The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 security control requirements that must be met to accept, process, and store credit card information. Organizations that accept credit card payments must comply with PCI DSS to avoid costly fines and penalties.
PCI DSS compliance is required for all organizations to protect credit card information from being stolen or compromised. This includes businesses of all sizes, from small businesses to large enterprises.
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for developing and maintaining the PCI DSS. It was launched in 2006 and comprises representatives from major credit card service providers, including Visa, MasterCard, American Express, and Discover.
Levels of PCI DSS compliance
There are four levels of compliance based on the number of transactions an organization processes per year:
- Level 1: More than 6 million card transactions per year.
- Level 2: Between 1 and 6 million card transactions per year.
- Level 3: Between 20,000 and 1 million card transactions per year.
- Level 4: Fewer than 20,000 card transactions per year.
How often is PCI DSS compliance required?
PCI compliance is required annually. Organizations must complete a Self-Assessment Questionnaire (SAQ) and submit it to their acquiring bank or credit card processor. SAQs must be completed and submitted every 12 months, even if there have been no changes to the organization’s payment processing procedures.
Organizations that are not compliant with PCI DSS 4.0 risk costly fines and penalties. Non-compliance can also lead to the loss of the ability to process credit cards, which can devastate a business.
What is the current PCI standard?
The current PCI standard is PCI DSS 4.0, released in the first quarter of 2022. Organizations not compliant with PCI DSS 4.0 must upgrade their systems and procedures to become compliant.
According to Davis Wright Tremaine LLP, PCI DSS 4.0 stipulates several revisions to previously recognized rules and regulations on various PCI-related topics, including documentation requirements and technical modifications to the physical hosting environment (the cardholder data environment, or CDE).
Self-hosted merchants are now required to handle lists of future modification requests and long-term migration plans, keeping their technical teams extremely busy.
Steps involved in becoming PCI compliant
- Assessment: The first step is to assess your organization’s current state of PCI compliance. This assessment will identify gaps in compliance and allow you to develop a plan to address those gaps.
- Implementation: The second step is implementing the necessary changes to become compliant. This may involve upgrading systems and procedures and training employees on the new standards.
- Validation: The third step is to validate that your organization is indeed compliant. You can do this through an independent assessment conducted by a Qualified Security Assessor (QSA).
How do I know if I am PCI compliant?
If you are a Level 1, 2, or 3 merchant, you will need an annual on-site PCI DSS compliance assessment conducted by a Qualified Security Assessor (QSA).
Level 4 merchants are not required to have an on-site assessment but must still complete a Self-Assessment Questionnaire (SAQ).
There are four different types of SAQs, depending on how credit card information is collected and processed:
- SAQ A: For merchants who have fully outsourced all cardholder data functions to an approved service provider.
- SAQ B: For merchants who outsource payment processing to an Internet service provider using a secure browser form, or who use a standalone terminal that isn’t connected to their network.
- SAQ C: For merchants whose cardholder data environment has an Internet connection and who use a virtual terminal, a batch upload mechanism, or POS terminals connected to their network.
- SAQ D: For merchants whose cardholder data environment has an Internet connection and who process card-not-present transactions or have a point-of-sale system integrated with their website.
An Attestation of Compliance (AOC) form is also required for all SAQs. The AOC is a document signed by an authorized representative of the organization, attesting that they have read and understand the PCI DSS requirements and are in compliance with all 12 of them.
The 12 PCI compliance requirements
There are 12 PCI data security standards that all organizations must meet to be compliant. These requirements are as follows:
1. Install and maintain a firewall configuration to protect data
This is an essential requirement, as it helps to prevent hackers from gaining access to sensitive data. Organizations should install firewalls at the network perimeter and on individual servers to provide the best protection from breaches and malware.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Hackers often target systems with easily guessed or known default passwords. Organizations, especially e-commerce organizations that store, process, or transmit cardholder data, must use strong passwords and security controls such as multi-factor authentication, and must protect information during transmission across open, public networks.
3. Protect cardholder data
If cardholder data is compromised, it can result in fraudulent charges, loss of customer confidence, and damage to an organization’s reputation. To minimize the risk of data compromise, organizations should encrypt the transmission of credit card data across open, public networks, using either the Transport Layer Security (TLS) or the Secure Sockets Layer (SSL) protocol.
Transport Layer Security (TLS) encrypts data in transit and provides privacy and data integrity between two applications. SSL is the older protocol that TLS replaced and serves the same purpose, but TLS is more secure and is the recommended choice for PCI compliance.
4. Encrypt transmitted data
The fourth requirement is to encrypt all cardholder data transmitted across open, public networks. IGI Global defines encryption as the process of transforming readable data into an unreadable format. Data encrypted with a key can only be decrypted using the same key.
Encryption can be applied in two ways:
- In transit: Data is encrypted while being transmitted from one system to another. This is also known as data-in-transit encryption.
- At rest: Data is encrypted when stored on a system, such as a server or a laptop. This is also known as data-at-rest encryption.
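To make the in-transit requirement concrete, here is an added example (not code from the original page or from ne Digital) that builds a weak TLS client context beside a hardened one and audits both; the audit rules and the function names are this example's own assumptions, not PCI SSC tooling.

```python
import ssl

# Assumed policy (not from the page): TLS 1.2 as the floor, certificate
# verification and hostname checking on. SSL and early TLS are excluded.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def weak_context() -> ssl.SSLContext:
    """The 'before' case: any protocol version, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no version floor
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate
    return ctx


def pci_context() -> ssl.SSLContext:
    """The corrected case: verified peers, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = MIN_TLS        # explicit floor, independent of defaults
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol floor below TLS 1.2 (SSL/early TLS allowed)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("pci", pci_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The same checks can be run against any `SSLContext` an application hands to its HTTP or database client library.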
5. Use and regularly update anti-virus software or programs
Installing anti-virus software is a must for any organization keen on cybersecurity. Organizations handling cardholder data should install anti-virus software to protect systems from malicious software, such as viruses, worms, and Trojans. Organizations should update anti-virus software regularly to ensure that it can protect against the latest threats.
6. Develop and maintain secure systems and applications
PCI compliance rules state that organizations must ensure that all software is up-to-date and patched regularly. In addition, any software that is used to store, process, or transmit cardholder data must be secure. This includes web applications, databases, and operating systems.
7. Restrict access to data by business need-to-know
Individuals who can access cardholder data should only be those who need it for their job. For example, customer service representatives need to view customer data to provide assistance. By restricting access to data, organizations can help to prevent unauthorized access and use of stored cardholder data.
8. Assign a unique ID to each person with computer access
Each individual with access to cardholder data should have a unique user ID. This helps to ensure that each person is accountable for their actions. In addition, it can help to prevent unauthorized access to data.
9. Restrict physical access to data
Cardholder data should be stored in a secure network or location only accessible by authorized personnel. Physical access to information should be restricted using security measures such as locks, cameras, and badge systems.
10. Track and monitor all access to network resources and cardholder data
All activity on the network should be monitored and logged. This includes access to data, as well as any changes made to data. Monitoring activity can help to detect unauthorized access and use of payment card data.
Organizations can track and monitor activity in several ways, including:
- Intrusion detection systems: These systems monitor activity on the network and generate alerts when suspicious activity is detected.
- Firewalls: Firewalls can be used to block unauthorized access to the network.
- Strong access control measures: This can be in the form of access control lists used to restrict access to specific resources on the network.
- Security information and event management (SIEM) systems: These systems collect and analyze data from various sources to identify security incidents.
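Requirements 7, 8 and 10 above describe what monitoring should catch: access outside need-to-know, shared rather than unique IDs, and repeated denied attempts. The following added example (not from the original page or from ne Digital) runs those three checks over constructed audit log lines; the log format, the allowlist and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample audit log (not real data); the line format is hypothetical:
# <timestamp> user=<id> action=<verb> resource=<path> result=<ok|denied>
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice action=read resource=/cde/cards/4111 result=ok
2024-05-01T09:13:10Z user=bob action=read resource=/cde/cards/4111 result=ok
2024-05-01T09:14:55Z user=admin action=export resource=/cde/cards result=ok
2024-05-01T09:15:02Z user=mallory action=read resource=/cde/cards/5500 result=denied
2024-05-01T09:15:09Z user=mallory action=read resource=/cde/cards/5500 result=denied
2024-05-01T09:15:15Z user=mallory action=read resource=/cde/cards/5500 result=denied
2024-05-01T09:20:00Z user=carol action=read resource=/public/catalog result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>ok|denied)$"
)

CDE_PREFIX = "/cde/"                          # assumed: paths holding cardholder data
NEED_TO_KNOW = {"alice"}                      # req. 7: users whose job needs card data
SHARED_ACCOUNTS = {"admin", "root", "shared"}  # req. 8: generic IDs, not unique to a person
DENIED_THRESHOLD = 3                          # req. 10: repeated denials worth an alert


def parse(log_text):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def review(log_text):
    """Return (requirement, user, detail) findings for the three checks."""
    findings, denied = [], Counter()
    for ev in parse(log_text):
        if not ev["resource"].startswith(CDE_PREFIX):
            continue                                  # only cardholder data matters here
        if ev["result"] == "denied":
            denied[ev["user"]] += 1                   # tally for the repeated-denial check
        elif ev["user"] in SHARED_ACCOUNTS:
            findings.append(("R8", ev["user"], f"shared account did {ev['action']} on {ev['resource']}"))
        elif ev["user"] not in NEED_TO_KNOW:
            findings.append(("R7", ev["user"], f"no need-to-know for {ev['resource']}"))
    for user, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("R10", user, f"{n} denied attempts on cardholder data"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f)
```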
11. Regularly test security systems and processes
Running internal vulnerability scans is a good way to test security systems and identify weaknesses. In addition, organizations should regularly perform penetration testing. This is a simulated attack on the system to test its security.
Organizations can also use third-party services such as the External Security Testing (EST) program offered by the PCI Security Standards Council. This vulnerability management program provides testing services to help organizations assess their compliance with PCI DSS. These services can help to identify weaknesses in the system that attackers could exploit.
12. Maintain a policy that addresses information security
Finally, PCI compliance requires that organizations have a written security policy covering all information security aspects. This policy should be reviewed and updated regularly to ensure it is up-to-date.
The information security policy should address the following topics:
- Data classification: Data should be classified according to its sensitivity. This will help to determine how organizations should protect their data.
- Data handling: Procedures for handling data should be clearly defined. This includes procedures for storing, accessing, and destroying data.
- Personnel security: Organizations should screen all employees before granting them access to sensitive data. In addition, organizations should train their employees on security procedures and policies.
- Physical security: Physical access to data should be restricted. This includes measures such as locks, cameras, and badge systems.
The benefits of meeting PCI compliance requirements
There are many benefits to meeting the requirements of PCI DSS. These benefits include:
- Improved security: By following the PCI DSS requirements, organizations can help to ensure that their systems are secure. This can protect the organization from various security threats, including data breaches.
- Reduced costs: Meeting the PCI compliance requirements can help to reduce the costs associated with data breaches. This is because complying with the requirements can help to prevent data breaches from happening in the first place.
- Improved customer satisfaction: PCI compliance can help to improve customer satisfaction by ensuring that their data is safe. This is because customers will have confidence that their information is being adequately protected.
- Improved business reputation: Achieving PCI compliance can help improve the organization's reputation. This shows that the organization is serious about protecting customer data.
Penalties for non-compliance
Is PCI compliance required by the major credit card companies? Yes, and if an organization is non-compliant, they risk the following penalties:
- Fines: Organizations that do not meet the PCI compliance requirements can be fined by credit card companies and financial institutions. According to pcidssguide.com, these fines can range between $5,000 and $500,000 per month.
- Loss of merchant status: Credit card companies can also revoke an organization's merchant status if they are non-compliant. This can prevent these organizations from accepting credit cards as payment.
- Criminal charges: In some cases, organizations that do not meet the PCI compliance requirement can be charged with a crime. This is rare, but it is possible.
- Liability for fraud charges: Organizations that are non-compliant with PCI DSS compliance requirements can be held liable for any fraud committed using their systems. This is because non-compliance indicates that the organization did not take the necessary steps to protect customer data.
How ne Digital Can Help Organizations with PCI Compliance
ne Digital is a leading provider of compliance managed services. We can help organizations assess their compliance with the PCI DSS requirements and develop a plan to meet them. In addition, we can provide ongoing support to help organizations maintain their compliance.
For more information, you can talk to our experts in Compliance Managed Services.