Breadcrumb

PCI DSS: Definition & Examples

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedSep 20212 min read

In an increasingly cashless commercial landscape, security standards need to be established for handling payment data. Standards that are uniform regardless of the payment card company, or the nation in which the transaction takes place. As such, Visa, MasterCard, Discover Financial Services, JCB International and American Express came together in 2004 to do just that.

The result was the Payment Card Industry Data Security Standard (PCI DSS). This is a standardised approach for securing and maintaining payment card data. Since its inception, PCI DSS has evolved to keep up with the changing nature of cybersecurity threats. Though the PCI SSC has no authority to force compliance, it is generally recognised as a useful set of guidelines for best practice. As such, businesses benefit from getting to know the rules around PCI DSS to ensure secure card payments online and on-site.

What are the PCI DSS Requirements?

There are 12 requirements that make up the DCI PSS standard. These are broken down into the following categories:

Build and maintain a secure network and systems- Businesses must install and maintain a firewall configuration, and system passwords must be original
Protect cardholder data- Cardholder data must be encrypted when transmitted over public networks. Stored cardholder data must be protected
Maintain a vulnerability management program- Businesses must develop and maintain secure systems. Anti-virus software must be used and updated regularly
Implement strong access control measures- Physical access to card data must be restricted, and each staff member with system access needs their own unique ID
Regularly monitor and test networks- Access to cardholder data must be constantly monitored and tracked, with regular testing of security processes and systems
Maintain an information security policy- Your security policy must be strictly maintained throughout your daily operations. This includes swift responses to security issues, assigning responsibilities to staff members and screening new candidates

Understanding PCI DSS Compliance levels

Now we know a little about how to incorporate PCI DSS best practice into our business operations. But what does compliance look like in real terms?

There are 4 compliance levels for businesses. The level that applies to you will depend on how many transactions you undertake per year. Fortunately, compliance is fairly straightforward for all but the biggest businesses. Let’s take a closer look:

Level 4

Level 4 compliance applies to merchants that process less than 20,000 e-commerce transactions per year, or up to one million on-site transactions. An annual assessment is required. However, this is fairly easy to manage, taking the form of a Self Assessment Questionnaire (SAQ). In some cases, a quarterly PCI scan may also be required. This must be carried out by an Approved Scanning Vendor (ASV).

Level 3

Level 3 compliance applies to merchants that process anywhere from 20,000 to one million e-commerce transactions per year. They must also complete a yearly assessment with a slightly different SAQ. Again, they may also have to undertake a quarterly PCI scan.

Level 2

Level 2 compliance is for merchants processing 1-6 million credit or debit card transactions on-site per year. They are also required to complete an annual assessment using a relevant SAQ for their level. A quarterly PCI scan may also be required.

Level 1

Finally, level 1 compliance applies to merchants processing more than six million credit or debit card transactions annually on-site. Compliance is more rigorous for these large businesses. They must undergo an annual audit by an authorised PCI auditor. A quarterly PCI scan is also mandatory for businesses at this level.

For more information on PCI DSS compliance, be sure to take a look at our comprehensive compliance checklist here.

We can help

If you’re interested in finding out more about the Payment Card Industry Data Security Standard and how to ensure compliance for your business, then get in touch with our financial experts. Discover how GoCardless can help you with ad hoc payments or recurring payments.