Understand PCI DSS Compliance

Our range of experience, accreditations and customer testimonials demonstrate why we stand out from the crowd.

Nettitude is one of the most experienced organisations in the world for Payment Card Industry Data Security Standard (PCI DSS) consulting, auditing and pragmatic security solutions.

Make PCI DSS Compliance Simple

  • What is PCI DSS?

    PCI DSS is a set of comprehensive requirements for enhancing payment account data security. The standard was developed by American Express, Visa, MasterCard, Discover and JCB to help facilitate the broad adoption of consistent data security measures on a global basis. The standard covers both credit card and debit card transactions. It extends across online, bricks-and-mortar retail and call-centre environments.

  • Who should become PCI compliant?

    PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is intended to help organisations proactively protect customer account data. All organisations that store, process or transmit card data are required to comply with the PCI DSS. Compliance is mandatory for all these organisations, irrespective of their size.

  • How is PCI DSS enforced?

    The standard is enforced by acquiring banks, and many of these institutions are now proactively contacting their merchant-services account holders to ensure that they have embarked on a PCI DSS compliance programme. Organisations that are not deemed to be working towards achieving compliance can be fined by the acquiring banks. The approach taken varies from bank to bank; however, it frequently includes a fixed-charge fine or a per-transaction surcharge up to the point where the merchant achieves compliance. Any organisation that experiences a card data security breach can be fined by its acquiring bank up to £200 per compromised card.

  • What is the cost of not complying?

    Offending organisations can expect to receive costly fines that are easily avoided by achieving compliance. A global banking giant received a £3 million fine from the FSA in July 2009 for breaches in computer security, and the owners of a well-known retailer, fined for the loss of 45 million credit card details, are expected to see final costs for the breaches in excess of £800 million.

PCI Services for Merchants

In Nettitude’s experience it is common for merchants to be contacted by their acquirer and told that they need to achieve PCI DSS compliance. These communications tend to go out to clients that have some form of merchant services capability. This will usually be through Mail Order/Telephone Order (MOTO), card-not-present, or face-to-face card processing requirements.

Merchants are instructed to complete either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). Which is required is determined by the number of transactions that an organisation processes each year.

The matrix below shows the compliance validation requirements by merchant level. These requirements vary subtly based upon geography and card brand. However, from a high-level perspective, the bandings are as follows.

PCI for Service Providers

Service providers are required to become compliant with the PCI DSS if they deliver services to merchants that process, transmit or store payment card data. In Nettitude’s experience it is rare for service providers to be contacted by their acquirer to become compliant. Instead they receive upwards pressure from their clients to achieve PCI DSS compliance.

The matrix below shows the compliance validation requirements by service provider level. These requirements vary subtly based upon geography and card brand. However, from a high-level perspective, the bandings are as follows.

Level 2 organisations can choose to certify as a level 1 organisation. By certifying as a level 1 organisation, the service provider is listed on the Visa and MasterCard websites as a PCI compliant service provider. Organisations that certify at level 2 cannot be listed on either the Visa or MasterCard websites.

Download table showing ‘Compliance Validation Requirements by Service Provider’

Intelligent Cyber Security and Risk Management   0345 5200 085    solutions@nettitude.co.uk