Since 2003, PCI DSS has been a required international security standard for anyone accepting card payments, and occasionally it’s updated to ensure it is maintaining data safety. The fourth generation PCI DSS modernises the standard, which previously didn’t consider new controls such as heuristic or biometric authentication options in lieu of traditional passwords. It will also protect customers and merchants from new vulnerabilities that weren’t a risk when the previous iteration was designed.
You must comply with the new PCI DSS
Not all merchants are aware that they must comply with the PCI DSS – but even if you’re a tiny business, the standard is covered in the merchant agreement you signed with your bank which allows you to accept credit card funds.
Complying with PCI DSS v4.0 varies depending on which tier your business falls into:
- If you’re transacting more than six million credit/debit card payments each year, you must use an external independent provider to ensure your business is compliant.
- If your business is transacting between one and six million card payments annually, you will require an internal trained assessor or an external independent provider to work with you to ensure you’re compliant.
- If you’re carrying out between 20,000 and one million transactions annually, your bank will call you and talk to you about complying with the new standard. Your business can choose to self-attest and check your own compliance, although it may be well worthwhile getting some advice to ensure you’re getting it right.
- If your business generates fewer than 20,000 credit/debit card transactions each year, you may not hear from your bank. You’ll need to think about how to be compliant and whether you need to make changes (refer to the starting points below).
Compliance is a commercial requirement, rather than a regulatory one, but your bank agreement does necessitate your compliance. The penalties for non-compliance can be high depending what tier you’re in; this can include immediate suspension of your payment facility and financial penalties for breaching your agreement. When you rely on your payments network to receive income, a suspension can quickly paralyse your cashflow and cause major problems for your organisation.
How to get started on PCI DSS compliance
The high-tier businesses will leave PCI DSS compliance to their internal cybersecurity teams, who will understand all the ins and outs of data security. But for smaller-tier businesses, particularly those in the sub-20,000 transaction category, it might come as a surprise to know that compliance is required before March next year. Here are some tips for getting started:
- Know your PCI DSS requirement and what you’re liable for. Depending on your business and how your customers process their cards, you may not need to make any changes.
- Talk to your bank and your payment processor (such as Windcave or Worldline/Paymark). Both have a strong interest in ensuring you are compliant and they will be able to guide you. They can tell you about what payment types you’re using, how secure they are, what other options might be available, and whether you need to make a change.
- Avoid storing cardholder data as much as possible. If your business does not need to store the cardholder data at all, that is preferable. If you do need to store it, find out whether you can eliminate this need by using a different type of payment, or make sure you have strong data storage policies in place.
- Consider talking to a qualified security assessor to help you understand the compliance requirements for your business. This is particularly important for larger businesses running ecommerce operations, and at a certain tier, it will be mandatory.
- For larger organisations, think about segmenting your network to reduce the parts that handle card information. This makes it much easier to assess your network.
Some payment types make compliance easy
When someone is buying online from your business, they can enter their credit card details in various ways – and some are riskier than others.
If the shopper enters their details directly into your site, your business is holding their card information to some extent, which increases the risk and makes your responsibilities for compliance with PCI DSS more onerous. This risk increases again if you are processing the card transaction, or holding a physical copy of the information such as a written form. Options to reduce this risk might include saving the card details as a token for an online transaction or switching to a different payment type.
A safer payment type is one where your customers enter their card details into a third-party payment portal, such as one provided by your bank or payment gateway. This means your business is not storing any card data, which means you are likely to already be complying with PCI DSS, and reducing your compliance burden in the future.
Make compliance and data security part of your business's BAU
To get a good understanding of your risks and obligations, you should start by speaking to your bank and payment gateway. You might then use a specialist advisor for more help, and get in the habit of auditing your cyber security regularly, even if your business is small. We’ve seen problems arise, even with major businesses, when a company only checks on PCI DSS compliance annually and suddenly realises there’s a big problem. Checking on compliance and data security should be a ‘business as usual’ part of any operation, as automatic as breathing.
Give yourself plenty of time to get your ducks in a row, so you’re all set up before the end of March 2024 – and your business remains compliant, and your customers’ data remains safe.