PCI DSS

Credit cards have been with us since the 1960s and debit cards since the 1980s. Inevitably, both forms of payment quickly attracted the attention of criminals who set about devising ways to find and exploit loopholes in the security of card systems. Most of the major card providers introduced their own programmes to ensure that merchants met specific security requirements but without a unifying set of standards, these measures were limited in their effectiveness. As a result, the industry as a whole formed its own Security Standards Council (PCI SSC), aligned the various different security policies and in 2004 released its Payment Card Industry Data Security Standard (PCI-DSS).

While not enjoying the status of legislation, it benefits from being much more easily implemented throughout the world and it is in the interests of the card companies to abide by it. It means that any business using card payment technology for transactions with customers is compelled to comply with its provisions or risk losing the card payment facility. The PCI-DSS may have been designed to target criminals but its effects and benefits are wider as its security protocols will also catch the consequences of accident or error. The standard imposes stringent conditions but no responsible business would risk the reputational damage that could flow from non-conformity.

The PCI-DSS sets out twelve conditions, both operational and technical. Among these are the use of firewalls and other measures to protect cardholder data, encryption, anti-virus software, properly maintained secure systems and applications. Participants are expected to carry out regular testing of those systems. They must also ensure that access to cardholder data is restricted in order to prevent it from being more widely disseminated than absolutely necessary. Those who are authorised must be given a unique ID while physical access must also be restricted.

A system must be established to track and monitor all access to the network in general and the cardholder data in particular. To guarantee that all compliance obligations are met, the merchant needs to maintain a security policy that is fully understood and followed by all personnel. Our PCI consultants services are fully developed to handle all elements of the PCI-DSS and we will not only advise you on every aspect of compliance but can offer practical measures, including sophisticated software solutions, to make it simple for you to meet your responsibilities.