What is PSD2 and how does it affect your business?
Helen Huyton, Merchant Data Security Analyst at Adyen dives into the not-so-scary world of PCI DSS compliance.
Disclaimer: This article should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions.
As the population increases, so does the amount of data that’s processed every day. In the last few years alone, over 90% of the data in the world was generated. And it’s only going to increase.
According to PCI SSC, the average total cost of a data breach is $3.8 million, which is a compelling reason to avoid one if you possibly can. And, while it can be hard to stay on top of compliance requirements, poor handling of payment card details can have serious implications.
In this article, we’ll explore what we’ve learned over the years in helping businesses stay on the right side of PCI DSS. And we’ll outline the steps you can take to build a sustainable, secure business.
PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of Mastercard, Visa, American Express, JCB, and Discover.
PCI DSS has six core principles:
The PCI DSS requirements applicable to you will depend on your compliance level (explained below) and your integration type. But, broadly speaking, there are 12 PCI compliance requirements:
Every business accepting credit card payments has to comply with PCI DSS. Even though PCI DSS is not part of any law, the standard is applied around the world. And there are some pretty significant penalties and costs for organisations that don’t comply with the requirements. On top of that, there’s a chance card networks will significantly lower or eliminate PCI fines if you can prove you’ve taken all the necessary steps to be PCI DSS compliant.
Your PCI scope will depend on your compliance level, which is assigned based on your annual card transaction volume. There are four levels:
Level 1: This is the highest security level. You're here because you process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express transactions, because you've experienced a data breach, or because a card network has seen fit to categorise you as Level 1.
Level 2: You process between 1–6 million transactions each year.
Level 3: You process between 20,000–1 million online transactions or less than one million in total each year.
Level 4: You process less than 20,000 online transactions or less than one million in total each year.
To become PCI compliant, you will have to implement the requirements that are applicable to your compliance level. And fill in a form or two. The most common form is the ‘Self-Assessment Questionnaire A’ or ‘SAQ A’.
The SAQ A is intended as a tool to help you assess which requirements you need to implement. The fundamentals of the assessment consist of three security best practices:
In addition to the basics above, here’s a breakdown of the steps you need to take to ensure you’re PCI compliant.
1. Map the flow of cardholder data: Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.
2. Scope your environment: The scope is the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD). More information can be found here.
3. Make an assessment: Assess your current level of PCI compliance according to an SAQ A. The person completing the assessment should have sufficient knowledge to be able to assess the environment.
4. Make any necessary changes: You may realise your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.
5. Fill out the Self-Assessment Questionnaire (SAQ) A: This form should be completed and signed by a professional qualified to sign off on security related matters. This might be your Chief Security Officer or Chief Technology Officer.
6. Submit documents to your Payments Service Provider (PSP): Once you’ve completed your forms, you can submit them to your PSP (such as Adyen).
7. Setup regular monitoring: Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event, but a continuous, ongoing process.
Note: Sometimes your payment page may be overlooked
If an attacker gains unauthorised access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker. The risks associated with this integration can be significantly reduced by implementing the requirements as outlined in the SAQ A.
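One defensive check for the "IFrame over the existing IFrame" case described above, added here as an example and not Adyen's own Drop-in or Components code: it treats every element whose origin is not on an explicit allowlist and whose box overlaps the payment frame as a candidate overlay to report to your monitoring. The selector, origins and boxes are constructed placeholders; `snapshotFromDocument` is the browser-side collector, while `findOverlays` is pure so it can run anywhere.

```javascript
// Axis-aligned overlap test on {left, top, right, bottom} boxes.
// Strict comparisons mean a zero-size (hidden) box never counts as overlapping.
function overlaps(a, b) {
  return a.left < b.right && b.left < a.right &&
         a.top < b.bottom && b.top < a.bottom;
}

// Elements are {id, origin, rect}. Anything not from a trusted origin that
// covers any part of the payment frame is returned for alerting.
function findOverlays(paymentFrame, elements, trustedOrigins) {
  return elements.filter((el) =>
    el.id !== paymentFrame.id &&
    !trustedOrigins.includes(el.origin) &&
    overlaps(el.rect, paymentFrame.rect));
}

// Browser-only helper (assumed usage): collect every iframe's origin and box.
function snapshotFromDocument(doc) {
  return Array.from(doc.querySelectorAll("iframe")).map((frame, i) => {
    const r = frame.getBoundingClientRect();
    let origin = "unknown"; // e.g. srcdoc frames have no resolvable origin
    try { origin = new URL(frame.src, doc.baseURI).origin; } catch (e) {}
    return {
      id: frame.id || `iframe-${i}`,
      origin,
      rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom },
    };
  });
}

// Constructed sample: trusted payment frame, an unrelated chat widget, and
// an injected frame from an unknown origin sitting exactly over the payment box.
const TRUSTED_ORIGINS = ["https://pay.example"]; // placeholder, not a real host
const SAMPLE_PAYMENT_FRAME = {
  id: "payment-frame", origin: "https://pay.example",
  rect: { left: 100, top: 200, right: 500, bottom: 400 },
};
const SAMPLE_ELEMENTS = [
  SAMPLE_PAYMENT_FRAME,
  { id: "chat-widget", origin: "https://chat.example",
    rect: { left: 900, top: 600, right: 1000, bottom: 700 } },
  { id: "injected", origin: "https://attacker.example",
    rect: { left: 100, top: 200, right: 500, bottom: 400 } },
];

function runSample() {
  return findOverlays(SAMPLE_PAYMENT_FRAME, SAMPLE_ELEMENTS, TRUSTED_ORIGINS)
    .map((el) => el.id);
}
```

In a live page you would call `findOverlays(paymentFrame, snapshotFromDocument(document), TRUSTED_ORIGINS)` periodically and send any non-empty result to your monitoring, which supports the ongoing monitoring step rather than replacing the SAQ A requirements.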
The latest version, PCI DSS 4.0, was introduced in March 2022. The 12 core PCI DSS requirements remain fundamentally the same, but 4.0 also expands requirements in developing security and technology areas such as mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.
To guide the creation of version 4.0, the PCI Security Standards Council agreed four objectives:
PCI DSS 4.0 is designed to ensure account data is properly protected and that businesses are clear on their responsibilities in making that happen. It will also ensure the standard is aligned with the latest changes in the security landscape, expanding requirements into a few new areas, and providing clearer guidance for businesses to follow.
As always, we’re ahead of every update to compliance standards around the world, and work closely with all parties involved to ensure a more secure payments space for everyone.
About the author: Helen Huyton guides merchants on PCI DSS related topics, with expertise in the risks involved per integration, how to mitigate those risks, and which validation documentation is required in order to be PCI compliant.