Card transactions generate tonnes of data. From transaction details such as the payment method used and amount paid, to Personal Identifiable Information (PII) such as full names and card details, this data must be stored somewhere safe.
Attempts at credit card fraud can be highly sophisticated - the inability to prevent such attacks due to poor card payment security could result in breach of customer trust and financial losses for the business, as well as inadvertently enabling criminal activity. Recent statistics show an encouraging 19.5% drop in credit card fraud and every business that accepts cards has a role to play in advancing the responsibility of responsible commerce by ensuring that their own data practices are adequate and they’re doing everything they can to ensure customer payment data is secure.
In 2006, Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC), setting out rules and guidelines designed to keep card payments secure. The guidelines ensure all businesses that handle consumer credit card data play by the same rules and are up to speed with the requirements involved to keep this data safe. With this goal in mind the PCI Data Security Standards (PCI DSS) were created to protect consumers, banks and businesses from being exposed to potential critical data breaches.
The ins and outs of PCI compliance can be daunting, particularly given the abundance of day-to-day priorities and business-as-usual. Below is a summary on the PCI DSS which provides a headline overview on the topic as your business works through how to manage its PCI requirements.
This summary should only serve as an introduction and does not constitute professional or financial advice. It therefore should not be acted upon without seeking professional advice. The full requirements which get updated frequently can be found on the PCI SSC website.
To understand why there’s a need for the PCI DSS, it’s important to consider the landscape into which it came to be. When the PCI standard was developed in 2006, the evolution of the internet as a commercial tool and the ability of accepting online payments represented an opportunity for businesses and convenience for customers, making everyone’s lives easier.
It also brought with it security concerns. Providing credit card details online left customers exposed and provided a business challenge to ensure data security. Inevitably, incidences of data theft increased significantly, leading to the establishment of the PCI SSC in 2006 mandated to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals”.
It is crucial to understand that while the Council is charged with setting the standards and requirements for businesses to follow, PCI compliance is ultimately the responsibility of the merchant and the payment brands, not the PCI SSC.
Every business involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS) as is required based on their size and level of involvement.
PCI DSS exists to make sure all businesses treat the handling of payment data the same way - online, in-store, or over the phone or in writing - keeping payments secure and data safe. By doing so you’re keeping your customers safe and maintaining trust.
For ease of clarity PCI DSS compliance can be broken down into three main areas.
Depending on your business, it may be necessary to directly handle credit card data when accepting payments, which means you will need to comply with PCI DSS to ensure this data is kept safe and handled appropriately.
How businesses handle payment data varies depending on the business itself, but as a general rule, if a business doesn’t have to handle customer payment data, it shouldn’t.
Third-party integrations such as Assembly’s ready made drop-in UI are available to allow card data to be handled safely, reducing the risk and complexity that comes with doing this yourself. PCI compliance is a collective responsibility and applies to both your business and Assembly. Your business is still required to comply with PCI DSS, however using Assembly’s drop-in UI, facilitates your business with the easiest level of PCI DSS, SAQ A.
If a business is required to store credit card data, it will need to define the scope of the cardholder data environment (CDE) where sensitive information is stored, and take specific steps to protect this.
It makes sense then that, wherever possible, businesses should keep this storage to only the essentials - effectively creating a CDE that’s as small as possible. Every security requirement within the PCI DSS applies to the CDE, so ensuring this payment data is separate from the rest of the business is important, lest you find yourself having to apply the PCI security controls to every system and device in the business.
Every year, ALL businesses that accept card payments are required to complete a PCI DSS assessment of their security controls, procedures and policies. This validation process varies from business to business, but will generally include a Self-Assessment Questionnaire (SAQ) completion - a self-validation tool to assess security for cardholder data.
This checklist includes some of the actions required to keep card payment data safe and secure.
Understand your business’ compliance requirements
Although Assembly processes credit card data on your behalf, you still have an obligation to be PCI compliant.
The PCI Security Council provides guidelines on the required compliance levels.
PCI sets out different levels for merchants in order to assess their fraud risk and decide on the appropriate security level for their business, as well as the amount of assessment and security validation needed to pass PCI DSS assessment. In order to ensure you’re compliant with PCI requirements it’s important to know where your business sits within this framework.
There are four different levels, which are broken up largely by the volume of credit card transactions your business churns through every year (although other factors may come into play depending on your security history).
The following are the four levels of PCI compliance:
As part of the PCI DSS, businesses are required to complete a Self-Assessment Questionnaire (SAQ) - a checklist created by the PCI SSC to simplify the process for businesses to check their PCI compliance - and there are different SAQ types depending on your payment integration method (outlined in the table below). Your business will have to complete this SAQ in order to formally achieve a level of PCI compliance.
The SAQ is made up of a series of yes/no questions related to each PCI requirement. If you answer ‘no’ to any questions, you’ll be required to provide details and dates related to resolving this compliance issue.
There are a range of different SAQs available. The one you complete will depend on the type of business and your merchant level.
If you’re still unsure about which self-assessment questionnaire is applicable to you, see the guidelines under “Which SAQ Best Applies to My Environment?” here.
Assembly does not provide advice regarding PCI compliance requirements - it is your sole responsibility as a business owner that accepts card payments to seek your own independent QSA advice.
If you need clarity, guidance, or advice in relation to your PCI requirements, you must engage a Qualified Security Assessor (QSA) who can help you understand and fulfil your requirements. You or your organisation can then work through an internal assessment, with the help of a QSA, to attain compliance.
PCI compliance is not something you only need to think about once a year - it should constantly be top of mind to ensure your level of compliance remains up to date at all times.
Depending on your credit card partner, you may be asked to submit regular reports or assessments to demonstrate that you’re on top of your card payment security responsibilities so it’s best to be on the front foot with your checks. You must also ensure you keep your six-monthly updated SAQ on record and have it available to present when it is requested by your payment services provider.
Ok, so all this talk about PCI and compliance and SAQs is enough to make anyone’s head spin, we know. But while it can seem overwhelming and, let’s face it, dry, the importance of implementing healthy security and compliance measures for your business can’t be overstated.
PCI compliance is critical to ensure you keep your customers safe and protect your business from exposure to data breaches. If your business doesn’t comply with PCI standards, you’re risking data breaches, fines, audits, and other unforeseen costs, not to mention potentially unrecoverable brand damage which can only result in loss of business.
Such penalties can be catastrophic for businesses. For example, if your company violates PCI-compliance standards, you may be subject to fines from the credit card company associated with the breach and/or a damaged relationship that affects your agreement.
It is your sole responsibility to establish your own PCI compliance - this is not something that Assembly Payments can do on your behalf.
We take data security seriously and have been audited by a PCI-certified auditor, achieving the highest level of certification - PCI Service Provider Level 1. It’s important to remember though that this doesn’t mean your platform automatically receives the same certification just by partnering with us.
If you are looking for card payment integration into your platform, with Assembly, you can accept all major credit cards with a ready made drop-in UI which reduces the cost and effort which comes with building your own one.
With our ready-made drop-in UI solution, capturing credit card details - on your website or mobile application - through the Assembly platform is a straightforward task. You can rest assured that your system will remain well encrypted and you also won't require a self-attestation questionnaire to be completed.
PCI compliance is something that should always be top of mind in your business. It’s crucial that you remain vigilant and in control of all the ways in which you’re required to comply in order to keep card payment data secure. It’s good practice to check in with these requirements regularly, particularly if your business undergoes any changes, so that you can always be on the front foot.
It’s important to remember as well that while complying with the PCI DSS guidelines is an important step in protecting your customers and your business, it’s something that cannot occur in isolation. Following the PCI DSS standards for handling and storing cardholder data is an excellent step, but ensuring you’re partnering with an experienced payments provider who can add an additional layer of security to your payments is a smart move.
To integrate drop-in UI as a component of your PCI compliance plans contact us today.
Ensuring the security of card payments is good news for everyone, so start planning today.
InsightsRebuilding the plane, while still flying it. Our journey on building our data platform from scratch.
Find out how Assembly took an eight year old monolithic platform that was slow, manual, and costly and built a fully scalable digital platform that connects all the data dots across our business. Now, we get the big picture view, allowing us to holistically see how our business is running.
CompanyAssembly’s Hack Day 2021: Tiny Care Slack Bot
Having been through more than a year in lockdown, the objective of this year’s Hack Day was to provide an opportunity for the Product & Tech teams to come together and collaborate on new ideas (outside of payments), learn, and simply have fun!
Insights5 scaling considerations for finance teams
As a company works at a frenetic pace to meet the challenges of scaling up, the finance team plays a vital role in working alongside the management team and the wider organisation to define and execute the business's strategy. Finance’s role in capturing and analysing financial data is central to these efforts, as using data-driven insights to guide strategic business decisions becomes the norm.