For over 15 years Portcullis has been a fully accredited provider of security testing services. We specialise in assisting Commercial and Government Organisations to mitigate their security risk and become compliant with standards such as ISO 27001, CHECK and PCI DSS.

If an organisation has online facilities for selling goods, or for taking donations or payments, via credit or debit card, it has been a requirement since June 2006 for it, as a "merchant", to comply with the Payment Card Industry Data Security Standard (PCI DSS). Note that the standard is not limited to e-commerce: it applies to any merchant that stores, processes or transmits cardholder data, whatever the channel.

The standard was instigated and implemented jointly by Mastercard and Visa in response to increased fraud and identity theft involving stolen credit card data, in order to limit losses to the card providers and improve consumer confidence. It also has the backing of two of the other key players, American Express and Diners Club.

There are two key aims that the standard sets out to address:

To allay consumer fears over using their credit cards online (e.g. that their details may be compromised or abused)

To ensure that merchants are more accountable for their own risk

If cardholder data is compromised, a merchant that cannot demonstrate compliance with the standard may be held liable for any losses that result from the breach. Several other risks present themselves beyond non-compliance itself, such as reputation and brand damage. The card brands, acting through the merchant's acquiring bank, can also impose fines and, in exceptional circumstances, withdraw the merchant from the card acceptance programme altogether.

These aims are only part of the jigsaw that makes up the overall standard. In addition, the PCI DSS requires merchants to meet six control objectives:

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy

These six objectives are broken down into the 12 PCI DSS requirements, which in turn comprise around 200 separate sub-requirements, the individual checks against which an assessor tests a merchant's environment.

Merchants and service providers face different compliance validation requirements, and for merchants these vary with the volume of card transactions processed rather than the size of the company. Compliance levels are defined by annual transaction volume and the corresponding risk exposure, as set out below. At every level the quarterly external vulnerability scan must be performed by a PCI Approved Scanning Vendor (ASV); the on-site assessment at Level 1 is carried out by a Qualified Security Assessor (QSA), which is a separate role from the scanning vendor.

Merchant Level 1
Criteria: All merchants, including electronic commerce, with more than 6 million transactions annually.
Assessment type: An annual independent on-site assessment is required, carried out by a Qualified Security Assessor.
Frequency of scan: Quarterly, by an Approved Scanning Vendor.

Merchant Level 2
Criteria: All merchants with between 150,000 and 6 million e-commerce transactions annually.
Assessment type: Annual self-assessment questionnaire.
Frequency of scan: Quarterly, by an Approved Scanning Vendor.

Merchant Level 3
Criteria: All merchants with between 20,000 and 150,000 e-commerce transactions annually.
Assessment type: Annual self-assessment questionnaire.
Frequency of scan: Quarterly, by an Approved Scanning Vendor.

Merchant Level 4
Criteria: All other merchants.
Assessment type: Annual self-assessment questionnaire, recommended; the acquiring bank sets the validation requirements for this level.
Frequency of scan: Annually, recommended.