What is PCI DSS and what's being updated in 2022?
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised security standard aimed at combating credit card fraud and increasing the safety and control of sensitive card data. The standard applies to all major branded payment cards, such as Mastercard, Visa, American Express, JCB and Discover and is administered by the independent PCI Security Standards Council.
In simple terms, PCI DSS compliance involves 12 ‘requirements’ of any business handling card payment data:
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data to business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
PCI DSS merchant levels
You will have to identify which merchant level your business sits in to know what you need to do to become PCI DSS compliant.
Each major card issuer will have its own set of levels, but a generally representative example of different merchant levels is provided by Visa:
| Merchant level | Criteria |
| 1 | Merchants processing over 6 million card transactions a year across all channels |
| 2 | Merchants processing between 1 and 6 million card transactions a year across all channels |
| 3 | Merchants processing between 20,000 and 1 million e-commerce card transactions a year |
| 4 | Merchants processing up to 20,000 annual e-commerce card transactions or 1 million transactions a year across all channels |
Many small independent businesses will fall into level 4 of the compliance framework if they are:
- An e-commerce business processing fewer than 20,000 e-commerce transactions per year, or 54 transactions per day
- Any type of merchant processing fewer than 1 million transactions across all channels per year, or 2739 per day
Based on your business operations and the way in which you use, store or handle card data, you will have to complete a different self assessment questionnaire (SAQ) in order to become PCI DSS compliant:
SAQ A – for e-commerce, mail or telephone-order merchants that have fully outsourced all cardholder data functions (to a third party) and have no electronic storage, processing, or transmission of any cardholder data on their systems or premises.
SAQ A-EP – for e-commerce-only merchants using a third-party service provider to handle their card information (such as Stripe, Zettle or SumUp) and who have a website that doesn’t handle card data. There can be no electronic storage, processing, or transmission of any cardholder data on their systems.
SAQ B – for merchants that use imprint machines and/or standalone, dial-out terminals. They must have no electronic cardholder data transmission, processing, or storage and this is not suitable for e-commerce businesses.
SAQ B-IP – for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor. This also must have no electronic cardholder data storage and it is not suitable for e-commerce businesses.
SAQ C-VT – for merchants that use a virtual terminal on one computer which is dedicated solely to payment card processing where no electronic cardholder data is stored.
SAQ C – for any merchant with a payment app connected to the Internet, but where no electronic cardholder data is stored.
SAQ P2PE – for merchants using approved point-to-point encryption (P2PE) devices and where no electronic card data is stored.
SAQ D for Merchants – for merchants that do not outsource their credit card processing to a third party or use a P2PE solution, and who do store credit card data electronically.
SAQ D for Service Providers – for service providers deemed eligible to complete an SAQ.
Is PCI DSS compliance a legal requirement?
In short, no. In the UK, the security standard has not been incorporated into statute law in the way it has been in some US states such as Nevada. This means that there is no legal requirement for businesses that handle card data to be PCI DSS compliant.
However…
While the standard is not enshrined in UK law, there are good reasons for businesses to treat PCI DSS as if it were a legal requirement and ensure they are compliant. In simple terms, customers’ payment card details are not just financial data, but it also constitutes personal data which comes under the remit of the Data Protection Act (2018). In the event of a card data breach, the Information Commissioners’ Office (ICO) may take into account whether a business is PCI DSS compliant when deciding on enforcement actions.
What if I use a third party card payment system?
Many small businesses will use a third party payment processing platform such as Stripe, SumUp or Zettle (formerly iZettle) to handle their card payments, both in a physical shop or online.
By using a third party platform that itself is PCI DSS compliant, your business may not have to go through all the necessary checks itself. If your business is entirely reliant on the third party processing platform, then the onus falls on the third party. This is the case with Paypal who take steps to ensure their client merchants are compliant by providing advice and asking for certain requirements when starting a contract.
If your business is not purely reliant on the third party and you collect and process any card data yourself, then you will need to complete all the steps relevant to your merchant level to be PCI DSS compliant.
What this means for small businesses
There’s both good news and bad news for small businesses when it comes to being PCI DSS compliant. The good news is that many small businesses will sit in the lower levels of the PCI DSS framework due to their size and the number of transactions they process. Small bricks and mortar businesses such as independent shops will likely sit in level 4, while smaller scale online businesses will most likely be at level 3. This means that the process of becoming PCI DSS compliant is simpler and quicker than for larger companies.
However, under the PCI DSS framework, if your business suffers a card payment data breach where account details are compromised, then you could automatically find that your business will then sit at a higher, more complex merchant level.
The Hiscox Cyber Readiness Report 2022 suggests that more than a third (34.8%) of small businesses (with under 50 employees) suffered a cyber attack in the first quarter of 2022 alone. Small businesses are clearly seen by cyber criminals as an easier target because they lack the capital and the know-how to invest in the strongest cyber protection.
The 2022 PCI DSS 4.0 update
The changes to the PCI DSS between the previous version (3.2.1) and the newest incarnation (4.0) are many and varied and you can download a document containing the summary of all the changes from the website of the PCI Security Standards Council. The full standard is also available to download.
Some of the principle changes, however, include measures such as:
- Access privileges now must be reviewed a minimum of twice a year
- All passwords for accounts used by payment systems should now be changed once a year as well as during suspicious activity or a data breach
- Multi-factor authentication (MFA) should now be used for all accounts with access to sensitive card data, whereas previously only security administrators had to use MFA
- Third-party accounts should now only be used as needed and should monitored regularly for security risks
- Passwords for accounts must now be ‘strong and unique’, with at least 15 characters that include both alphabetic characters and numerals. When passwords are changed, all prospective passwords should be compared against a list of known bad passwords
Timeline for PCI DSS 4.0 implementation
The new PCI DSS version 4.0 was introduced in March 2022 and is eventually set to replace the existing version 3.2.1. There is a two year transition period to allow businesses to fully adjust to the new standard and the old version (3.2.1) will be retired and fully replaced with version 4.0 on 31st March 2024.
You may also like:
Download your free essential cybersecurity checklist
Skip the mistakes and boost your cyber protection now with these simple steps
This content has been created for general information purposes and should not be taken as formal advice. Read our full disclaimer.
We've made buying insurance simple. Get started.
- 13 February 20245 minute read
SaaS + AI = breaking boundaries (+ risk)
More and more, SaaS companies are utilising AI to stay one step ahead of the game. But what are the risks involved and how can they be mitigated? Read on to learn more.
- 21 November 202313 minute read
Ultimate guide to startup funding
Everything you need to know about funding for startups. Find out how to make (and not break) your business, with our ultimate guide.
- 19 September 20234 minute read
Is now the time for cyber insurance?
In our increasingly digital world, and with cyber crime on the rise, is there an optimum time of year to buy cyber insurance?
