PCI DSS - An introduction and overview

Jun 9th, 2009 by tirial

A basic guide to the Payment Card Industry Data Security Standard. Covering where to start, who is affected and why the standard exists, this is designed as a non-technical guide for people looking for an introduction to the standard.

About PCI DSS Compliance

About PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is an international standard for handling credit card data. Introduced in response to increased concerns about identity theft and data loss, it was created to amalgamate the standards that providers such as Visa and Mastercard had created independently.

Although PCI DSS originated in concerns about online credit card data, it also covers all credit card data an organisation holds, such as order forms, payment slips, etc. Where cards are taken over the telephone, by fax or on paper, it determines how this data must be handled to keep it secure. It is also not limited to credit cards: debit cards and other forms of card payment are also covered.

Penalties
The penalties for non-compliance can be harsh, with fines of over £300,000 or even having the right to take cards revoked. However, if a data breach occurs in a non-compliant company, fines can be even higher, with the card issuers able to charge for the cost of managing the fraudulent charges and replacing the cards. The best known case in recent years was TJX, the owner of TK Maxx among others, where the estimated costs were well over £100M.

Common Sense
While the standard at first sight can be forbidding - milestones, requirements, merchant levels and a lot of three-letter acronyms - in practice many of its requirements are simply common sense. The entire standard can be summed up as: best practice for handling card data.

Many of its steps, such as not sharing user logins or passwords and running regularly updated anti-virus software, should already be in place in most organisations.

Changing Working Practices
Changing human behaviour can be the hardest part of any PCI DSS implementation. For example, part of the standard insists that each user has their own login, allowing all access to the cardholder data to be tracked. This creates an audit trail if any data is misused, but it is undermined when users share logins or use someone else's password. The only way to resolve this type of issue is better training.

As every PC which can access the data needs to be PCI compliant, this also discourages companies from dropping the data on the main server or emailing it unencrypted internally. While this is good for data protection, it can cause issues if, for example, your order department is in the habit of swapping emails with problem orders attached unencrypted.

In general the standard is simply a way to make sure that sensitive data is handled securely, and that customers are not at risk of having data stolen.

Who is affected?

The good news is that if you work purely through a third party, such as PayPal or a merchant bank, and never receive the cardholder data yourself (the payment system that takes the cards is hosted entirely by a third party), you don't need to be PCI DSS compliant. If you are a small merchant, under 20,000 transactions a year and below a certain dollar limit, you currently do not need to be PCI compliant.

However, it is still worth looking at the standard, because many of the things it covers are simply good IT practice.

Where to start

The PCI site can be confusing, with requirements, prioritisation guides and merchant levels. In my experience, a good place to start with PCI DSS compliance is simply to download Self-Assessment Questionnaire D (SAQ D). This is the catch-all questionnaire, designed for merchants of any level, and is therefore the most comprehensive.

Running through this SAQ does two things:
1) It is the worst case scenario - every other SAQ you may need to complete is much simpler.
2) It highlights areas in your business that might need checking, such as procedures, network diagrams and the departments affected.

Whether to Proceed

Consider whether you want to proceed with PCI DSS. It may be that your company is not affected or covered by the standard. Many companies will be able to self-assess for PCI DSS compliance, which means that completing the SAQ and being examined by an assessor is enough. Others will need to go through a full independent audit.

If you do want to proceed, a Qualified Security Assessor (QSA), someone trained in the PCI standard, can run through your company and highlight any areas where you are not in compliance. They can also confirm whether you can use a simpler SAQ. However, their time is not cheap, so you might want to get as much done internally as possible, using the SAQ as a guide.

Being able to complete the SAQ does not mean you are PCI compliant, although it means you are a long way towards it. Once you can complete it, the QSA will check for other procedures, such as regular security checks, and determine whether you are compliant or highlight any further work needed.

Eventually you will (hopefully) be certified PCI DSS compliant. Of course, this is an evolving standard, so you will need to recertify annually. This process is much simpler, since the work to reach the standard has already been done.

Other Advantages
Since you have done all the work to be PCI DSS compliant, you want to get the most out of it. The data protection and IT good practice are both benefits, but it can feel as though you are doing a lot of work to remove a risk with no immediate gain.

PCI DSS does not give any badge or logo to demonstrate compliance. However, some organisations which perform security checks (e.g. TrustGuard) allow the companies they check to display a badge showing how recently their site was certified as safe. Since you need to pay for the checks anyway, this is a side benefit.

To Conclude
Although at first sight the standard and PCI DSS Documents may seem forbidding, much of the content is simply common sense. A lot of the work can be done in-house, using the documentation as a guide, and external experts need not always be used. Finally, if you work purely through a third party supplier and never handle credit card data, you may not need to work on it.

Resources

More about the TJX Case

http://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions - SAQ page

http://www.pcisecuritystandards.org/ - The official homepage of the standard, with all the details you will need.

This article is based on the author's experience of PCI DSS projects and is simply an introduction. For information on how to apply it in your organisation, and any updates to the standard, see the PCI DSS website.
