PCI DSS responsibility

Who has responsibility for your business’s PCI DSS compliance?

The new EU General Data Protection Regulation (GDPR) sets out that every company should have a designated individual overseeing data protection – not in terms of deciding what data to store, but ensuring that procedures and policies are in place and knowing what to do should a breach occur. And the same goes for PCI DSS.

But that doesn’t mean that ensuring a company’s compliance is down to one person or department alone. In every organisation there is a temptation to ‘pass the buck’ on something that isn’t the specialisation of a given team, but for the procedures to be effective everyone in the business needs to contribute. Here are just a few examples of the roles that different teams will play.

IT team

So often, the obvious choice is to place all responsibility for PCI DSS onto the team that runs and manages the IT network. They play an important role in putting firewalls in place that are robust and up to date, in ensuring that customer data is processed in a secure environment, and in making sure that no cracks appear in the integration between the various systems and databases. Attackers are constantly developing new ways to infiltrate systems, so IT teams have to keep pace with new technologies to keep a data breach at bay. But to do this they need the support of…

Business owners / senior management

It’s often tempting for business owners and directors to bury their heads in the sand and take an ‘it’ll never happen to us’ attitude when it comes to data protection and cyber security. This is a dangerous approach when data breaches are consistently on the rise, affecting businesses of all shapes and sizes, and when the repercussions of not being compliant can destroy the future of the organisation.

Sensible senior management teams, business owners and management boards are very much aware of the risks associated with not being PCI DSS compliant. Ready to invest adequate funds in up-to-date, secure systems and software, they see cyber security as a necessity and as an opportunity to improve their relationship with the customer.

A top-down approach is crucial – a survey by ClearSwift in 2015 showed that, worryingly, 22% of employees think they have no responsibilities relating to data security. Management has to oversee the establishment of corporate policies to ensure that knowledge of the risks and responsibilities stretches throughout the organisation. To do this, they need to enlist the commitment of…

Human resources

The HR team is responsible for organising induction and training programmes that maintain the skills of the workforce at the standard the business requires, and this should include topics relating to data protection and cyber security. In addition to training, it is essential that staff handbooks are kept up to date with information on the company’s data protection commitments, and that staff are given clear guidance on what to do if they notice suspicious activity within the database and payment systems.

Call handlers/agents

Technology will only ever be as good as the people who use it. While companies can throw themselves into preventing a security breach, they rely on the commitment and diligence of their staff to prevent weaknesses in the payment process, to look out for the signs of a breach, and to know what to do if and when one happens.


At PCI Telecom, we create secure card payment systems that work for your business, be it for payments over the phone or online. Our card payment solutions feature end-to-end encryption and have PCI DSS Level 1 accreditation. Find out more about passing on your PCI DSS compliance responsibilities to us AND getting a card payment system built bespoke for your business by giving us a call today.