What is the Payment Card Industry Data Security Standard (PCI DSS)?


A - The PCI Data Security Standard is an alignment of Visa's Account Information Security (AIS) and MasterCard's Site Data Protection (SDP) programmes. It is a global standard for the protection of cardholder account data across all parties in the card payment chain, which includes acquirers, third-party processors and merchants.


Why has this standard been introduced?


A - The card payment industry is concerned about the increasing incidence of theft of cardholder account data. These thefts have resulted in fraud losses and unanticipated operational expenses for merchants and financial institutions, and significant inconvenience to cardholders.


How does PCI DSS apply to me?


A - PCI DSS applies to all entities that store, process or transmit cardholder data. The standard covers paper-based (manual) processing and storage of cardholder data as well as electronic processing and storage.
PCI DSS compliance applies to a merchant's overall environment, including any third parties used by the merchant that store, process or transmit cardholder data on the merchant's behalf. These third parties may include the following:


- Till and EPOS vendors
- Software Application Providers
- Payment Service Providers
- Data Storage Providers
- Web Hosting Providers
- Shopping Cart Providers
- Software Vendors


What do I have to do to become compliant?


A - According to your merchant level you will either have to complete an annual Self Assessment Questionnaire (SAQ) or undergo an annual on-site security assessment. The SAQ is primarily aimed at small to medium businesses as the means of demonstrating compliance. On-site assessments have to be carried out and validated by an approved Qualified Security Assessor (QSA).
In addition, if you have an e-commerce presence, you may have to undergo quarterly external network vulnerability scans, which have to be performed and validated by an Approved Scanning Vendor (ASV).


Where can I find more information about this Standard?


A - Our PCI DSS Compliance Management Service at lloydstsbcardnetpcidss.com, or the dedicated PCI Security Standards Council website.


How do I know which Self Assessment Questionnaire (SAQ) applies to me?


A - The type of questionnaire you will need to complete depends on how you take payments: for example, whether your business uses a hosted payment page provided by your third-party payment service provider (PSP) to accept card payments, or whether you store cardholder data on your own systems. Once you have received your introductory letter and log-on credentials, you will be able to enrol on our PCI DSS Compliance Management Service at lloydstsbcardnetpcidss.com. The online portal helps you to understand which requirements are appropriate to your business and guides you through your self assessment step by step, providing support and help at every stage.


This is the first time I have heard about this; how does this affect me?


A - Lloyds TSB Cardnet has previously communicated with all its merchants via statement messages and statement inserts over the last few years, and high-level detail is in our Operating Manual. Merchants within the Card Scheme defined levels 1 and 2 (merchants processing in excess of 1 million Visa or MasterCard transactions annually) and level 3 (more than 20,000 Visa or MasterCard e-commerce transactions annually) have already been contacted, and we are liaising with these merchants individually.


What risk is my business exposed to by not complying with PCI DSS?


A - Failure to comply may lead to financial penalties from the card schemes, or to withdrawal of your card acceptance facility. More importantly, by implementing and maintaining compliance with these requirements you will be taking an important step towards protecting your customers' information from potential hacking and fraud.


What should I do if I suspect compromise of cardholder information?


A - In the event that card transaction data is accessed or retrieved by any unauthorised entity, please notify us immediately by calling the Cardnet Helpline on 01268 567100. This will not only minimise the risk to the payment system but, more importantly, protect your customers. Systems and procedures are in place to immediately stop the unauthorised use of compromised data, but they are effective only when you do your part and promptly report a security incident.