Acora is a UK based, award-winning IT services and technology company with over 25 years’ experience. We provide a range of IT support and Microsoft-centric business software and cloud solutions to help mid-market organisations modernise their IT so they can compete and win in the digital economy. More than 200 clients trust us to take responsibility for part, or all of their IT from solution design to support.
According to Verizon’s Payment Security Report 2020, only 27.9% of global businesses are compliant with the PCI DSS standard.
Did you know? 💡
If you handle payment card data anywhere, including in the UK, you need to comply with PCI DSS to protect cardholder data, whether you store it or only process or transmit it.
As a business, you need to take PCI DSS compliance seriously. So let’s take a look at what the standard is, what it covers, and how you can become compliant.
PCI DSS stands for Payment Card Industry Data Security Standard. (Now there’s a mouthful!)
It is an information security standard designed to:
PCI DSS was originally developed through a collaboration between the five leading payment brands: American Express, Discover, JCB, Mastercard and Visa.
It’s now managed by the PCI SSC (Payment Card Industry Security Standards Council or PCI Security Standards Council).
Payment-card fraud is a serious problem. According to the most recent UK Finance report, unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £783.8 million in 2020.
You will need to be compliant in PCI DSS for the following reasons:
So PCI DSS compliance is definitely something worth getting right first time.
PCI DSS compliance involves a lot of specialised terms and acronyms. The main ones are explained below.
PCI – Payment Card Industry – The firms involved in taking card payments
PCI DSS – Payment Card Industry Data Security Standard – An information security standard to protect cardholders’ data when they shop
PCI SSC – Payment Card Industry Security Standards Council – The body that manages PCI DSS and qualifies QSAs, ASVs and ISAs
ASV – Approved Scanning Vendor – A company approved by the PCI SSC to carry out the quarterly external vulnerability scans that the standard requires
ISA – Internal Security Assessor – An employee of a merchant or service provider who has been trained and certified by the PCI SSC to assess their own organisation’s PCI DSS compliance
QSA – Qualified Security Assessor – An independent organisation (and its certified assessors) approved by the PCI SSC to assess other organisations’ PCI DSS compliance
SAQ – Self-Assessment Questionnaire – A questionnaire that merchants can use to check their own compliance with PCI DSS
RoC – Report on Compliance – A document with detailed results from a PCI DSS assessment – usually one carried out by a QSA during an audit. All Level 1 merchants (see below) must complete an RoC
AoC – Attestation of Compliance – A form that you complete and submit with your SAQ to confirm that you are eligible to carry out self-assessment, and that you have done so. You also submit an AoC along with an RoC
Merchant – A person or company that sells goods or services and accepts card payments for them
PSP – Payment Service Provider – A third party that helps merchants accept payments, for example a payment gateway or hosted checkout
All merchants and PSPs that process, transmit or store cardholder data must comply with PCI DSS. You need to comply if you:
Take card payments online through an ecommerce website
Take card payments in person using a card reader or contactless payments – for example, in a shop or restaurant
Take card payments over the phone, using the details provided by the cardholder
You also have to comply with PCI DSS if you process payments or handle cardholder data on behalf of someone else. The standard calls this a service provider; a Payment Service Provider (PSP) is the most common example. Some businesses are both a merchant and a service provider at the same time.
There are a total of 12 requirements (often called the 12 steps) that you need to meet to comply with PCI DSS. They are grouped under 6 goals:
1. Build and maintain a secure network and systems to protect cardholder data
Install and maintain a firewall configuration to protect cardholder data, and test it regularly
Do not use vendor-supplied defaults for system passwords and other security parameters. Change them as soon as you can and update them frequently
2. Protect cardholder data
Protect stored cardholder data. Only store the cardholder data you absolutely need, never store sensitive authentication data (full magnetic stripe or chip data, CVV/CVC codes, PINs) after authorisation, render any stored PAN unreadable (truncation, tokenisation, one-way hashing or strong encryption with properly managed keys), and keep the data safe both digitally (backups, passwords and access control) and physically (by limiting access to your servers)
Encrypt transmission of cardholder data across open, public networks using strong cryptography, such as a current version of TLS, so nobody can read it in transit
3. Maintain a vulnerability management program
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications, so you stay one step ahead of potential problems
4. Implement strong access control measures
Restrict access to cardholder data to those who genuinely need to know it
Identify and authenticate computer access to system components
Restrict physical access to cardholder data
5. Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
6. Maintain an information security policy
Maintain a policy that addresses information security for all personnel
Each of these steps helps to reduce your risk of cardholder data loss or fraud. It can also help you to understand any potential security vulnerabilities. You can read the full requirements for PCI DSS on the PCI SSC’s website.
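As an added example (not code from the Acora article), the Python script below shows two of the Requirement 3 controls above in working form: it masks any primary account number (PAN) found in free text to the first six and last four digits, which is the most PCI DSS allows to be displayed, and it flags fields that suggest sensitive authentication data (CVV, PIN, track data) has been written somewhere it must never be stored, such as an application log. Candidate numbers are checked with the standard Luhn checksum so that order numbers and other long digit strings are left alone. The log lines and field names are constructed for this example.

```python
"""Added example (not from the original article): find and mask card numbers
(PANs) in free text such as application log lines, and flag any field that
looks like sensitive authentication data.

PCI DSS Requirement 3 says the PAN must be rendered unreadable wherever it
is stored, masked when displayed (at most the first six and last four
digits visible), and that sensitive authentication data (full track data,
CVV/CVC, PIN) must never be stored after authorisation.  A log scanner
like this is a cheap way to catch both problems before an assessor does.
The sample log lines at the bottom are constructed for this example.
"""
from __future__ import annotations

import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or hyphens, not glued to other digits.  Many order and phone numbers
# match too, which is why every candidate is then Luhn-checked.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed for this example) that indicate sensitive
# authentication data has been logged.
_SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin|track[12]?)\s*[=:]", re.IGNORECASE)


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six + last four digits, the maximum PCI DSS allows on display."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in `text`; return (masked_text, number_masked)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        if not luhn_valid(candidate):
            return candidate  # e.g. an order number that merely looks like a card
        count += 1
        return mask_pan(candidate)

    return _CANDIDATE.sub(_sub, text), count


def has_sensitive_auth_data(line: str) -> bool:
    """True if the line carries a CVV/CVC/PIN/track field, which must never be stored."""
    return _SAD_FIELD.search(line) is not None


def scan_log(log: str) -> list[tuple[int, str, bool]]:
    """Return (line_number, masked_line, sad_present) for each offending line."""
    findings = []
    for number, line in enumerate(log.splitlines(), start=1):
        masked, hits = mask_pans(line)
        sad = has_sensitive_auth_data(line)
        if hits or sad:
            findings.append((number, masked, sad))
    return findings


# Constructed sample log.  4111111111111111 and 5555 5555 5555 4444 are the
# well-known Visa and Mastercard test numbers; 1234567890123456 fails Luhn.
SAMPLE_LOG = """\
2021-06-01T10:14:02Z INFO checkout order=1234567890123456 amount=49.99
2021-06-01T10:14:03Z DEBUG gateway request pan=4111111111111111 exp=12/24
2021-06-01T10:14:03Z DEBUG gateway request pan=5555 5555 5555 4444 cvv=123
"""

if __name__ == "__main__":
    for number, line, sad in scan_log(SAMPLE_LOG):
        flag = "  <-- sensitive authentication data logged" if sad else ""
        print(f"line {number}: {line}{flag}")
```

Run it against real application or web-server logs to find PANs that should never have been written; the first line of the sample, a 16-digit order number, is correctly ignored because it fails the Luhn check, while the second and third are masked and the third is additionally flagged for the logged CVV.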
If you aren’t compliant and suffer a breach, the card brands can fine your acquiring bank, which will normally pass the fine (and the cost of investigating and remediating the breach) on to you under your merchant agreement.
For their part, the bank may:
Suffered a breach and want to carry on taking card payments? You’ll have to meet Level 1 validation requirements from then on, regardless of how many card transactions you process. Got fined and still can’t prove your compliance?
You may face further fines until you take the necessary steps to secure cardholder data. For larger firms, the fines can add up to as much as £80,000. That should be a clear indication of why you need to protect cardholder data.
PCI compliance is a standard rather than a law. It’s enforced through contracts between:
However, that doesn’t mean that you can relax about PCI DSS, or put it off until later. The consequences of non-compliance can be very serious, and can even endanger your entire business.
If you suffered a breach, you would lose trust. This includes trust from your bank and your customers. While you might be able to afford the fine, you might never get back your reputation. More importantly:
Nobody wants to be known as the firm that can’t be trusted to look after sensitive cardholder data.
To make things more interesting:
If cardholder data is lost or stolen, that is a personal data breach under the GDPR (General Data Protection Regulation), which covers consumers’ rights over their personal data, including payment data. If the breach resulted from inadequate security, it is also a breach of the GDPR’s security obligations. The penalties are severe:
Up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
Not all merchants have to meet the same validation requirements to comply with PCI DSS. There are 4 merchant levels: 1 (highest) to 4 (lowest).
The level you fall into depends on how many card transactions you process per year. The thresholds below are the ones most card brands use; each brand publishes its own, and your acquiring bank will confirm which level applies to you. For each level there are different validation tasks that you must carry out every year to stay compliant. The details are as follows.
For the meaning of terms and abbreviations used here, see the Glossary of Terms above.
Level 1
Transactions processed per year: 6M+ (or any number, if your cardholder data has previously been compromised)
Validation requirements: annual on-site assessment and Report on Compliance (RoC) by a QSA (or an ISA), quarterly external vulnerability scans by an ASV, and an Attestation of Compliance (AoC)
Level 2
Transactions processed per year: 1M-6M
Validation requirements: annual Self-Assessment Questionnaire (SAQ) and AoC, plus quarterly ASV scans where the SAQ type requires them; some card brands and acquirers require a QSA or ISA to sign off Level 2 SAQs
Level 3
Transactions processed per year: 20k-1M
Validation requirements: annual SAQ and AoC, plus quarterly ASV scans where the SAQ type requires them
Level 4
Transactions processed per year: under 20k
Validation requirements: annual SAQ and AoC, plus quarterly ASV scans where the SAQ type requires them; your acquirer decides how and whether these must be submitted
1. Determine Validation Level
Determine which level of validation you need to achieve. Base this on the number of transactions you plan to process within a year.
2. Gap Analysis
Carry out a gap analysis to work out what you need to do in order to become compliant. In other words:
3. Report on Compliance (RoC)
Do you need a Report on Compliance (RoC)? If you are a Level 1 merchant (or your acquirer asks for one), contact a QSA and ask them to carry out the assessment and prepare it for you.
4. Scan for Vulnerabilities
Do you need external vulnerability scans? Contact an ASV. A RoC always requires quarterly ASV scans of your internet-facing systems; whether an SAQ does depends on the SAQ type.
5. Self-Assessment Questionnaire (SAQ)
Do you need to complete an SAQ? There are 9 questionnaires available (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, D for merchants and D for service providers). Each one is aimed at businesses with a different payment setup; for example, SAQ A is for merchants who fully outsource all card handling to PCI DSS compliant third parties, while SAQ D is for everyone who does not fit one of the narrower categories. Work out which one applies to your business, download it from the PCI SSC website and complete it.
The cost of becoming PCI compliant varies depending on the level of validation you need. You may even be compliant with the standard already!
Or you may need to make some changes to the way you handle cardholder data and take payments. Most notably: PCI compliance is not just a one-off task.
You’ll probably have some recurring tasks that you need to keep performing to make sure you stay compliant. The main costs are likely to be:
On top of that: PCI needs careful management. It will take up some of your time as a manager, or that of your IT team.