PCI DSS – Preparing For Change
One of the things that Covid had an enormous impact on was retailers’ attitudes to credit and debit card payments. The fear of handling infected cash seemingly overnight transformed retailers who pre-Covid had minimum spend rules on card payments and/or simply did not take card payments. When I recently purchased a £1.00 item of stationery, the preferred payment was by card whereas a couple of years ago, I would have had to spend more than £5.00 to be able to pay by card. An 80p bag of crisps at my local can also now be paid for by card.
What is the PCI DSS?
Anyone who stores, processes, and/or transmits cardholder data must comply with a set of rules by the Payment Card Industry Data Security Standard Council. These rules were initiated in 2004 by the major card brands (i.e., American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc) and the purpose was to increase controls around cardholder data to reduce credit card fraud. The underlying motive was that card brands underwrote fraudulent losses, meaning that if a card is stolen and misused, the cardholder would have those funds reimbursed. Ultimately, someone was paying for these fraudulent activities.
Since 2004 the Standard (as we shall refer to it) has evolved to meet changes in the risk and threat landscape and in the controls and technologies available. Those old enough to cast their minds back to the early 2000s will recognise the enormity of the changes to things like e-commerce, software as a service, and techniques for identity verification and authentication. The PCI DSS has changed periodically to address these changes.
In March 2022 version 4.0 of the PCI DSS was published. The latest version of the Standard incorporates a substantial number of changes from the current version 3.2.1 and every Merchant and Service Provider (in the world) who takes card payments will be required to comply with version 4.0 from 31st March 2025. More of that later, but to start with, I would like to ensure that everyone is on the same level of understanding about the PCI DSS and how it works.
One of the big questions that I am often asked is how anyone knows whether a merchant is compliant or not. To answer this question, we need to look at what the PCI DSS actually is and who is responsible for what within the Payment Card Industry.
The PCI DSS is a standard – a set of rules, requirements, and obligations. It is not the law in the UK (United Kingdom) and therefore not complying with the PCI DSS is not against the law. What makes it binding for retailers is that they enter a contract with their bank(s) regarding card payments. It is a contractual requirement for a retailer (or “merchant” to use PCI DSS parlance) to comply with the PCI DSS. This means that if a merchant does not comply, it is the banks who impose sanctions, not the courts, and those sanctions may include fines, increased fees, charges, or even a termination of the contract.
The PCI DSS is one of a series of standards administered by the Payment Card Industry Security Standards Council (the PCI SSC). Other standards administered by the PCI SSC which regulate the payment card industry cover card production, development of software and the like. This web of standards is designed to facilitate card payments whilst reducing fraud.
So, to cut a long story short, it is the banks who are responsible for ensuring that retailers taking card payments are PCI compliant.
What is an AOC (Attestation of Compliance)?
All merchants (and service providers) must undertake an annual assessment and attest whether or not they are compliant. I.e., they must send a statement (an attestation of compliance, or AOC) to their bank, signed by a senior officer of the organisation, attesting that they are compliant, having first carried out a compliance assessment.
The actual compliance assessment is extremely strict and prescriptive and involves testing that all the controls the PCI DSS requires are in place and effective. To give you some idea of the prescriptive nature of the PCI DSS, one of the requirements is that all computing devices used in, connected to or able to influence the cardholder data environment must have a defined method of synchronising time. I.e., all computers, firewalls, switches, servers etc. must have their time set by a common source. An assessor, whether internal or external, is required to examine system configurations to verify that the time server(s) accept time updates only from specific, industry-accepted external sources. Frequently this is a setting in the firmware of a device, and the assessor must examine a representative sample of devices to reliably attest that the control (10.4.1) is in place. And because we are talking about a formal assessment, the assessor must retain evidence of the tests they undertake and of compliance. In the case above the evidence typically consists of screenshots of the configuration and of the time settings on devices.
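As an added illustration of the 10.4.1 check described above (example code written for this article, not part of the Standard or its assessment procedures), the script below parses a constructed chrony/ntpd-style time configuration and reports whether every upstream source is on an approved allowlist, producing the kind of per-source evidence record an assessor would keep alongside the configuration screenshots. The allowlist, hostnames and sample file are all constructed.

```python
import re

# Constructed allowlist of industry-accepted external time sources the
# organisation has approved (example values, not from the article).
APPROVED_SOURCES = {"time.nist.gov", "0.pool.ntp.org", "1.pool.ntp.org"}

# Constructed sample chrony.conf from a hypothetical time server.
SAMPLE_CONFIG = """\
server time.nist.gov iburst
pool 0.pool.ntp.org iburst
server 203.0.113.7 iburst   # ad-hoc source that was never approved
allow 10.0.0.0/8
driftfile /var/lib/chrony/drift
"""

# Directives that name an upstream time source in chrony/ntpd syntax.
SOURCE_DIRECTIVE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def parse_time_sources(config_text):
    """Return (directive, host) pairs, ignoring comments and other directives."""
    sources = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = SOURCE_DIRECTIVE.match(line)
        if m:
            sources.append((m.group(1).lower(), m.group(2)))
    return sources


def assess_time_sources(config_text, approved=APPROVED_SOURCES):
    """Compare configured sources with the allowlist.

    Returns (compliant, findings). Compliant is True only when at least one
    source exists and every source is approved; findings is the per-source
    evidence record an assessor would retain with the configuration screenshot.
    """
    sources = parse_time_sources(config_text)
    findings = [f"{d} {h}: {'approved' if h in approved else 'NOT APPROVED'}"
                for d, h in sources]
    if not sources:
        findings.append("no time sources configured")
    compliant = bool(sources) and all(h in approved for _, h in sources)
    return compliant, findings


if __name__ == "__main__":
    ok, evidence = assess_time_sources(SAMPLE_CONFIG)
    print("10.4.1 time-source check:", "PASS" if ok else "FAIL")
    print("\n".join(evidence))
```

Run against the sample, the check fails because of the unapproved third source; the same function applied to the real configuration of each sampled device gives the assessor a consistent record to file with the screenshots.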
What is an SAQ (Self-Assessment Questionnaire)?
There are two methods of carrying out a compliance assessment, and which one applies is determined by the number of transactions a Merchant/Service Provider takes each year. Merchants/Service Providers taking few card payments can carry out a self-assessment via a self-assessment questionnaire (SAQ), but those taking many card payments, and those deemed to be an elevated risk (e.g., those who have had instances of fraud), are required to have a formal independent assessment carried out by a qualified security assessor (QSA). The QSA must complete and submit a report on compliance (ROC) following their assessment and countersign the AOC (Attestation of Compliance).
What are the levels in the PCI DSS?
To give you some idea of what is considered a high or a low number of transactions, the PCI DSS categorises merchants into four levels. Level four merchants process fewer than 20,000 transactions per year; level three merchants between 20k and 1 million; level two between 1 million and 6 million; and level one merchants more than 6 million transactions per year. Note that there may be variations in the categorisations by different card brands.
In general, level three and four merchants are considered lower risk and therefore usually self-assess; level one merchants must have a QSA assessment; and the situation for level two merchants seems to vary, with some requiring a QSA and others being able to submit a self-assessment questionnaire (SAQ), depending on the demands of the acquiring bank.
So, back to the question: how does anyone know if a merchant is compliant? The banks police compliance and require their retail customers to carry out a compliance assessment every year via an SAQ or a ROC and submit an AOC.
Why are there different SAQs (Self-Assessment Questionnaires)?
The PCI DSS comprises over 251 separate requirements. These are grouped into 6 high-level requirements:
1. Build and maintain a secure network and systems
2. Protect account data (cardholder data in v3.2.1)
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
If you would like support with PCI, Phil Brining is our resident QSA and can support you with anything related to the PCI DSS.