Is PCI DSS a regulation? Everything you need to know about

by | Feb. 2022 | Speech Analytics

What is PCI DSS?

You have almost certainly seen the acronym PCI DSS at some point, perhaps without being entirely clear on what it means. PCI DSS stands for Payment Card Industry Data Security Standard.


PCI DSS is a set of security standards that helps companies prevent fraud and theft of credit card data, covering both the cardholder's personal data and the authentication data.

PCI DSS arose in 2004, when the largest credit and debit card companies in the world (AMEX, VISA, MasterCard, Discover and JCB) decided to create a single standard common to all of them. Previously, each of these companies had its own security standard; the standards resembled each other, but having several of them could cause confusion.

It is important to highlight two aspects:

  • PCI DSS is a standard, not a law. It is enforced through contracts between merchants, acquiring banks and payment brands, not imposed by national governments.
  • Breaking PCI DSS also means a General Data Protection Regulation (GDPR) breach, because credit and debit card information is cardholder data, which the Regulation classifies as personal data under its protection. It is worth remembering that the most severe breaches of GDPR are punishable by fines of up to 20 million euros or 4% of the company's annual turnover, whichever is higher.

What does PCI DSS say?

The PCI DSS standard is made up of twelve requirements, grouped into six fundamental aspects.

Build and maintain a secure network.

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied passwords or defaults.

Protect cardholder data.

  3. Safeguard cardholders' personal information.
  4. Encrypt the transmission of cardholder data and confidential information over open public networks.

Establish a vulnerability management program.

  5. Update and activate anti-virus software on a regular basis.
  6. Develop and maintain secure systems and applications.

Create strong access control measures.

  7. Limit access to information to only those companies that need it.
  8. Assign a unique ID to each person with access to the system.
  9. Restrict physical access to data to card owners only.

Regularly monitor and test networks and access.

  10. Track and monitor access to network resources and cardholder data.
  11. Perform regular testing of security systems and processes.

Maintain an up-to-date cross-cutting information security policy.

  12. Create a policy that covers, and keeps up to date, the aspects related to information security.

Who does PCI DSS apply to?

At this point, you may be wondering what kind of companies PCI DSS applies to and what requirements they must meet. The standard must be complied with by banks, merchants, issuers and any other entities that process, store or transmit credit or debit card data.

The PCI SSC (PCI Security Standards Council) created a four-tier system to classify businesses by size and risk to determine the requirements that apply to individual businesses. These merchant risk levels are based on the total number of payment card transactions a business conducts annually.  

The PCI DSS standard has four levels of compliance, based on a merchant's annual number of transactions. The higher the level an entity falls into, the more demanding the requirements it must meet. For example, at level 1 an annual compliance report called a Report on Compliance (ROC) must be submitted, while at the other levels this is replaced with a Self-Assessment Questionnaire (SAQ). Quarterly network scanning by an Approved Scanning Vendor (ASV) and possession of the Attestation of Compliance (AOC), which declares an organization's PCI DSS compliance status, are common to all four levels, with some exceptions. The levels are as follows:

  • PCI DSS Level 1 is for businesses that handle more than 6 million Visa or MasterCard transactions each year, or 2.5 million at American Express.
  • PCI DSS Level 2 is for businesses that process between 1 million and 6 million transactions annually.
  • PCI DSS Level 3 is for businesses that process between 20,000 and 1 million Visa or MasterCard transactions each year.
  • PCI DSS Level 4 is for businesses that process fewer than 20,000 Visa or MasterCard online transactions annually.

Call Recording and PCI DSS Compliance

Online commerce is currently booming, and many companies are putting more effort into their online presence than into their physical one. This means that companies must set up an adequate payment infrastructure, part of which is what we call payment gateways: programs that connect a bank account with the corresponding payment processor and into which the customer manually enters their card data.

However, the real challenge lies in MOTO (mail order/telephone order) payments. It is considered commonplace for calls in call centers to be recorded, e.g., for quality reasons. The main reason these calls are recorded, though, is compliance, since they often involve the transmission of data that is protected by regulations such as GDPR.

Returning to the subject of MOTO payments: in call centers, especially those dedicated to sales, deals are often closed with customers who must authorize payment by giving their credit or debit card data, data that cannot be recorded under any circumstances. For this reason there are several alternatives, such as software that pauses the recording at that moment and resumes it once the payment is finished. But these are not entirely effective.

What is really effective and secure is to opt for a conversational intelligence solution that anonymizes sensitive credit card data. Artificial intelligence anonymization techniques, such as the one used by Recordia, automatically detect and remove PCI data from call recordings using a high-precision speech recognition engine and machine learning algorithms. The credit card data is automatically erased from the recording and replaced with white noise, and users receive the clean recording and transcript with the data removed.
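As an added illustration of the redaction step described above (this is not Recordia's code; the word-timed transcript format, the spoken-digit handling and the noise level are assumptions), a minimal Python version that finds a card number spoken in groups in a transcript via the Luhn check, masks those words and overwrites the matching audio window with white noise, while leaving other digit strings such as a postcode intact:

```python
import math, random
from array import array
# Constructed sample (not Recordia's data or format): word-level ASR output with
# start/end times in seconds, plus 5 s of synthetic 8 kHz audio standing in for the call.
SAMPLE_RATE = 8000
WORDS = [("my", 0.0, 0.3), ("card", 0.3, 0.6), ("is", 0.6, 0.8), ("four", 0.8, 1.1),
         ("one", 1.1, 1.3), ("one", 1.3, 1.5), ("one", 1.5, 1.7), ("1111", 1.7, 2.4),
         ("1111", 2.4, 3.0), ("1111", 3.0, 3.6), ("zip", 3.6, 3.9), ("is", 3.9, 4.1),
         ("90210", 4.1, 4.8)]
AUDIO = array("h", (int(8000 * math.sin(2 * math.pi * 440 * n / SAMPLE_RATE))
                    for n in range(5 * SAMPLE_RATE)))
DIGIT_WORDS = dict(zip("zero one two three four five six seven eight nine".split(), "0123456789"))

def luhn_ok(digits):
    """Luhn check digit test; PANs of all the brands named on the page pass it."""
    doubled = [int(c) * 2 if p % 2 else int(c) for p, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def spoken_digits(word):
    """Digits for a spoken ('four') or numeric ('1111') token, else None."""
    w = word.lower().strip(".,")
    return DIGIT_WORDS.get(w, w if w.isdigit() else None)

def find_pan_spans(words):
    """Word-index ranges (start, end) whose joined digits form a Luhn-valid 13-19 digit PAN."""
    toks = [spoken_digits(w) for w, _, _ in words]
    spans, i = [], 0
    while i < len(toks):
        best, digits = None, ""
        for j in range(i, len(toks)):  # join the run of adjacent digit tokens starting at i
            if toks[j] is None or len(digits := digits + toks[j]) > 19:
                break
            if len(digits) >= 13 and luhn_ok(digits):
                best = j  # keep extending: prefer the longest valid run
        if best is not None:
            spans.append((i, best))
        i = best + 1 if best is not None else i + 1  # other digits (a postcode) stay
    return spans

def redact(words, samples, rate, seed=0):
    """Mask PAN words in the transcript and overwrite the same audio window with white noise."""
    rng, out_words, out_audio = random.Random(seed), list(words), array("h", samples)
    for i, j in find_pan_spans(words):
        start, end = round(words[i][1] * rate), min(len(out_audio), round(words[j][2] * rate))
        for k in range(start, end):
            out_audio[k] = rng.randint(-3000, 3000)  # seeded white noise over the digits
        for k in range(i, j + 1):
            out_words[k] = ("[PAN REDACTED]",) + words[k][1:]
    return out_words, out_audio
```

In a real deployment the word timings come from the speech recognition engine, and the redacted audio is what gets stored, so the card number never reaches the archive.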

Want to learn more about Recordia Speech Analytics and its PCI Anonymization solution? You can find more information here.