PCI DSS Compliance: your need-to-know guide
Your questions about PCI DSS compliance answered
All businesses accepting card payments need to meet the Payment Card Industry Data Security Standard (PCI DSS). Being PCI DSS compliant reduces the risk of your customers' card data getting into the wrong hands.
What is PCI DSS?
PCI DSS is a set of 12 basic security requirements developed by the PCI Security Standards Council. It was put in place to ensure that businesses storing, transmitting or processing card data are not putting their customers or their businesses at risk of data theft and fraud.
Sage Pay's E-business Benchmark Report found that around a third of the 2000 online businesses surveyed don't know if they're PCI DSS compliant. It's particularly important for those that are hosting their own payment pages.
Why do I need to be PCI DSS compliant?
The public expects businesses and financial institutions to protect data on credit and debit cards. PCI DSS doesn't guarantee that there won't be a data breach, but it encourages businesses to think wisely about how they use customer data.
Penalties for not complying with PCI DSS range from increased security auditing, to substantial fines passed on through your merchant bank, and even losing the ability to process card transactions altogether. Your business's reputation is also at risk if there is a data breach.
How do I become PCI DSS compliant?
There are four merchant levels of PCI DSS compliance, and the level you fall into, together with how you must validate compliance, depends on two main factors:
1. Your annual card transaction volume
2. How you process card data (for example, whether card details ever touch your own systems)
The PCI Security Standards Council recognises Qualified Security Assessors (QSAs) who can carry out your PCI DSS assessment; an on-site assessment by a QSA is required at the highest merchant level, while lower levels can typically validate with a Self-Assessment Questionnaire (SAQ). Your merchant bank may also have a recommended QSA.
Becoming PCI DSS compliant can be a costly and time-consuming process. However, there are some simple ways to reduce the cost and burden of compliance, and of course your risk of a data breach.
One of those ways is to avoid handling card data. The more your business is involved with handling card data, the more open to abuse it is, and the larger the part of your environment that falls within PCI DSS scope. Consider shifting the responsibility for card data to a third party. For example, have your payment pages hosted by your Level 1 PCI DSS compliant payment service provider, so that card details are entered on the provider's pages and never pass through your own servers. This generally qualifies you for the shortest self-assessment questionnaire, although the web server that sends customers to the hosted page remains in scope for a small set of requirements. It won't necessarily cost you more and shouldn't hinder the customisation of payment pages or compromise your customers' checkout experience.
What else do I need to know about PCI DSS compliance?
- Find out which level of PCI DSS compliance is right for your business
- See how you can outsource your payments to Sage Pay - a fully approved PCI DSS Level 1 payment service provider