Protecting your business and your customers

What is the Payment Card Industry Data Security Standard (PCI DSS)?

PCI DSS is a global scheme to safeguard cardholder data by ensuring card transactions are processed, transmitted and stored securely.

This protects all parties from the increasing threat and occurrence of card fraud and theft, which can lead to unexpected expenses for your business and significant inconvenience for your customers.

PCI DSS compliance is mandatory for any business that processes card transactions.

If you are a Lloyds Cardnet client and don't yet have PCI DSS compliance, you are likely paying substantial fines, but we can help you become compliant.

PCI DSS and the benefits of compliance

What PCI DSS means for my business

Being PCI DSS compliant means demonstrating that your business is handling cardholder data safely and securely.
You cannot store the following information:

  • Data held on the card's magnetic stripe
  • The three-digit security code on the signature strip, used for mail/telephone orders or online transactions

You can keep only the essentials needed for your business such as name, account number or expiry date.
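The rule above is easy to state and easy to break in code, so here is an added example (not from the Lloyds Cardnet page or portal) of a storage gate that refuses any record still carrying stripe data or the security code, keeps only name, account number and expiry, checks the account number with the Luhn algorithm, and produces a masked copy for display. The field names, the sample record and the masking format are assumptions for the example.

```python
import re

# Field names are assumptions for this example; real payment software will
# have its own record layout and should map its names into these sets.
FORBIDDEN_FIELDS = {"track1", "track2", "magnetic_stripe", "cvv", "cvc", "security_code"}
ALLOWED_FIELDS = {"cardholder_name", "pan", "expiry"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a digits-only account number (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI DSS allows at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storage_record(record: dict) -> dict:
    """Return the subset of `record` a merchant may persist.

    Fails closed: if stripe data or the security code is present at all,
    the record is rejected rather than silently trimmed, so the caller
    learns that an upstream component captured data it should not have."""
    leaked = FORBIDDEN_FIELDS & set(record)
    if leaked:
        raise ValueError(f"must not store: {sorted(leaked)}")
    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    kept = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    kept["pan"] = pan                 # encrypt or tokenise before writing to disk
    kept["pan_masked"] = mask_pan(pan)
    return kept


# Constructed sample input (the PAN is the well-known Visa test number).
SAMPLE = {"cardholder_name": "A Merchant", "pan": "4111 1111 1111 1111",
          "expiry": "12/27", "terminal_id": "T01"}
```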

The 12 principles of PCI DSS

The principles that will apply to your business depend on how you process credit cards. To help you better understand these requirements, we have a dedicated PCI DSS online portal, as well as a PCI DSS help line you can call on 0845 0710 544.

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect data
2. Do not use default passwords for system and other security programs

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data to employees on a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security within your business

How do I become compliant?

The process to become compliant depends on the size of your business. Small to medium sized businesses need to complete a Self Assessment Questionnaire (SAQ), while larger entities may need a Formal Onsite Assessment by a Qualified Security Assessor (QSA).

To get started today, contact your Lloyds Cardnet Account Manager, who can set you up with our user-friendly PCI DSS online portal. The tools on the portal will guide you through the registration process, whether you require an SAQ or a QSA assessment.

What if I already have valid compliance?

If your business already has PCI DSS validation, you simply need to provide us with evidence of compliance. You can still benefit from our online PCI DSS portal, which will make it easier to renew validation each year.

Maintaining compliance each year

PCI DSS compliance needs to be renewed every year. This is because processes or card acceptance equipment may have changed in your business. Also, the Standard itself could have changed in the course of a year to adapt to new security threats or market requirements.

Usually, PCI DSS compliance is far easier in subsequent years and won’t take as long to complete.

How Lloyds Bank Cardnet can help you

All Lloyds Cardnet merchants must be PCI DSS compliant. To help, we’ve developed a user-friendly online portal, making it much easier to become and stay compliant.

Here's what the portal offers:

  • A dedicated helpline with knowledgeable staff
  • Help understanding which requirements apply to your business
  • Step-by-step guides to assist you through your self-assessment
  • Ongoing support and service to ensure that you maintain your compliance

Find out more about the PCI DSS online portal for Lloyds Cardnet clients. Or contact your Lloyds Cardnet Account Manager who can help set up your PCI DSS portal access.

Penalties for non-compliance

If your business is processing card payments and you are not yet compliant with PCI DSS, you could be receiving substantial fines. Your card acceptance services and machines could also be revoked.

Fines are charged per outlet and increase over time, so the sooner you become compliant the better.

Compliance requirements when working with third parties

If you're working with third parties that process or store card transaction data on your behalf, you need to ensure they are also compliant. These can include software providers, payment service providers, web hosting companies and EPOS and till vendors, to name but a few.

Here's what you'll need to do:

  • Make sure they are PCI DSS compliant; you can ask for proof of validation
  • Ensure they are registered with Visa as a Merchant Agent at www.visamerchantagents.com.
  • Notify Lloyds Cardnet about third parties you’re working with

Need more information about PCI DSS or security?

You can call our dedicated PCI DSS help line with any questions on 0845 0710 544 (9am to 5pm, Monday to Friday).