Data Protection

PCI DSS protection

PCI DSS applies to the processing and storage of all customer cardholder data.

What is PCI DSS?

Whenever customers pay by card face-to-face, online or over the phone, they’re trusting that systems are secure. At the same time, we also trust that customers aren’t fraudsters in disguise.


So, to minimise the chance of fraud, the Card Schemes (Visa, Mastercard, Discover, American Express and JCB) came together and created the Payment Card Industry Data Security Standard, known as PCI DSS.

The PCI DSS lists a set of requirements that each business needs to follow. The level of security needed depends on the size of the business and how it operates. Once a business meets the requirements relevant to its specific set-up, it is deemed ‘compliant’ with PCI DSS.

Every business taking card payments is required to have a yearly PCI DSS compliance assessment to ensure they’re still protecting cardholder data to the highest standard.

For example, think of PCI DSS compliance like a car’s yearly MOT. The car needs its MOT renewing every year by a qualified assessor. The assessor identifies any problems that need fixing to a certain standard before they officially authorise the vehicle for use.

The PCI DSS is updated regularly by the Payment Card Industry Security Standards Council.  Visit the PCI Security Standards Council website for the most up to date information and version of the Standard.

What if a third party supplier handles our customers’ data?

The PCI DSS covers the entire trading environment, end-to-end. So, it’s not just our systems which must be compliant, but also the systems of any third party suppliers that store, process or transmit our customers’ cardholder data.

So, when choosing a supplier, it is important to make sure they’re certified PCI DSS compliant.

Why is PCI DSS compliance important?

Anyone who takes card payments has a responsibility to comply with PCI DSS – it helps to prevent fraud for both consumers and businesses alike.

Becoming compliant isn’t a meaningless chore – it’s something that actually benefits the business. This is because the requirements that underpin PCI DSS compliance reduce the risk of the cardholder data environment being compromised.

Be aware that being compliant with the PCI DSS won’t stop fraudsters targeting our business. However, it will put High-Class Trends in the best position to prevent an attack.

How does PCI DSS compliance protect you?

The purpose of the PCI Data Security Standard is to keep every link in the transaction chain as secure as possible.

What does PCI DSS compliance protect against?

Complying with the PCI DSS requirements helps to protect the business and its customers against the following:

Account Tampering

‘Trojans’ and other malicious software can sneak into our systems to change cardholder payment records from ‘paid in full’ to ‘unpaid’ or to make unapproved transactions. Keeping our anti-virus software up to date helps to keep these attacks at bay.

Denial of Service

Losing connectivity is a huge issue if a business relies heavily on the internet. This can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls.

Identity Theft

Whether it’s face-to-face, online or over the phone, each card transaction taken sends information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.

Internal Theft

It’s not just attacks from outside our business that we need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps protect ourselves and our customers’ data from dishonest insiders as well as external fraudsters.

Website Tampering

Company web pages and interactive forms are a big target for hackers and fraudsters. Ensuring our network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms can trick customers into revealing sensitive data.

Ghost Attack

With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of our transaction activity helps prevent critical log and audit data from being tampered with or erased. It also makes it easier to trace attacks back to their source.

Legal entanglements

You can’t always be around to monitor how employees are using computers. But with the correct measures in place, we can avoid illegal pornography, unauthorised software or pirated movies being accessed and/or copied onto the business hardware.

Good governance

Working with the controls set out in the PCI DSS will help with other governance and legal requirements that may be relevant to the business. For example, the Information Commissioner’s Office considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to adhere to the Data Protection Act.