As an entrepreneur, it’s your duty to provide your clients with safe and secure payment methods. These are usually regulated by specific laws that ensure sensitive data of both businesses and customers stay protected. The most prominent example of such regulations is the Payment Card Industry Data Security Standard, PCI DSS for short.
In a nutshell, PCI DSS refers to any organization that accepts credit card payments. It applies to anything involving credit cards, specifically to:
- Point-of-sale systems
- Card readers
- Store networks and access routers
- Payment card data storage and transmission
- Data stored in paper-based records
- Online payment apps and shopping carts
To be PCI compliant, such a company has to protect cardholder data and maintain a secure environment. The organization that regulates PCI DSS is the PCI Security Standards Council (PCI SSC), an independent body established by the five largest credit card companies – Visa, MasterCard, Discover, American Express, and JCB.
To keep PCI compliance, a company has to meet technical and operational standards imposed by the mentioned PCI SSC. The goal here is to help ensure the security of credit card transactions and protect cardholder data at all times. And if it all seems complicated, don’t worry. In this guide, we’ll cover everything you have to know about PCI DSS compliance, including requirements your business has to meet, its benefits, and many more. Read on and see how to maintain secure systems and keep your company and customers’ data safe.
payments securely and faster?
Ask Weave
Weave Helps Businesses Collect Payments Sucessfully and Safely
Introduction to PCI DSS Compliance
In general, as we briefly mentioned in the intro, PCI compliance refers to credit card data security. To be more specific, PCI Data Security Standards cover every aspect of payment card transactions, ensuring you protect your customers every time you accept, store, process, and transmit cardholder data and sensitive authentication data.
To ensure all these, businesses need to follow certain PCI DSS requirements, established in 2006 by the Payment Card Industry Security Standards Council.
The objectives of the PCI DSS can be divided into:
- Building and keeping a secure network
- Protecting cardholder data
- Maintaining a vulnerability management system
- Implementing strong access control
- Monitoring and testing networks
- Maintaining an information security policy
In principle, implementing PCI DSS should reduce data breaches, protect sensitive data, and improve company reputation. Lack of following PCI data security standards might lead to sensitive cardholder data being stolen, which can cause severe consequences, ruining your brand reputation.
Key PCI Compliance Requirements
Payment Card Industry Security Standards Council provides a clear set of guidelines on how various service providers can maintain PCI compliance. There are 12 key requirements, 78 base requirements, and over 400 test procedures. Besides these, PCI provides in the DSS various tools and resources to help organizations protect credit card data, including:
- Self-Assessment Questionnaire (SAQ) to help a company validate its PCI DSS compliance
- PIN Transaction Security (PTS) requirements for device manufacturers and vendors, with a list of validated PIN transaction devices
- Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications
These resources come with Payment Card Industry Data Security Standards, and their goal is to help businesses create and maintain more secure systems. And as for the 12 key requirements, a company should follow, here’s a more thorough explanation on how they work and how to apply them in your organization to ensure you stay PCI DSS compliant:
1. Use Firewalls for Data Protection
The first PCI data security standard ensures that a business protects cardholder data through proper firewall configuration. Like for any other online user, a firewall is the first layer of security, responsible for restricting incoming and outgoing network traffic by specific criteria configured by your company.
Most importantly, firewalls prevent unauthorized access to your stored cardholder data and other sensitive information that might jeopardize your operations. Maintaining an efficient firewall system is the core of PCI DSS and the first thing to consider in reaching your organization’s goal to become PCI compliant.
2. Implement Proper Password Protection
Many organizations still underestimate the importance of implementing proper password protection. This might not be the case with you (hopefully), but you’d be surprised how many companies use generic passwords for routers, modems, POS (point of sale), firewalls, and other network devices. This can lead to severe security vulnerabilities, increasing the chances of successful cyber attacks and security breaches.
Well, if you want to achieve PCI compliance, such measures won’t work. PCI puts an emphasis on implementing strong passwords instead of using default ones. This standard also states that a company must maintain an inventory of all the configuration procedures, every system, passwords you use, and devices.
3. Protect Cardholder Data
The third and the most important requirement provided by PCI is cardholder data protection. After all, that’s practically the whole point of PCI DSS compliance. According to this data security standard, an organization must know all the data it stores, along with its retention period and location.
Secondly, stored cardholder data must be encrypted with the payment card industry-approved algorithms, such as AES-256. Also, besides payment card data encryption, this PCI DSS requirement states a strong encryption key management. Regular scanning and maintenance of primary account numbers (PAN) is also necessary to make sure there are no encrypted data left.
4. Encrypt Transmitted Cardholder Data
This requirement works similarly to the previous one. The only difference here is that it refers to cardholder data you transmit over a public network. Being PCI compliant means you must know where and to whom you send the data and from whom and where you receive it.
Then, you must ensure this data is encrypted (using protocols like TLS or SSH) to prevent cybercriminals from accessing it when sending it through public or open networks.
5. Use Anti Virus Software
Like a firewall, anti-virus software is the core of every cyber security strategy (or at least should be). PCI thinks the same way, underlining the importance of using top-quality anti-virus programs. Not only that, any organization has to ensure their anti-virus and malware-protection software is regularly updated and used on all devices and systems that interact with PAN, including smartphones, laptops, PCs, and tablets.
6. Maintain Security Systems and Update Software
The world of cyber threats is constantly evolving, with new malware software or cyber attack techniques appearing each day. With this in mind, it’s absolutely vital to ensure your firewall and anti-virus software is capable of dealing with those new threats. For this, though, you need to keep everything up to date.
In fact, practically every software product requires patches and updates. This doesn’t only refer to security programs but also operating systems, POS terminals, application software, or cloud databases. PCI acknowledges this, including updating software in the Payment Card Industry Data Security Standards.
7. Restrict Access to Cardholder Data
Only people who work with it should have access to cardholder data, following the rules of role-based access control (RBAC). As required by PCI DSS, these roles should be documented and updated regularly. The list of roles must contain a definition of each role, privilege level, and data resources necessary to perform operations credit card data.
8. Assign Unique IDs for Access to Data
PCI DSS requires every person mentioned on the RBAC list to use unique credentials, passwords, and identification. Shared passwords and logins are treated as one of the PCI compliance violations. Individual login details are crucial for maintaining cardholder data security. And as for people with remote access, PCI standards require two-factor authentication.
9. Restrict Physical Access to Data
As you can see, PCI DSS pays particular attention to strong access control measures. The ninth requirement also refers to this issue, this time focusing on the protection of physical access to cardholder data. That being said, all the physically stored cardholder data should be kept in secure locations, monitored, and controlled using video cameras and other electronic access tools.
That’s not all, though. In addition to these security controls, PCI requires businesses to retail the recordings or access logs of personnel movement for at least 90 days. They must also implement an access control system that allows distinguishing authorized personnel and visitors. As for portable or removable storage devices with cardholder data, they must be physically protected and destroyed if a company doesn’t need them anymore (this applies to all the data).
10. Create and Monitor Access Logs
Any activity involving PAN and cardholder data requires a log entry. Additionally, PCI compliance requires that all the systems must have a proper audit policy set, as well as send the log entries to a centralized syslog server. It’s also any company’s duty to review these logs regularly in search of any suspicious activities or abnormalities. This standard also refers to correct record keeping and documentation. This requirement aims to detect, minimize, and prevent the impact of security data breaches.
11. Regularly Test Security Systems
It goes without saying that to ensure all the security parameters and software you use work correctly and that there are no weak spots in your defense, you need to test them regularly. PCI thinks the same. That’s why they included regular security system testing in their list of requirements for PCI compliance.
Those security checks include such practices as:
- Scanning to detect authorized and unauthorized wireless access points using a wireless analyzer at least quarterly.
- Scanning external IPs and domains exposed in the CDE with a PCI Approved Scanning Vendor at least on a quarterly basis.
- Conducting internal vulnerability scans quarterly.
- Using a profound application penetration test and network penetration test to check all external IPs and domains at least once a year.
All these practices can significantly decrease the risk of data breaches, helping you maintain compliance with PCI requirements. Also, the regularity of these scans and tests doesn’t have to be followed strictly. PCI recommends performing checks at least quarterly, but it’s a good idea to test your security more often, especially after you implement any changes.
12. Create a Documented Policy
Last but not least, PCI requires businesses to create and maintain a documented policy. Everything regarding credit card data needs to be documented for compliance. With this in mind, you should document things like equipment and software inventory, the logs of accessing cardholder data, a list of employees with access to data, etc.
PCI compliance requirements also state that a company should perform regular user awareness training, employee background checks, and a formal risk assessment. You should also document where and how the data is stored and what security measures you use to keep it safe.
Levels of PCI Compliance
In general, there are four levels of PCI compliance your company can fall into. And while the twelve key PCI standards remain unchanged, they can apply differently depending on the compliance level. The compliance level refers to a vendor’s transaction volume during a 12-month period. The specific requirements might differ depending on the credit card brand, but in general, they can be divided as follows:
- Level 1: Refers to sellers that process over 6 million credit card transactions per year.
- Level 2: Includes merchants that process from 1 to 6 million card payments a year.
- Level 3: Into this level, fall businesses with 20,000 to 1 million card transactions processed per year.
- Level 4: Refers to vendors with less than 20,000 card transactions a year and other businesses that process up to 1 million card payments.
Now, as for requirements, vendors who fall into the 1st level of PCI compliance must be reviewed yearly by an internal auditor. They also require a network scan performed by a PCI-approved scanning vendor.
Companies that meet levels 2, 3, and 4 must complete the PCI DSS Self-Assessment Questionnaire yearly. PCI also requires them to undergo quarterly network security scans performed by an approved vendor.
Advantages of PCI Compliance
Staying PCI compliant comes with a plethora of benefits for any organization. Implementing and maintaining PCI DSS compliance standards can make a massive difference, significantly decreasing the risk of cardholder data being stolen. However, there’s much more to PCI DSS requirements and the advantages they bring than this.
Let’s take a look at some of the most significant benefits of following Payment Card Industry Data Security Standards:
PCI Standards Decrease Data Breaches
PCI technical and operational standards are the core of any vendor cyber security strategy. They require merchants to use stronger firewalls, security software, encryption, store cardholder data in a safer environment, etc. This significantly decreases the risk of a data breach and sensitive data being stolen.
PCI Compliance Builds Trust With Customers
If a vendor meets PCI compliance standards, it means that a customer can trust it with their personal and credit card data. They can also rest assured that you will securely transmit and process their payments. It might not seem like much, but it can really help build trust and reputation, making a huge difference in terms of succeeding in the highly competitive industry.
PCI DSS Helps Vendors Meet Global Standards
As you already know, PCI DSS was established by the Payment Card Industry Security Standards Council, an organization associating five of the world’s largest credit card brands. This means PCI standards are recognized globally, allowing your business to take place among the international retailers and companies, increasing your brand reputation as a vendor any consumer can trust with their payment data.
What Happens If a Company Is Not PCI Compliant?
Maintaining Payment Card Industry compliance is not the rule of law. However, payment brands can fine an acquiring bank for PCI compliance violations. Banks usually then pass the fine along until it finally reaches a merchant. Depending on the violation, a fine varies from $5,000 to even $100,000 a month. The credit card company can keep fining a business until it finally achieves PCI compliance.
The problems don’t end there, though. If you fail to protect cardholder data, you will very likely have to deal with monitoring fees, lawsuits, and other actions by federal and state governments. Compared to these, PCI fines are just a drop in the bucket.
Becoming PCI Compliant
In general, the first thing to do to become PCI compliant is to determine which self-assessment questionnaire you should follow. Then, you have to complete and hold evidence of a passing vulnerability scan performed by a PCI-approved scanning vendor (applies to levels 2, 3, and 4 of PCI compliance). Then, you’ll need to complete the attestation of compliance and submit all the above information.
Tips on Maintaining PCI DSS Compliance
Becoming PCI compliant is not that complicated. The real struggle begins when you have to maintain compliance. In fact, many businesses fail to follow PCI security standards, which can lead to fines and other penalties we covered above. To help you stay PCI compliant, we’ve listed our top tips on doing so:
- Engage with PCI compliant card processors and banks
- Employ good cyber security practices inside your company (using firewalls, strong passwords, employee training, etc.)
- Locate and classify all the sensitive data you store and transmit
- Identify users and determine who should have access to data
- Monitor every activity, behavior, and data
- Regularly test your software and conduct internal audits to eliminate vulnerabilities
Key Takeaways
Payment Card Industry Data Security compliance refers to the security standards developed by the PCI Security Standards Council. The primary goal of PCI DSS is to protect cardholder data stored and processed by companies that accept credit card payments.
While it’s not a law, staying PCI compliant is practically a must. If a business fails to meet PCI standards, it risks being fined, not to mention other consequences, such as lawsuits and monitoring fees, leading to irretrievable loss of reputation.
And that’s about it! Hopefully, this guide has answered all your questions regarding PCI compliance. And if you have any further concerns, below you’ll find some of the most frequently asked questions regarding PCI compliance.
PCI Compliance FAQs
To whom does the PCI DSS apply?
All the businesses and organizations, regardless of their size and number of transactions, that store, process, and transmit cardholder data are required to follow PCI Data Security Standards.
How can I define cardholder data?
As defined by PCI Security Standards Council, cardholder data refers to the full Primary Account Number (PAN) or the full PAN and elements such as cardholder name, service code, and expiration date.
Is PCI compliance the rule of law?
No, PCI compliance isn’t a law. However, credit card companies can fine businesses that fail to maintain secure systems according to PCI requirements. The fine can vary depending on the violation. Usually, it’s something between $5,000 and $100,000 a month until the issue is resolved.
What are the best practices for storing credit card data?
There are a couple of ways you can store cardholder data. The recommended way is to work with a third-party credit card vault and tokenization provider. This will help you pass the risk to the company that specializes in cyber security instead of doing it yourself.
Of course, you can also store all the data yourself. In that case, though, you’ll first need to meet PCI specifications. This is checked by a Qualified Security Assessor who will perform an audit to ensure you meet all the requirements stated in the PCI DSS.