PCI DSS Beginner’s guide
What is PCI DSS?
The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of requirements that explain how to protect you and your customers when taking payments. These are industry-wide requirements, and so any supplier that takes payments for you will expect you to take the PCI DSS seriously.
When you take card payments, your customers are trusting you with their valuable details and assume you’re keeping them out of the hands of fraudsters. Meeting the requirements of the PCI DSS can help you do just that.
What happens if I don’t meet the PCI DSS?
When you first start taking payments, you’ll have 90 days before you need to meet the requirements of the PCI DSS. After that, you’ll need to keep meeting the requirements and show you’re doing so at least once a year.
If you can’t prove that you’re protecting your customers’ cardholder data, the results could be serious for both you and your customers, such as:
- financial penalties and charges
- damage to your business’ reputation and loss of customer trust
- money stolen from your customers
- your customers’ identities stolen
How do I meet the requirements of the PCI DSS?
Unfortunately, there’s no straightforward answer to this. Meeting the requirements of the PCI DSS depends on how complex your business is, and the data security measures you already have in place. In fact, you may already be meeting the requirements and not realise it.
Meeting the requirements isn’t just a one-off task – you’ll need to take measures regularly to make sure you’re still meeting the rules.
Fraudsters are known to target the weakest businesses, regardless of whether they are large corporations or small local businesses. The easiest targets are those who aren’t meeting the PCI DSS, so it makes sense that adopting the requirements will put you in a stronger position to prevent attacks.
Every business is different, but here are some examples to give you an idea of what’s involved:
Example 1: Sharon’s corner shop – a simple payment system
Set up
Risks / threats
Solution (meeting the PCI DSS)
• Make sure you destroy any till receipts that customers leave behind
• Don’t forget to lock away your till receipts
• Keep a close eye on your card machines. Inspect for unusual damage or changes. And make sure you install the security updates provided by your vendor (if your machine comes from Barclaycard, simply leave it powered on overnight so it can perform the monthly ‘maintenance call’)
• Keep till receipts locked in a safe environment, and make sure you remove any cardholder data which you don’t need, such as the long card number
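As an added illustration of the last point (removing the long card number from receipts you keep), not taken from the guide: a small Python routine that finds full card numbers in receipt text, confirms them with the Luhn check so that order references and phone numbers are left alone, and masks all but the last four digits before the receipt is filed. The sample receipt and its card number are constructed test values, not real data.

```python
import re

# Constructed sample till receipt; the card number is a standard test value
SAMPLE_RECEIPT = """SHARON'S CORNER SHOP
Milk 2L                      1.20
Bread                        0.95
TOTAL                        2.15
CARD: 4111 1111 1111 1111  EXP 09/27
AUTH 123456
Thank you for shopping with us
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_match(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # not a card number (e.g. an order reference): leave it
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_receipt(text: str) -> str:
    """Return the receipt text with every full card number masked to its last four digits."""
    return PAN_RE.sub(_mask_match, text)


def contains_pan(text: str) -> bool:
    """Check to run before filing a receipt: does it still hold a full card number?"""
    return any(luhn_valid(re.sub(r"[ -]", "", m)) for m in PAN_RE.findall(text))


if __name__ == "__main__":
    print(redact_receipt(SAMPLE_RECEIPT))
```

Run the check on anything you intend to store; a receipt that still fails `contains_pan` should not be kept, and the masked copy drops the spaces so the surviving four digits cannot be mistaken for a full number.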
Example 2: a more complex system
Set up
• Gareth has his own website
• When customers check out, they’re sent to a payment page, which is run by a third-party provider
• This third party processes the payment, then sends an authorisation back to Gareth’s web servers to confirm payment
• No cardholder data is ever held on Gareth’s servers
Risks / threats
• If Gareth’s website has poor security such as easy-to-guess passwords, hackers could get his cardholder data, even though Gareth doesn’t intend having any customer data on his servers in the first place
• Fraudsters could get his cardholder data by hacking into the servers of his third-party providers
Solution (meeting the PCI DSS):
• Use strong, hard-to-guess passwords
• Install the latest security patches from your vendors, such as your website hosting company
• Install anti-virus software on computers and keep the software up to date
• Choose third-party providers that meet the PCI DSS
• Ask your technology suppliers for help if you need it
Getting assessed for meeting the requirements of the PCI DSS
Again, every organisation is set up differently and therefore needs to be judged on an individual basis. What you’ll need to do to meet the requirements depends on the kinds of security risks that your business faces.
Many small- and medium-sized businesses can prove they meet the requirements of the PCI DSS by filling out a Self-Assessment Questionnaire. At Barclaycard, we provide a portal called Data Security Manager to help our customers with this process.
You can also choose to have an official Qualified Security Assessor examine how you take payments, but this usually applies to larger organisations due to the costs and level of transactions involved.
If you’d like more detail about meeting the requirements of the PCI DSS, visit our help & support page.
Are there any costs in meeting the requirements of the PCI DSS?
There may or may not be costs involved in meeting the requirements of the PCI DSS; it depends on how complex your setup is, for example the security measures you have now and how much you need to change them to meet the requirements.
There are four types of PCI DSS costs you may have to pay:
• PCI DSS validation costs, such as assessment fees or support fees
• technology upgrades, such as anti-virus software for your work computers or mobile devices
• keeping to the requirements of the PCI DSS, such as training staff on PCI DSS procedures
• miscellaneous costs, such as buying a paper shredder
For more detail on PCI DSS costs, please visit our help & support page.
Now you’re clued up on PCI DSS, you might want to read our other introductory guides on payment security: the beginner’s guide to fraud, and the beginner’s guide to chargebacks.
Or for more in-depth info on PCI DSS, visit our PCI DSS help & support page.