PCI DSS
PCI Compliance enquiry line: 0161 209 5166 - assurance@nccgroup.com
The Payment Card Industry Data Security Standard (PCI DSS) was implemented collectively by the Payment Card Industry in response to increased fraud and identity theft involving stolen credit card data in order to stem losses by the card providers and improve consumer confidence. The PCI DSS was designed to not only address the most common consumer fears over making credit card transactions, that their cardholder details will be compromised and abused, but also to ensure that the “merchants” who process credit card transactions become more accountable for their own risk.
Every organisation that accepts payments by credit card has been required since June 2007 as a “merchant” to comply with the PCI DSS. This affects a wide range of organisations, including retailers, leisure providers, publishers, service providers, local authorities and charities.
Where cardholder data is compromised, organisations who are unable to demonstrate compliance with the PCI DSS may now be liable for losses that arise from the security breach and face the prospect of substantial fines imposed by the card schemes or being permanently barred from the card acceptance programme.
To avoid being penalised, it is essential that you act now to ensure your organisation is – and stays – compliant with the PCI DSS.
The key challenges
The key challenges affecting organisations in complying with the PCI DSS include:
■ Identifying the many different means of payment by debit or credit card your organisation offers its customers - these can include EPOS, automated voice payment, online, electronic payment kiosks and by phone through contact centres. All of these different payment methods will have a different impact on achieving compliance with the standard.
■ Identifying the many different areas where payments are being made – most commonly through individual stores/outlets/branches, online, by phone through contact centres, by direct debit, through direct TV channels and by mobile phone. In the public sector, the list will include an even wider range, including schools, theatres, leisure centres, libraries, one-stop-shops and car parks.
■ Identifying how cardholder information is processed within the various systems, the links from the organisation to its acquiring bank, and the links to other service providers (e.g. Worldpay) for the processing of financial transactions.
■ Ensuring compliance of applications that process financial information (e.g. e-payments via a web-based service).
■ Ongoing security testing of networks and systems to ensure they remain compliant and that any new vulnerabilities are identified and remedial action is taken.
How NCC Group can help
As a leading independent provider of consultancy and security testing services specialising in helping organisations protect themselves from information security threats, and as a Payment Card Industry Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), NCC Group is ideally placed to advise on PCI DSS. We are currently working with many organisations – such as Cineworld, Slough Borough Council and London Borough of Brent - to help them to achieve compliance.
We offer the following one-stop PCI DSS solution:
■ Scoping – identifying where you are now in relation to the PCI DSS, covering networks and systems as well as business processes.
■ Gap analysis and remediation planning – identifying the risks you face through non-conformance and the steps needed to ensure you are properly covered.
■ Remediation advice – expert and detailed advice on the security of your networks and systems and the policies and procedures that support them.
■ PCI DSS audit and certification – guiding you through the process of achieving compliance.
■ Ongoing compliance management – regular security testing and auditing to ensure you stay compliant.
Contact
For more information on how we can help you to ensure your organisation becomes – and stays – compliant, contact our PCI enquiry team on +44 (0)161 209 5166 or at pci@nccgroup.com.