An Introductory Guide to PCI DSS Compliance

If you are taking payment from customers, it is vital that your business gets PCI DSS compliance right. However, PCI DSS compliance in the UK can be very challenging to wrap your head around, particularly if you are accepting payment over the phone. In this guide, we introduce PCI DSS and explain how your business can best meet its compliance needs.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls created by the PCI Security Standards Council, the global forum for industry leaders in the credit payment sector.

The forum itself was set up by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc, who make up more than 99% of the payments market. Each company requires all transactions to be PCI DSS compliant and can issue penalties to non-PCI DSS compliant companies. In other words, if you want to accept over-the-phone card payments at your call centre, you need to be PCI DSS compliant.

PCI DSS is a granular standard that applies to all entities that store, process, or transmit payment card data, and to any group or organisation that might impact the security of credit card processing.

What is PCI DSS 3.2.1?

On 1 January 2019, the previous version of PCI DSS (3.2) became outdated and was replaced by the new version 3.2.1. Most of the changes were clarifications of the old document, fixing errors and removing outdated notes and testing procedures. You can find a full list of the changes on their website here.

As of 1 January 2019, all companies that take payments over the phone must have systems in place valid to at least version 3.2.1 of PCI DSS. While some of these changes are minor, make sure your business keeps up to date with the new standards.

What are the PCI DSS Standards?

To be PCI DSS compliant, you have to meet 12 standards which fall into six categories:

1 Build and Maintain a Secure Network

Firstly, you must install and maintain a firewall configuration that protects your data and your customers' data. Secondly, you must not use vendor-supplied defaults for system passwords and other security parameters; you must have specially chosen settings in place instead.

2 Protect Cardholder Data

Firstly, you must encrypt and protect stored data. Secondly, you must encrypt any transmission of cardholder data and sensitive information that goes across the internet.

3 Have a Vulnerability Management Strategy

Firstly, you must use and regularly update antivirus software. Secondly, you must develop and maintain secure systems and applications for taking payments.

4 Strong Access Control Measures

Firstly, you must assign a unique ID to each person with computer access to your payments system. Secondly, you must restrict physical access to cardholder data.

5 Monitor and Test Networks

Firstly, you must monitor all network access and cardholder data for intruders and hackers. Secondly, you must regularly test your security systems and processes for vulnerabilities.

6 Information Security Policy

Firstly, you must restrict access to data on a need-to-know basis. Secondly, you must maintain a policy that addresses information security and stick to it.

As of 2019, your business must also use Transport Layer Security (TLS) as a security control. You can test whether your current system is PCI DSS compliant through a self-assessment questionnaire (SAQ) provided by the PCI Security Standards Council here.

Alternatively, our agent-assisted hosted dialler service requires no training and the agent is not exposed in any way to card data or DTMF tones, which greatly simplifies your PCI DSS obligations. For more information, we have produced a guide here on PCI DSS compliance, with more details on what we can offer your business.

What is PCI DSS Best Practice?

There are many best practice principles behind PCI DSS compliance. Some of the main ones include:

  • Ensure all your software is always up to date.
  • Always change default manufacturer passwords.
  • Isolate point-of-sale systems from other networks.
  • Only use reputable dealers for anything related to payments.
  • Identify risk and security issues, and go above the minimum security requirements whenever possible. Regularly test your security system, set up alerts for attempted attacks, and audit your system regularly for compliance.
  • Clearly define who is responsible for PCI DSS compliance in your business.
  • Segment your Cardholder Data (CHD) and Sensitive Authentication Data (SAD) from the rest of your company’s data. Retailer Saks lost the card data of five million customers because hackers could access their payment processing system from the company’s emails; both were held on the same server.
  • All CHD and SAD should be encrypted or tokenised from the moment you interact with your customer.
  • Implement role-based access control (RBAC) so that only relevant agents ever have any access to CHD or SAD; ‘descope’ administrators or your HR team so they can never access this information if they currently can.
  • Use strong passwords and two-step authentication for access to anything related to payments.
  • Use dual-tone multi-frequency (DTMF) masking technology to give more security to your consumers.

What Documents Will I Need to be PCI DSS compliant?

While you don’t need any specific documents to be PCI DSS compliant, it is very wise to have information about the following documented somewhere:

  • Antivirus Policy
  • Password Policy
  • Cardholder Data Policy
  • Firewall and Router Policy
  • Information and Physical Security Policy
  • Access Control Policy
  • System Configuration, Monitoring and Logging Policy
  • Testing Systems and Processes Procedure
  • Information Security Incident Management Policy
  • Inventory and Ownership of Assets Policy
  • Application and System Development Software Policy
  • Managing Service Providers Policy
  • Information Security Awareness Program & Responsibilities Policy Statement
  • Individual User Agreement Templates
  • Data Classification, Protection, and Management Policy

Altogether, these documents would cover the security of your customers, your call system, and your staff. They cover physical, online, and over-the-phone methods of payment. Finally, these documents also mean you have a policy for testing your system if attacked and have tests in place to check the security of your existing system.

Hostcomm has PCI-DSS level security across its entire platform, not just payment IVR. Because of this, if your organisation needs to meet the standards outlined in PCI DSS compliance in the UK, working with Hostcomm greatly reduces your PCI DSS compliance obligations. Contact us for more information about how our hosted dialler solutions can meet your business’s needs.
