
Security Developments in the Card Payments Industry

Payment Card Industry Data Security Standards (PCI DSS)

In today’s retail environment, card data security has become important for every type of business that accepts card payments. Payment card industry standards now set out how shops and retailers must protect card data. Every shop or merchant that accepts card payments, whether face-to-face or in a card-not-present environment, must secure all card information in accordance with these global industry standards. By following these industry-wide procedures, retailers will:
  • Protect their customers' payment information
  • Boost customer confidence through a higher level of data security
  • Prevent financial losses and customer dispute costs
  • Maintain customer trust and safeguard the reputation of the company brand
  • Provide a complete ‘health check’ for any business that stores or transmits customer information
  • Avoid penalties or fines in the event of a compromise such as a data hack or theft
The industry standards are called Payment Card Industry Data Security Standards, or PCI DSS.


What is PCI DSS?

The Payment Card Industry Data Security Standards (PCI DSS) are global information security standards which include a set of comprehensive requirements for enhancing payment account data security. They were developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard, Visa and American Express, to help facilitate the broad adoption of consistent data security measures on a global basis.

PCI DSS include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The comprehensive standards are intended to help organisations proactively protect customer account data.

Requirements for all organisations that accept card payments

The PCI DSS include 12 key requirements for organisations that accept or process card payments. These are:
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for passwords or other security parameters
  3. Protect stored data
  4. Encrypt the transmission of cardholder data and sensitive information
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security


These requirements apply to all organisations that store, transmit or process payment card data.


All acquiring processors are responsible for their merchants' compliance with these standards and are required to report regularly to the relevant members of the PCI SSC (i.e. the card schemes). Merchants that have not completed PCI DSS compliance validation need to agree a plan for doing so with their acquirers and to update them regularly on progress.

All merchants, regardless of their size, are required to comply with PCI DSS. Some of the card schemes have produced simple guidelines for small merchants. For more information shops and retailers should contact their acquiring processor.


For further information on PCI DSS please visit the website of the PCI Security Standards Council. 

3D Secure (Verified by Visa and MasterCard SecureCode)

3D Secure is the collective name given to a security system for Internet transactions developed by Visa (called Verified by Visa) and MasterCard (called MasterCard SecureCode). The security measures provide a more secure approach to credit and debit card transactions over the Internet. For merchants, signing up to Verified by Visa and MasterCard SecureCode enhances the security of Internet payments, which helps protect against losses due to chargebacks.

For further information visit www.SafeCard.ie or contact your bank or card processor.


Card Security Code

The card payment industry developed Card Security Code (CSC) to help prevent fraud on Card Not Present (CNP) transactions. For most payment cards this is the three digit number printed on or just below the signature panel on the back of the card. For AMEX, this is a four digit number on the front of the card. The CSC is used in a CNP environment to help verify that customers have the card in their possession.

CSC is used to stop fraud attempts when a criminal obtains a card number and a valid expiry date and tries to shop using just these details. CSC has helped many merchants reduce their CNP fraud and customer disputes and chargebacks.


If a customer cannot provide the CSC, it is advisable not to proceed with the sale.


Chip and PIN

As well as dramatically reducing retailers’ exposure to card fraud at the point of sale, Chip and PIN provides many other significant benefits for businesses that accept card payments, namely:
  • Keying in a PIN is faster than the signature process
  • Costs associated with card fraud are reduced
  • There are fewer customer disputes and chargebacks
  • Retailers are no longer required to store receipts for Chip and PIN transactions (contact acquiring processors for more details)
  • The use of Chip and PIN shifts the onus of identifying the cardholder away from shop staff who no longer have to check signatures against those on the card

Most shops rent their point of sale terminals, which have been upgraded to Chip and PIN, from their bank or card processor. Shops that own their own integrated point of sale tills are required to ensure that their tills comply with the international Chip and PIN technical standards. Criminals are known to target shops that have not updated their tills with the secure technology.


5th Floor, Nassau House, Nassau Street, Dublin 2 
T: +353 1 6636740 F: +353 1 2843409 E: info@ipso.ie
Company Registration Number: 267239

Copyright IPSO ©