Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle cardholder information. All merchants, whether small or large, need to be PCI compliant. The burden of compliance can be daunting at first, but at Bongo IT we are here to help.
You may have noted that in 2018 some of the Payment Service Providers e.g. Barclacard have tightened their regulations and are now providing more difficult questionaires. If you now find yourself stuck, please speak to one of our team.
What is involved
Our first step is to document the cardholder data flow. This allows us to understand how sensitive data flows through your systems, and which parts of those systems need to be scanned. We will then look at reducing the number of systems involved in the flow of cardholder data, to lessen the compliance task.
After filling in the correct questionnaire for your level of interaction with cardholder data, we initiate the scan. The scan tests all the systems through which data flows for basic security vulnerabilities. After rectifying any vulnerability, and re-running the scan until no vulnerabilities remain, compliance is achieved. We will then inform your Payment Service Provider (PSP) that you are compliant. The scan will automatically run every 3 months, and will inform you if you ever drop out of compliance.
PCI DSS Case Study
Bongo IT was approached by an Oxford-based charity who had been asked by their PSP to become PCI compliant. As there was an urgent deadline, we initially worked to achieve compliance. As on ongoing project we were able to suggest measures to reduce the number of systems requiring compliance, and to discuss this reduction with the shopping cart system’s developers. In time it became possible to avoid PCI compliance all together, offloading the security of cardholder data to the PSP’s systems.