5 PCI DSS Compliance Myths Debunked

The number of credit and debit card payments made in the UK each year has increased significantly over the past decade: the UK Cards Association reported that 15 billion transactions were made in 2015, with a value of around £660 billion (35% of the UK GDP in 2015). With this rise in card payments, payment security has rightly taken more of a front seat in recent years.

However, there is still a good deal of confusion around PCI DSS: many people don’t understand what it is or what implications it has for them or their business. As a PCI DSS Tier 1 Service and Solutions Provider, we have heard it all here at C3.

  1. We don’t process enough payments to require compliance

Ever since the implementation of the newest PCI standard – PCI 3.2 – in 2016, there is no longer a minimum number of transactions that must take place before a merchant is required to be PCI compliant. This means that even if you process one card payment a year you still need to adhere to the standard and be fully compliant.

  2. PCI only applies to e-commerce companies

PCI applies to any company that stores, processes or transmits cardholder information, whether you have a shop in a physical location and use POS devices, take card payments online through your online store or offer a tele-billing service.

  3. Masking numbers is enough

Many believe that hiding the whole credit or debit card number except the last 4 digits is enough, when in fact it is not; it is only a small step in the PCI process. Masking only hides the full number on the payment screen so that, in a contact centre for example, the agent can’t see it. It does nothing about your network or systems storing that information in a non-compliant manner elsewhere, where it can be retrieved and decoded later.

  4. Merchants are allowed to store any data

Many business owners think they have the right to store any and all of the data they want in order to aid their business. This violates PCI DSS as well as privacy legislation, since customers may not have given permission for their sensitive data to be stored. PCI states that unencrypted credit card numbers, CVV or CV2 numbers, PIN blocks, PIN numbers and Track 1 or Track 2 data cannot be stored under any circumstances. Anyone found to have stored any of the above information runs the risk of serious consequences, particularly if any data has been compromised; a security breach and all the costs that come with it could put a company out of business.
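The two myths above share a practical check: masking a PAN on screen does not tell you whether the full number is still sitting in a log file, database export or call recording transcript elsewhere. The script below, an added example that is not C3’s code or part of the original article, does two things: it masks a PAN to the last 4 digits as described, and it scans text for unmasked PANs by looking for 13–19 digit runs that pass the Luhn check, which weeds out most order numbers and timestamps. The log lines are constructed for the example, and the card numbers in them are well-known Luhn-valid test values, not real cards. CVV/CV2 values and PIN blocks cannot be found this way (they are short numbers with no checksum), so storage of those must be ruled out by design, not by scanning.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). Line 0 stores a full
# PAN in the clear, line 1 stores a correctly masked PAN, line 2 holds a
# 13-digit order number that is not a card number.
SAMPLE_LINES = [
    "2016-05-01 10:02:11 agent=42 pan=4111111111111111 amount=19.99",
    "2016-05-01 10:02:12 agent=42 pan=************1111 amount=19.99",
    "2016-05-01 10:02:13 order=1234567890123 status=ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the last 4 digits remain visible (display use only)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run found in the text."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan stored text line by line; each hit is (line index, full PAN found)."""
    hits = []
    for index, line in enumerate(lines):
        for pan in find_unmasked_pans(line):
            hits.append((index, pan))
    return hits


if __name__ == "__main__":
    print("masked for display:", mask_pan("4111 1111 1111 1111"))
    for index, pan in scan_lines(SAMPLE_LINES):
        # Report only the masked form: the scanner's own output must not
        # become another place where full PANs are written down.
        print(f"line {index}: unmasked PAN stored ({mask_pan(pan)})")
```

Run it over exported logs, database dumps or ticket text as part of a regular check; a hit means the masking on screen was never the whole story, and the storing system, not the display, is where the fix belongs.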

  5. PCI is unreasonable

When it comes to the security of your customers’ sensitive information and data, nothing is unreasonable. PCI DSS is common security practice. It may be hard to understand for those who do not have large security or IT departments, but that is where C3 comes in. We are fully accredited to provide a range of secure solutions for processing credit and debit card payments via telephone, SMS and/or online.

We have worked with some of the UK’s biggest charity events, such as Comic Relief and Children in Need, to process thousands of secure payments per hour. We also work with many retailers, value added service providers and tele-billing organisations to develop PCI DSS compliant smart payment applications.
