Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was established, and from 1st July 2007 is mandated, to ensure that all data supplied by a cardholder is stored, processed and transmitted in a secure environment. The Standard applies to all card transactions and must be considered by every entity that stores, processes or transmits cardholder data. The PCI DSS rules therefore have important implications for all Merchants.
The purpose of the mandated change is to reduce the risk posed by poor security around sensitive cardholder information. Recent high-profile cases of compromised card data stores highlight the significance of this issue and the consequent need for PCI DSS.
PCI DSS is governed by the PCI Security Standards Council (PCI SSC), an independent body led by an Executive Committee made up of representatives from MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB.
The mandated Standard affects every element of the payment process and requires any Merchant that stores, processes or transmits card information to adopt the technology, operational and security processes needed to protect sensitive card data. To meet PCI DSS, all Merchants are required to address six control objectives (which together contain the twelve PCI DSS requirements):
- Build and maintain a secure network
- Protect all cardholder data
- Maintain a vulnerability management programme
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
If Merchants do not take the necessary measures to achieve PCI DSS compliance they risk severe negative consequences. These include:
- Heavy fines, levied by the card schemes and passed on through the Acquiring Banks. This includes a one-off fine of over £10,000 for non-compliance and uncapped fines for every breach of security involving cardholder data.
- Withdrawal of their ability to accept Visa and MasterCard payments
- Bad publicity, resulting in loss of trade
- Ultimately, the Merchant could be left unable to trade at all
The service provided by DataCash is fully PCI DSS compliant. DataCash commits, and will contract, to maintain its compliance for the lifetime of any contract with a Merchant. A copy of DataCash's PCI DSS certificate can be viewed here:
A copy of the quarterly external PCI vulnerability scan can be viewed here:
Visa reinforces this stating:
“Providing card data is not being held in any other systems (electronic or otherwise) the DataCash solution in itself can be viewed (end to end) as meeting the PCI DSS requirements.”
Because DataCash is already compliant, and is contractually bound to maintain full compliance, using the DataCash Service can significantly reduce a Merchant's cost of operating within PCI DSS, both for initial compliance and for ongoing validation.
All Merchants will still need to assess the implications of attaining and maintaining PCI DSS compliance for their own business. The validation measures required of a Merchant depend largely on the volume of transactions it processes (its Merchant level), and for most will include some or all of the following:
- Annual on-site security audit
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
For more information and advice about the most effective route to PCI DSS compliance before the 1st July deadline, and for recommendations of suitable Approved Scanning Vendors, contact a member of DataCash Account Management on 0870 72 74 761 or by email at PCIDSS@datacash.com.
Detailed information about the new PCI DSS rules can be found on the following websites: