What Role Does IT Play in PCI DSS Compliance?

Posted on Tuesday, November 16, 2021

The Payment Card Industry Data Security Standard, known as PCI DSS,  is an important security standard to control personal data and to limit fraud with bank and credit card payments. 

PCI DSS originated via a joint effort by leading payment brands in the United States including Mastercard, Visa and American Express. collaboration between the major payment brands. They set up the PCI Security Standards Council which oversees the regulation in order to enhance security for consumers.  

Compliance with PCI DSS

Any business that uses cardholder data has to comply with PCI DSS. This relates to any part of the card payment process including transmitting or storing cardholder data.

The most obvious example is a merchant business that takes debit and credit card payments. Even for merchants who use a third party to process their payments, the business itself still needs to follow the PCI DSS guidance and ensure it complies. 

So you may be thinning what happens if you do not comply with PCI DSS? 

While PCI DSS is not actually a law created by the government, the standard is written into all contracts between merchants, the payment processors and the banks making it a legal obligation to comply. 

Due to the contracts they agree payment processing brands can fine acquiring banks who fail to meet PCI DSS Standards. The acquiring banks can then also withdraw their services for accepting payments via car to merchants who fail to comply with PCI DSS. This makes it almost impossible for the merchant to do business unless they comply with PCI DSS. 

Protecting cardholder data is also part of GDPR which carries large fines when there is a breach. 

Benefits of PCI DSS compliance

The benefits to a merchant are that they maintain their reputation with customers, that they don’t lose money to fraudulent payments, and that they can continue to operate and work with payment providers and acquiring banks. 

PCI DSS standards are structured to work with different sizes of businesses so a small business with smaller sums of card transactions may have less work to do to become compliant than a larger business with bigger revenues.  

Compliance obligations can also be increased if an organisation suffers from a data breach.

What is the role of IT in PCI DSS? 

The requirements of PCI DSS are based on having secure IT systems and following good practices. Below are a few of the requirements included in PCI DSS. 

Secure networks 

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Cardholder data

  • Protect stored cardholder data. 
  • Encrypt transmission of cardholder data across open, public networks.

Vulnerability management 

  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

 Access control

  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Network monitoring

  • Track and monitor all access to network resources and cardholder data. 
  • Regularly test security systems and processes.

Security policies 

  • Maintain a policy that addresses information security for employees and contractors.

Types of PCI DSS compliance

To meet PCI DSS compliance merchants need to check the list of requirements for their size of business and ensure their cardholder environment meets these standards.

As we mentioned, your exact PCI DSS compliance requirements will vary depending on your business but it is generally classed on the volume of card transactions you process. 

For extra help ensuring your cardholder environment meets all the security standards required and to ensure you are following all the latest GDPR rules it is worth contacting an experienced IT support provider. 

 

About Mustard IT, your security partner

Mustard IT is a trusted team, experienced in security and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.