Is PCI DSS a legal requirement in the UK?
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not required by UK law. Instead, it is enforced through the contractual agreement between an organization and its bank or card issuer.
Previously, we've discussed the meaning of PCI DSS. But, simply put, all UK organizations that process or transfer cardholder data need to be compliant with PCI DSS. But this isn't enshrined in UK law. Instead, compliance is mandated by the PCI Security Standards Council, a group of the five largest card issuers. Companies can face fines from these card issuers if they do not meet the correct PCI DSS compliance level.
So, although not strictly a legal requirement, PCI DSS compliance will, in many ways, still be mandatory for UK organizations. Also, PCI DSS is extremely relevant to legal regulations protecting private or personal data.
This guide will explore PCI DSS compliance in the UK, how it is enforced, and its impact on wider UK regulations.
Is PCI DSS Compliance Mandatory in the UK?
The PCI DSS is a global standard for ensuring secure card payments, and that includes in the UK. All UK organizations that process or transmit cardholder data must be compliant with the PCI DSS at some level. Companies will need to provide proof of PCI DSS compliance to their bank or risk a fine.
These organizations will either be merchants or service providers. Merchants are the high street shops, online retailers, or individual traders that accept and process card payments. Service providers process, store or transmit cardholder data within their business operations.
A range of UK businesses will fall under these two categories, all within various settings. Cardholder data fraud risk will be relative to the business operations' complexity and function. Businesses must achieve varying compliance levels depending on the number of transactions being processed.
Compliance levels are directly linked to the organization's annual card transactions. This changes the steps an organization needs to take when measuring and reporting PCI DSS compliance.
The largest UK companies which process millions of card payments each year will need to complete a full PCI audit by an external assessor. A smaller UK company accepting card payments may need to fill in a self-assessment form. Both examples need to prove compliance but to varying degrees.
How Is PCI DSS Compliance Enforced in the UK?
PCI DSS sets 12 requirements for the secure processing and storage of cardholder data. Each step will lower the risk of card fraud or serious data breaches. If a company isn't compliant with it, the card issuer can't be sure that the cardholder data environment is secure. As a result, the card issuer will issue fines until the business can prove compliance.
PCI DSS sets 12 requirements for the secure processing and storage of cardholder data. Each step will help the organization lower the risk of card fraud or serious data breaches. If a company isn't compliant when it should be, the card issuer can't be sure that the cardholder data environment is secure. As a result, the card issuer will issue fines until the business can prove compliance.
PCI DSS Fines and Penalties
Compliance is mainly enforced through card issuers fining non-compliant companies. Fines are usually levied at the bank and are then passed on to the non-compliant business. Banks may also offset the cost of fines through increased transaction fees. This might result in higher fees for businesses, adding to the financial cost of non-compliance.
After a security incident or data breach, fines may be issued if it transpires that the company wasn't compliant with PCI DSS. The organization may continue to receive fines until they can prove compliance. This is in addition to any regulatory fines faced by the organization due to a data breach.
Fines and higher transaction costs act as a deterrent for any non-compliant organization. Depending on the level of non-compliance and the size of an organization, fines and penalties can be up to ''80,000. If a business continues to be non-compliant, it might lose the ability to process card payments.
Who Enforces PCI DSS Compliance?
Although the card issuer gives the fines, It's down to the bank to monitor the day-to-day PCI DSS compliance of businesses. Adherence to PCI DSS standards is usually included within the contractual agreement between a merchant and its bank.
The bank will usually assess what level of compliance the business must achieve. The level is related to the total amount of cardholder transactions processed each year. The business must then submit proof of compliance to the bank. This can be a full-scale audit for large organizations or just a self-assessment questionnaire for smaller operations.
PCI DSS Compliance and Other UK Legal Requirements
Although there is no direct legal requirement for compliance with PCI DSS, it can play a key role in complying with data protection regulations. The EU's General Data Protection Regulation (GDPR) or the UK's Data Protection Act (DPA) safeguard personal and private data. Organizations can face huge fines if a serious breach of personal data occurs, which of course, includes cardholder data.
Compliance with PCI DSS helps organizations embed policies and procedures to protect cardholder data. The requirements outlined by the PCI DSS will help to mitigate the risks of payment card fraud during transactions. For UK organizations that store cardholder data, PCI DSS compliance is vital to securing and strengthening their systems.
If a data breach occurs and the organization doesn't have adequate data protection policies, they could face huge regulatory fines. GDPR fines can amount to four percent of global turnover, so the penalties of a serious data breach can be severe.
Managing PCI DSS Compliance in the UK
Keeping track of PCI DSS requirements and compliance can be a complex task. Tools like Diligent Compliance software make the management of PCI DSS compliance easy.
PCI DSS compliance can lower the risk of card fraud and data breaches. Keeping track of compliance helps organizations avoid unnecessary fines and strengthen system vulnerabilities. Compliance software brings the policies, documents, and evidence needed for PCI DSS compliance in one place.
To understand how compliance software may help your organization, book a demo with Diligent today.
