The PCI DSS applies to most businesses, since it covers any organisation that accepts card payments from customers.

The PCI DSS contains 12 high-level requirements and more than 200 testing procedures. Compliance can be demonstrated either through a formal assessment by a Qualified Security Assessor (QSA) or by completing one of nine self-validation tools, the Self Assessment Questionnaires (SAQs). On top of this there is a large body of supporting guidance intended to help businesses navigate the PCI landscape: in total there are 177 documents on the PCI SSC website.

It is no wonder that businesses struggle to understand the PCI landscape. We see a number of recurring problems, and the following are the ones we encounter most often:

  • Organisations completing online attestations incorrectly, largely driven by the fear of being fined by their merchant bank (also known as the acquirer or acquiring bank) for not meeting the requirements of the PCI DSS
  • Completing the wrong Self Assessment Questionnaire (SAQ), i.e. using an SAQ that does not match the way payments are actually accepted and cardholder data is handled
  • Misunderstanding more recent developments in payment acceptance, such as tokenization and client-side (browser-based) payment integrations. QSAs whose background is in assessing more traditional environments can, in some cases, incorrectly reject legitimate techniques that the PCI SSC has authorised.

Businesses working out how to approach PCI compliance benefit from the following activities:

  • Identify which compliance requirements apply, based on how payments are accepted
  • Clarify the scope to which those requirements apply, i.e. the people, processes and systems that store, process or transmit cardholder data
  • Seek help in understanding the intent of each requirement, so that you are not answering the wrong question.

These activities go a long way towards reducing the PCI compliance burden and more accurately addressing the risks to your business that arise from the way it handles payment card data.