05 October 2009

Payment Card Industry Data Security Standard 2008

The Payment Card Industry Data Security Standard or (‘PCI DSS’) was developed by the founding Payment Branch of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB MasterCard Worldwide and Visa International. The PCI Security Council describe PCI DSS as a “multifaceted security standard that includes requirements for security management, policies and procedures, network architecture, software design and other critical protective measures” Its purpose is to help organisations, including charities, proactively protect customer account data.

The PCI DSS applies to every charity, regardless of size, which:

  • processes;
  •  stores; or
  • transmits credit card data.

Failure to comply may lead to a charity being fined by the bank that processes the charity’s transactions or having their privileges removed by the credit card company.

The PCI DSS sets out a number of requirements which must be met by all those caught by the Standard which are as follows:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.

Organisations not only need to comply with these requirements, but must also have that compliance validated. The level of validation required depends upon the number of transactions carried out per year:


 Level No. of transactions per year 
 1  Six million or more
 2  One million to six million
 3  20,000 to one million
 4  Fewer than 20,000






Most charities will fall within level 4 with fewer than 20,000 transactions per year and these will require an external network vulnerability scan conducted quarterly by an accredited security firm and satisfactory completion of an annual self-assessment questionnaire.

For more information about PCI DSS and related compliance matters contact David Dannreuther.

Category: Article