PCI Frequently asked questions
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements, covering people, processes, and technology, all designed to protect cardholder data, combat fraud and reduce business data breaches.
It was first introduced in 2004 by the PCI Security Standards Council, a body founded by the five major card brands – American Express, Discover Financial Services, JCB International, Mastercard and Visa.
Who does PCI DSS apply to?
Any entity that stores, processes or transmits cardholder data is subject to PCI DSS, including businesses, processors, acquirers, issuers, and other service providers.
Why is PCI DSS important?
Taking a proactive approach to data security is important for many reasons, including:
- Protecting cardholder data - PCI DSS compliance helps protect the cardholder data that your customers share with you, and with your third-party suppliers, during payment or for management. As a business that handles this data, it's your responsibility to ensure it is kept safe and secure.
- Boosting customer trust - give your customers the confidence that their sensitive cardholder data is important to you and you've got measures in place that will protect their personal information.
- Reducing the chances of a data breach - by implementing the security measures listed within the standard, you can strengthen your payment processing controls, which will help reduce the risk of a data breach and avoid the costs associated with dealing with one.
- Avoiding penalties and legal issues - complying with PCI DSS means you’re meeting regulatory requirements and this will help keep you away from non-compliance penalties, as well as reputational damage.
How do I show I’m compliant with PCI DSS?
You need to carry out an audit, or assessment, of your cardholder data environment (CDE) and complete a set of validation documents, such as the Self-Assessment Questionnaire (SAQ), which need to be submitted to your acquirer for reporting.
An audit involves determining your scope, such as identifying all locations and flows of payment data, as well as any systems that are connected to (or, if compromised, could impact) your CDE, and then reviewing this information against the applicable PCI controls to ensure they’re being met. Whoever carries out the assessment will then mark which controls are being met in the validation documents.
What documentation is required?
Validation requirements are set by the card brands and businesses are categorised into different levels depending on annual transaction volumes. These levels are:
- Level 1: Over 1 million transactions across all payment channels
- Level 2: Between 1 and 6 million transactions across all payment channels
- Level 3: Under 1 million transactions, but over 20,000 ecommerce transactions
- Level 4: Under 1 million transactions across all payment channels and fewer than 20,000 ecommerce transactions
If your annual volume is below the 1 million threshold, i.e. you’re a level 3 or level 4 business, then you’re permitted to self-assess your CDE and complete an SAQ.
Alternatively, you can choose to use a Qualified Security Assessor (QSA) who will independently audit your CDE and produce a detailed Report on Compliance and accompanying Attestation of Compliance. Businesses with higher volumes must use a QSA.
I use secure technology and/or outsource my payment processing - do I still need to validate PCI compliance?
Yes, because PCI DSS covers people and processes, as well as technology.
If you're the merchant of record for any transactions, i.e. the entity a cardholder will see on their statement after making a payment, you’re responsible for ensuring the payments are secure - irrespective of how they’re taken.
Who are SecurityMetrics and what do they have to do with PCI Compliance?
SecurityMetrics is a security solutions provider and QSA company that we’ve partnered with to provide Global Fortress, a service available to our level 3 and level 4 customers to assist them with PCI compliance and the validation process. Services include access to a PCI portal and a customer support team available 24/7/365.
If you’re eligible for this service, once you’ve taken your first transaction, we’ll send a letter to remind you of your PCI obligations. We’ll also send you instructions on how to engage with SecurityMetrics and enrol on the service, as well as information on the fees you’ll incur for missing the associated deadline.
SecurityMetrics will also send you email communications to keep you updated with important information.
How do I use Global Fortress?
Once you’ve enrolled on the Global Fortress service, you can call SecurityMetrics who will ask you some questions about your payment processing methods so they can determine the SAQ most appropriate to your business; this is called scoping. They will then discuss the PCI requirements relevant to the SAQ and you’ll be asked to confirm your adherence to each of them. You can also visit their portal and go through this process yourself.
Following the validation, your completed SAQ, and any other relevant documentation, such as certificates, will be saved in the portal for you to refer to and download if and when you need to.
What are scans and do they apply to me?
PCI scanning tests for external and internal vulnerabilities in your network and operating systems to ensure all cardholder data remains protected throughout the payment processing journey. The scans look at external-facing devices connected to the internet such as websites, firewalls, routers, servers and embedded links to identify any vulnerabilities that need addressing.
As external networks are at greater risk of cyber crime, some SAQs have the requirement to perform quarterly external vulnerability scans that must be carried out by an Approved Scanning Vendor.
We can’t advise on whether scanning applies to your environment. If you need help with this, or scoping, you should speak to a QSA.
If you’re eligible for Global Fortress, scanning requirements will be a part of the SAQ that’s identified to be most appropriate to your environment.
How often do I need to complete my PCI compliance?
Businesses are required to complete a PCI validation annually. If scanning is applicable to your environment, you’ll also need to ensure scans are carried out, and passed, every quarter to remain compliant.
What’s the alternative to Global Fortress?
If you’re eligible for Global Fortress but you’d prefer to carry out your own PCI assessment, or use an alternative QSA, please let us know as soon as possible. You’ll need to provide us with your full set of validation documents to prove your compliance so that we can report this back to the card brands.
You can email your documents to [email protected] or post these to:
PCI DSS Compliance Programme
Global Payments
Granite House, Granite Way
Syston, Leicester
LE7 1PL
If you enrol for Global Fortress, your compliance with PCI DSS will automatically be reported to us, so you don’t need to provide us with your completed documentation.
What are PCI non-compliance charges and how much are they?
If you’re unable to prove your business is PCI compliant, you’ll be charged non-compliance fees to reflect the added risk involved in taking unsecured non-compliant payments. These charges are either £0.15 per transaction or £75 per MID per month, whichever is greater, and this will be charged one month in arrears.
Will the PCI non-compliance fees be refunded once I become compliant?
No, the charges apply for the period you were non-compliant. As soon as you can prove compliance, you’ll stop incurring further fees.
Do other acquirers charge PCI non-compliance charges?
Yes, this is a common practice in the industry to reflect the added risk involved in accepting unsecured and non-compliant payments.
Who can I speak to if I have any questions?
Please contact your Customer Success Manager, email [email protected] or call us on 0345 702 3344*. If you’ve signed up for Global Fortress, you can call SecurityMetrics on 0203 014 7829.
*Lines are open from 9am to 6pm, Monday to Friday, except public holidays. If you have a speech or hearing impairment, you can call us using the Relay Service by dialling 18001 followed by 0345 702 3344*. Calls may be recorded. To help us continually improve on our service and in the interests of security, we may monitor and/or record your telephone calls with us. Any recordings remain our sole property.