Compliance for Mobile Devices

PCI DSS

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. It applies to all merchants and service providers that process, transmit or store cardholder data. If your organization handles card payments, it must comply, or risk financial penalties or even the withdrawal of its ability to accept card payments. The PCI DSS was launched in 2004 and is the result of collaboration between the major card brands: American Express, Discover, JCB, MasterCard and Visa.

Do I need to comply with the PCI DSS?

All organizations that accept credit or debit cards, or that store, process and/or transmit cardholder data, need to comply with the standard. The compliance requirements for merchants and service providers differ depending on a number of factors, including the size of the organization and the volume of transactions it handles.

What are the penalties for non-compliance?

The PCI DSS is an industry standard, not a law. It is enforced through contracts between merchants, acquiring banks and payment brands. Each payment brand can fine acquiring banks for PCI DSS compliance violations, and acquiring banks can withdraw the ability to accept card payments from non-compliant merchants. It is also worth remembering that, wherever the GDPR applies, a breach involving cardholder data is also a personal data breach, because cardholder data is personal data under the regulation. So as well as any enforcement action from your acquiring bank, your organization could face administrative fines of up to 20 million Euros or 4% of annual global turnover (whichever is greater) under the GDPR.

How to become PCI DSS compliant?

The PCI DSS specifies 12 requirements that are organized into 6 control objectives (the wording below is that of versions up to 3.2.1; PCI DSS v4.0 keeps the same 12 requirements under revised headings):

1. Build and maintain a secure network:
    - Install and maintain a firewall configuration to protect cardholder data 
    - Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data: 
    - Protect stored cardholder data 
    - Encrypt transmission of cardholder data across open public networks 
3. Maintain a vulnerability management programme: 
    - Use and regularly update antivirus software or programs 
    - Develop and maintain secure systems and applications 
4. Implement strong access control measures:
    - Restrict access to cardholder data by business need-to-know 
    - Assign a unique ID to each person with computer access 
    - Restrict physical access to cardholder data 
5. Regularly monitor and test networks:
    - Track and monitor all access to network resources and cardholder data 
    - Regularly test security systems and processes 
6. Maintain an information security policy:
    - Maintain a policy that addresses information security for employees and contractors