
The Payment Card Industry Data Security Standard A.K.A. PCI-DSS
This article is for anyone who's interested in taking credit or debit card payments. What most people don't realise is that PCI-DSS (Payment Card Industry Data Security Standard) compliance is a legal requirement regardless of whether you take the card details over the internet or not.
The PCI-DSS was created in late 2004 as a group effort by the world's major card processing companies, as an amalgamation of all their individual efforts. There have been a number of revisions since then, mostly making improvements and clarifications to the original standard. Generally speaking, though, the idea of the PCI-DSS is to increase the security surrounding card processing and thus reduce fraud! As with all things tech, however, it's not as simple as it sounds!
So first up, who needs to be concerned? Well, that happens to be every single business that takes payment by credit or debit card, and that's regardless of how you acquire the card details or what you do with them. So even if you use those old-style carbon-copy card imprint machines, this still applies to you!
So what can you do? This one's the easy bit: for most small and medium businesses you have two options. 1) You can find a company that does PCI-DSS assessments, or 2) you can work out which sections of PCI-DSS apply to your organisation and complete the Self-Assessment Questionnaire (or SAQ). It's also quite common to find that you need to have quarterly vulnerability scans of your computers and computer networks. If at this stage you're (correctly) anticipating pages and pages of paperwork and could do without the headache, there are companies out there that will guide you through the SAQs and do your quarterly security scans for around £150 per year. Yep, that's right, you have to go through this whole process every year...
As far as websites are concerned, there is some good news. If you take card payments online, in an e-commerce website for example, you will probably find that responsibility for the security of your online card transactions rests squarely with someone else! This is because most small businesses, instead of processing the payment themselves on their website, send customers temporarily to a third party called a payment gateway, so the card details never pass through the business's own site.
These payment gateways have to be extremely secure because of the volume and value of the card transactions that they process. As far as PCI-DSS is concerned, these companies need to be as secure as possible, so the rules are much stricter for them than for small businesses. The one bit you are responsible for is ensuring that you have chosen a PCI-DSS compliant payment gateway provider! Don't be fooled, however: being PCI-DSS compliant, whilst a step in the right direction, doesn't mean that your website cannot be hacked.
For more information, get in touch! Whilst we don't currently offer PCI-DSS compliance services, we can point you in the right direction, so feel free to give us a ring and we will do whatever we can to help you!

