The card schemes have set out information security requirements to make sure that sensitive cardholder information remains safe whenever a transaction is processed.


We make sure our merchants comply with these requirements, which are regulated by the PCI Security Standards Council (PCI SSC), formed by Visa, MasterCard, American Express, JCB and Discover.

The PCI SSC has published a set of 12 requirements called the Payment Card Industry Data Security Standards (PCI DSS). To find out more, visit our dedicated PCI website.



Who needs to be PCI DSS compliant?


Any business that stores, processes or transmits card data must comply with PCI DSS - and that includes all merchants who accept cards and any agent they may use.

PCI DSS is a mandatory programme, so any merchant who doesn't comply runs the risk of fines, as with any other breach of card scheme rules. As a card acquirer, Clydesdale Bank and Yorkshire Bank Merchant Services has a responsibility to report our merchants' PCI DSS status to the card schemes (Visa and MasterCard). This is confirmed in our standard terms and conditions.

If your business has not begun to work towards PCI compliance, you could be fined by the card schemes. There are also fines for storing Sensitive Authentication Data (SAD) post-authorisation. In extreme cases, non-compliant businesses are subject to an Account Data Compromise (ADC) for which there are fines, plus the potential loss of business and reputation.



How to keep your customers' card data secure


To make sure your customers' card data is secure, you need to comply with all the PCI DSS requirements that apply to your business. The steps you need to take to comply will depend on the size of your business and the type of card acceptance system you have.

The card schemes have divided businesses into four PCI levels depending on the volume and type of transactions processed.



If you don't store any card data


Even if you do not store any cardholder account data in your own systems, you will still need to verify the PCI DSS status of any third parties who act on your behalf to store, process or transmit your customers' cardholder data. Third-party service providers may include:


· Resellers

· Software application providers

· Acquirers

· Payment service providers (PSPs)

· Card processing bureaux

· Data storage entities

· Web hosting providers

· Shopping cart providers

· Miscellaneous third-party agents

· Software vendors


General security information


· You must not store Sensitive Authentication Data (SAD) after authorisation even if it is encrypted. This includes full magnetic stripe data, three- or four-digit security codes and PIN/PIN block information. If you do not need the data, do not store it.


· You must not use card and verification details for any purpose other than completing the card transaction.

· You must not pass this information to anyone else, except for the purpose of helping you to complete the card transaction.

· You are only allowed to keep a separate record of the card number and expiry date, if both these conditions apply:

· You have the specific agreement of the cardholder, and

· You are only going to use this information to help with future transactions, such as recurring payments, or new orders where further orders from the same customer are likely.
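As an added illustration of the storage rules above (not code from Clydesdale Bank, Yorkshire Bank or the PCI SSC), the following Python shows how a merchant system can enforce them at the point of persistence: Sensitive Authentication Data is dropped unconditionally once a transaction is authorised, the card number and expiry date are retained only when the cardholder has agreed, and a small scan flags track data that has leaked into logs or stored records. The field names, the record layout and the track-data patterns are assumptions for this example; the card number used is a well-known test PAN, not a real account.

```python
import re

# Field names below are assumptions for this example; real acquirer and
# gateway schemas differ.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cid", "pin", "pin_block"}
# Card number and expiry may be retained only with the cardholder's agreement,
# and only to support future transactions.
CONSENT_FIELDS = {"pan", "expiry"}

# Constructed patterns for magnetic-stripe track data as it tends to appear in
# logs or dumps: track 2 is PAN '=' expiry/service-code digits; track 1 starts
# with '%B', then PAN '^' cardholder name '^' expiry/service-code digits.
TRACK2_RE = re.compile(r"\b\d{13,19}=\d{4,}\b")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4,}")


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, a masking convention
    commonly used to satisfy the PCI DSS rule on displaying the PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise_for_storage(record: dict, cardholder_consent: bool = False) -> dict:
    """Return a copy of an authorised transaction record that is safe to persist.

    SAD fields are dropped unconditionally: encrypting them would not make
    post-authorisation storage permissible. PAN and expiry are kept only when
    the cardholder has agreed; otherwise only a masked PAN survives for
    reconciliation.
    """
    out = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue
        if key in CONSENT_FIELDS:
            if cardholder_consent:
                # A retained PAN must still be rendered unreadable at rest
                # (encryption, tokenisation or truncation) under PCI DSS; that
                # layer sits outside this example.
                out[key] = value
            elif key == "pan":
                out["pan_masked"] = mask_pan(value)
            continue
        out[key] = value
    return out


def audit_record(record: dict) -> set:
    """Names of SAD fields still present in a stored record (an empty set is the goal)."""
    return {k for k in record if k in SAD_FIELDS}


def find_track_data(text: str) -> list:
    """Scan free text (a log line, a database dump) for track-data patterns.

    Returns only the kinds found, e.g. ['track2'], so an alert can be raised
    without the finding itself re-logging the sensitive value.
    """
    kinds = []
    if TRACK1_RE.search(text):
        kinds.append("track1")
    if TRACK2_RE.search(text):
        kinds.append("track2")
    return kinds


if __name__ == "__main__":
    # Constructed sample record as it might arrive from a terminal or gateway.
    raw = {
        "pan": "4111111111111111",
        "expiry": "1227",
        "cvv2": "123",
        "track2": "4111111111111111=12271011234567890",
        "amount": "10.00",
        "auth_code": "ABC123",
    }
    print("no consent:  ", sanitise_for_storage(raw))
    print("with consent:", sanitise_for_storage(raw, cardholder_consent=True))
    print("SAD fields still present:", audit_record(raw))
    print("track data in log line:",
          find_track_data("auth ok pan=4111111111111111=12271011234567890 amt=10.00"))
```

Run `audit_record` over existing stored records and `find_track_data` over application and web-server logs as a periodic check; either returning anything non-empty indicates SAD being retained after authorisation, which is exactly the condition the card schemes fine for.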