

PCI compliance is a set of requirements designed to ensure that all companies processing, storing or transmitting credit card (payment card) information maintain a secure environment.

There are four ‘levels’, based on the number of transactions that you handle over a 12-month period.

Level 1
Any merchant processing over 6 million transactions per year, or any merchant that the card provider determines should meet the Level 1 requirements.

Level 2
Between 1 and 6 million transactions per year.

Level 3
Between 20,000 and 1 million e-commerce transactions per year.

Level 4
Any merchant processing fewer than 20,000 e-commerce transactions, and all other merchants processing up to 1 million transactions per year.

Requirements for PCI

To validate compliance at each level, these are the key requirements of the business:

Level 1

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) or Internal Auditor
  • Internal Auditor is recommended to obtain the PCI SSC Internal Security Assessor certification
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance form
  • Annual Self-Assessment Questionnaire (SAQ-A) with 16 questions

Level 2

  • Annual Self-Assessment Questionnaire (SAQ-D) with over 300 questions
  • Quarterly network scan by ASV
  • Attestation of compliance form

Level 3

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of compliance form

Level 4

  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirement set by merchant bank

Across all levels there are also 6 key objectives, which together contain the 12 PCI DSS requirements. The objectives are:

Build and maintain a secure network and systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy

  12. Maintain a policy that addresses information security for employees and contractors

(PCI Security Standards Council)

Making PCI Easier

To be considered PCI compliant, your networks and systems must be secure. This includes personnel if payments are taken over the phone: agents and other staff members who take card payments need to be trained adequately, so that they know exactly what they need to do, and their knowledge must be monitored and tracked.

Systems need to be kept secure from malicious attacks or intrusions, and this is a constant task because attackers’ capabilities are always improving. If call recording is implemented, you must also consider how that recorded data is stored, since it may contain card details.

Normally, this is how much of your estate is in scope of PCI DSS (shown in pink):

Diagram depicting how much your systems are in scope of PCI DSS

But… PCI DSS compliance doesn’t need to be as much of a headache for you.

There are solutions that enable you to take payment card information over the phone without your agent seeing the transaction or the card numbers, while still allowing your agent to continue the conversation with your customer during the process.

Through our PCI compliance options we’ve helped customers take secure card payments over the phone via DTMF (dual-tone multi-frequency) masking, which hides the distinctive audible tone of each keypress so that the tones cannot be heard or recorded and matched back to the digits of the credit card number.

Diagram depicting how having a PCI DSS partner takes the stress away from your in scope systems

Take the stress of PCI compliance away from your business today, explore a full range of options here.

PCI DSS level 1 service provider logo