Protecting your business and your customers
What is the Payment Card Industry Data Security Standard (PCI DSS)?
PCI DSS is a global scheme to safeguard cardholder data by ensuring card transactions are processed, transmitted and stored securely.
This protects all parties from the increasing threat and occurrence of card fraud and theft, which can lead to unexpected expenses for your business and significant inconvenience for your customers.
PCI DSS compliance is mandatory for any business that processes card transactions.
If you are a Lloyds Cardnet client and don't yet have PCI DSS compliance, you are likely paying substantial fines, but we can help you become compliant.
What PCI DSS means for my business
Being PCI DSS compliant means demonstrating that your business is handling cardholder data safely and securely.
You cannot store the following information:
- Data stored on the card's magnetic stripe
- The three-digit security code on the signature strip, used for mail/telephone orders or online transactions
You may keep only the essentials your business needs, such as the cardholder's name, account number or expiry date.
The 12 principles of PCI DSS
The principles that will apply to your business depend on how you process credit cards. To help you better understand these requirements, we have a dedicated PCI DSS online portal, as well as a PCI DSS help line you can call on 0845 0710 544.
| Goal | Requirement |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect data |
| | 2. Do not use default passwords for systems and other security programs |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data and sensitive information across open public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data to employees on a need-to-know basis |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security within your business |
How do I become compliant?
The process to become compliant depends on the size of your business. Small to medium-sized businesses need to complete a Self-Assessment Questionnaire (SAQ), while larger entities may need a formal on-site assessment by a Qualified Security Assessor (QSA).
To get started today, contact your Lloyds Cardnet Account Manager who can set you up with our user-friendly PCI DSS online portal. The tools on the portal will help you through the registration process, whether you require an SAQ or QSA.
What if I already have valid compliance?
If your business already has PCI DSS validation, you simply need to provide us with evidence of compliance. You can still benefit from our online PCI DSS portal, which will make it easier to renew validation each year.
Maintaining compliance each year
PCI DSS compliance needs to be renewed every year. This is because processes or card acceptance equipment may have changed in your business. Also, the Standard itself could have changed in the course of a year to adapt to new security threats or market requirements.
Usually, PCI DSS compliance is far easier in subsequent years and won’t take as long to complete.
How Lloyds Bank Cardnet can help you
All Lloyds Cardnet merchants must be PCI DSS compliant. To help, we've developed a user-friendly online portal that makes it much easier to become and stay compliant.
Here's what the portal offers:
- A dedicated helpline with knowledgeable staff
- Help understanding which requirements apply to your business
- Step-by-step guides to assist you through your self-assessment
- Ongoing support and service to ensure that you maintain your compliance
Find out more about the PCI DSS online portal for Lloyds Cardnet clients. Or contact your Lloyds Cardnet Account Manager who can help set up your PCI DSS portal access.
Penalties for non-compliance
If your business is processing card payments and you are not yet compliant with PCI DSS, you could be receiving substantial fines. Your card acceptance services and machines could also be revoked.
Fines are charged per outlet and increase over time, so the sooner you become compliant the better.
Compliance requirements when working with third parties
If you work with third parties that process or store card transaction data on your behalf, you need to ensure they are also compliant. These can include software providers, payment service providers, web hosting companies and EPOS and till vendors, to name but a few.
Here's what you'll need to do:
- Make sure they are PCI DSS compliant; you can ask for proof of validation
- Ensure they are registered with Visa as a Merchant Agent at www.visamerchantagents.com.
- Notify Lloyds Cardnet about third parties you’re working with
Need more information about PCI DSS or security?
You can call our dedicated PCI DSS help line with any questions on 0845 0710 544 (9am to 5pm, Monday to Friday).