
PCI DSS Compliance: The Complete UK 2026 Business Guide

Businesses must adhere to industry standards to protect sensitive information. One such standard is PCI DSS. This guide explores PCI DSS compliance, its significance for businesses in the UK, and the steps to achieve it.


Posted 23/04/2025 | Updated 17/06/2026

Key Takeaways

  • PCI DSS is a set of security standards that ensure secure handling of cardholder data.

  • PCI DSS compliance is not legally mandatory but is a contractual requirement imposed by payment card schemes and could have serious financial consequences if not adhered to.

  • PCI DSS compliance can build customer trust, avoid financial losses, and build good brand reputation.

  • Small businesses may need to simply fill out a self-assessment questionnaire whereas a large business requires a formal assessor.


What is PCI DSS Compliance and why do businesses need it?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established by the major payment card brands to ensure the secure handling of cardholder data. It applies to any business that handles payment processing, specifically when processing, storing, or transmitting payment card information.

The primary goal of PCI DSS compliance is to protect customer data and prevent fraud. By adhering to these standards, businesses can enhance their security measures and reduce the risk of data breaches, financial losses, and reputational damage. 

PCI DSS v4.0.1

PCI DSS v4.0.1 stands as the sole active, fully supported standard governed by the PCI Security Standards Council (PCI SSC). Designed as a targeted, limited revision, v4.0.1 introduces no entirely new or deleted requirements. Instead, it serves to tighten formatting, sharpen implementation guidance, and clarify complex language, most notably redefining the strict 30-day patch window for critical vulnerabilities to ensure UK businesses can apply security updates with greater precision.

Core Requirements of PCI DSS

Every UK business handling card payment data must align with these core pillars, which dictate that organisations must:

  • Build and Maintain Secure Networks: Install robust network security controls and eliminate default, vendor-supplied configurations across all system components.
  • Protect Account Data: Safeguard both stored and transmitted cardholder data (CHD) using advanced, industry-standard cryptographic protocols.
  • Maintain a Vulnerability Management Program: Deploy secure systems and web applications and ensure regular, rapid patching.
  • Implement Strong Access Control Measures: Restrict logical access to the Cardholder Data Environment (CDE) based on a strict business "need-to-know" framework, backed by mandatory multi-factor authentication (MFA).
  • Regularly Monitor and Test Networks: Log, track, and scrutinise all access to network resources, while routinely testing system configurations and perimeter defences.
  • Maintain an Information Security Policy: Establish and enforce comprehensive internal policies that govern organisational risk and personnel security.

Why is PCI DSS compliance essential for UK businesses?

While PCI DSS compliance isn't a legal requirement in the UK, it is a contractual one. Here are some of the many reasons to achieve PCI DSS compliance:

Protecting customer trust:

By demonstrating a commitment to safeguarding customer data, businesses can build trust and confidence among their customers. This enhances customer loyalty and retention.

Preventing data breaches:

Compliance with PCI DSS enables businesses to implement robust security measures that prevent data breaches. These measures include secure network configurations, encryption, and regular vulnerability scanning.

Avoiding financial losses:

Data breaches can be financially devastating, involving costs such as forensic investigations and potential fines. Being PCI DSS compliant reduces the risk of such breaches and the associated financial burdens. In recent years the penalties following a data breach have become steeper, and a card data breach can potentially attract the maximum statutory fines under UK data protection laws.

Maintaining brand reputation:

A data breach can severely damage a business's reputation. Prioritising PCI DSS compliance allows businesses to safeguard their brand image and maintain customer confidence.

In summary, PCI DSS compliance ensures the secure handling of customer payment card data, protects against data breaches and fraud, and helps businesses gain customer trust. By adhering to PCI DSS standards, businesses can mitigate risks, enhance security, and preserve their reputation. 

What steps do UK businesses need to take to achieve PCI DSS compliance?

Achieving PCI DSS compliance in the UK requires businesses to follow a series of straightforward steps to ensure the secure handling of payment card data. By implementing these steps, businesses can protect customer data and build trust with their customers. Here are the seven essential steps to achieve PCI DSS compliance:

  1. Assess your business’s processes:  
    Conduct a thorough assessment of your business's software and processes, including networks, systems, and applications that handle payment card data. Identify vulnerabilities or gaps that need to be addressed.
  2. Build and maintain a secure network:  
    Implement strong network security measures, such as firewalls, secure configurations, and access controls. Restrict access to cardholder data and ensure secure transmission of data across networks.
  3. Protect cardholder data:  
    Employ encryption techniques to protect cardholder data both in transit and at rest. Limit access to cardholder data on a need-to-know basis and regularly monitor access to detect unauthorised activity. It’s worth noting that Multi-Factor Authentication is now mandatory for all access to the Cardholder Data Environment.
  4. Maintain a vulnerability management program:  
    Establish processes for identifying and addressing new vulnerabilities as they arise. This can be done by implementing a program to regularly scan for vulnerabilities and patch identified weaknesses promptly.
  5. Implement strong access control measures:  
    Limit access to cardholder data by assigning unique user IDs to individuals with a legitimate business need. Regularly review and update user access privileges to prevent unauthorised access.
  6. Regularly monitor and test networks:  
    Implement processes to monitor and track all access to cardholder data. Conduct regular security testing, including penetration testing and vulnerability scanning, to identify and address potential vulnerabilities.
  7. Maintain an information security policy:  
    Develop and maintain a comprehensive information security policy that addresses all aspects of PCI DSS compliance. Communicate the policy to all employees and enforce compliance through training and monitoring. 
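Steps 3 and 6 above come down to one practical question for most teams: is a full card number (PAN) ever written somewhere it should not be, such as an application log? The following is an added example, not code from the original guide, showing a small defensive check a practitioner can run over log output: it finds candidate 13- to 19-digit sequences, confirms they are card-number-shaped with the Luhn checksum (so order IDs and phone numbers are left alone), and redacts them to a masked form that keeps only the first six and last four digits. The log lines, card numbers (industry test numbers) and field names are constructed for the example.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits. Candidates only; Luhn decides.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real traffic). Lines 2 and 4 contain
# well-known test card numbers; line 1 holds a 16-digit order id that fails
# Luhn and line 3 a phone number that is too short to be a PAN.
LOG_LINES = [
    "2026-06-17T10:02:11Z checkout order=1234567890123456 status=ok",
    "2026-06-17T10:02:12Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/28",
    "2026-06-17T10:02:13Z INFO customer phone=+44 7700 900123",
    "2026-06-17T10:02:14Z ERROR decline pan=4242424242424242 code=05",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned log
    masked: str    # the masked PAN, never the full number


def scan_log(lines):
    """Scan log lines for full PANs.

    Returns (findings, redacted_lines). The findings list is what you
    would alert on; the redacted lines are safe to forward or store.
    """
    findings = []
    redacted = []
    for n, line in enumerate(lines, 1):
        def repl(match):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_ok(digits):
                return match.group(0)       # not card-shaped, leave as-is
            masked = mask_pan(digits)
            findings.append(Finding(n, masked))
            return masked
        redacted.append(PAN_CANDIDATE.sub(repl, line))
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_log(LOG_LINES)
    for f in found:
        print(f"line {f.line_no}: full PAN found, masked as {f.masked}")
    print("\n".join(clean))
```

Running the block reports full PANs on lines 2 and 4 only, and the redacted copy of those lines carries the masked forms (e.g. `411111******1111`). A check like this belongs in the log pipeline (so unmasked PANs never reach long-term storage) and in the regular monitoring that Step 6 calls for; a hit means the application is logging cardholder data and that code path needs fixing, not just the log.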

What do I need to confirm PCI DSS compliance?

Determine your merchant level:

PCI DSS requirements vary based on the number of transactions your business processes annually. Determine your merchant level (1-4) to understand the specific requirements applicable to your business.

| Level | Transaction volume (per year) | Typical merchant type | Validation requirements |
|---|---|---|---|
| 1 | Over 6 million transactions (all channels), or any merchant that has suffered a data breach, or as designated by a card brand | Large retailers, global/national companies | Annual on-site assessment by a Qualified Security Assessor (QSA) or internal auditor (if signed by an officer), quarterly network scans by an Approved Scanning Vendor (ASV), Attestation of Compliance (AOC) |
| 2 | 1 million to 6 million transactions (all channels) | Mid-sized retailers | Annual Self-Assessment Questionnaire (SAQ), quarterly network scans by ASV, Attestation of Compliance |
| 3 | 20,000 to 1 million e-commerce transactions, or up to 1 million total transactions (varies by card brand) | Smaller e-commerce merchants | Annual SAQ, quarterly network scans by ASV, Attestation of Compliance |
| 4 | Fewer than 20,000 e-commerce transactions, or up to 1 million transactions (all channels) | Small businesses, local retailers | Requirements set by acquiring bank; typically annual SAQ and quarterly scans if applicable |

Note: Under recent changes, level 1 enterprises can now choose between the traditional “defined approach” or a customised approach which allows large UK organisations to design their own security controls provided they can prove the control mitigates the risk.

Complete a self-assessment questionnaire (SAQ):

The SAQ is a questionnaire that assesses the security controls implemented by your business. There are now several SAQ types, and it’s best to direct merchants to their acquirer to understand how best to attest their compliance. 
 
By following these steps, businesses can navigate the path to achieving PCI DSS compliance and ensure the secure handling of payment card data. Achieving compliance is an ongoing process that requires continuous monitoring, updates, and adaptation to evolving security threats.

Note: The information provided in this guide is for informational purposes only and should not be considered legal advice. It is recommended to consult with a qualified professional to ensure compliance with specific contractual and industry requirements. 

PCI compliance FAQs

Is PCI DSS a legal requirement in the UK?

No, PCI DSS compliance is not mandated by law in the UK. However, it is a contractual requirement imposed by payment card schemes.

What happens if my business doesn't comply with PCI DSS?

Non-compliance can lead to penalties, fines, and legal liabilities. Additionally, it can result in a loss of customer trust and damage to your business's reputation.

How often do I need to complete a Self-Assessment Questionnaire (SAQ)?

Level 2, 3, and 4 merchants need to complete a Self-Assessment Questionnaire (SAQ) on an annual basis. Level 1 merchants require a full assessment resulting in a Report on Compliance.

Which SAQ should I use?

It is best to direct merchants to their acquirer to understand how best to attest their compliance.

How often do I need to conduct an external vulnerability scan?

In order to meet PCI Compliance, you need to conduct an external vulnerability scan on a quarterly basis.

What are the different SAQ types?

There are 9 types of SAQ, including:
1. SAQ A: For e-commerce and channels where all cardholder data functions are outsourced to a PCI DSS-compliant third party.
2. SAQ A-EP: For e-commerce channels whose websites don't directly receive cardholder data but do impact the security of the transaction.
3. SAQ B: For businesses using standalone, dial-out, non-IP-connected payment terminals with no electronic storage of cardholder data.
4. SAQ B-IP: For businesses using standalone, PTS-approved IP-connected payment terminals with no electronic storage of cardholder data.
5. SAQ C: For businesses using payment application systems connected to the internet that don't store cardholder data.
6. SAQ C-VT: For businesses using web-based virtual terminals on a single internet-connected computer to manually key in payment data, with no storage of cardholder data.
7. SAQ D (Merchants): For businesses that process or store cardholder information on-site and don't use point-to-point encryption.
8. SAQ D (Service Providers): For third-party service providers that process, store, or transmit card data on behalf of other organisations.
9. SAQ P2PE: For businesses that process transactions through a PCI-validated point-to-point encryption (P2PE) solution and don't hold cardholder data.

How much does PCI compliance cost in the UK?

In the UK, PCI DSS compliance costs range from around £5 to £100 per month for small businesses using SAQs and up to £50,000+ per year for large organisations requiring formal audits.

Who can perform PCI compliance audits for UK companies?

A Qualified Security Assessor (QSA), employed by an independent organisation certified by the PCI Security Standards Council, is the only entity authorised to perform formal PCI DSS audits. These aren't usually necessary for small businesses, but if you are a level 1 organisation, you must use a QSA.