The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements adopted by the major card brands to protect payment systems from data breaches, fraud, and theft of cardholder data. It applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. It was created by the world's biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa, and is maintained and developed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS is not a law but a contractual obligation: any organization wishing to accept credit or debit card payments in person, over the phone, or online is required by its acquiring bank and the card brands to comply with it. Failure to do so can lead to fines of up to $100,000 per month and increased transaction fees. Worse still, the acquiring bank can permanently terminate the merchant relationship and place the merchant on the Member Alert to Control High-risk Merchants (MATCH) list, which makes it very difficult to obtain a new merchant account and therefore to process card payments at all.

There are four PCI DSS merchant levels, assigned according to the number of card transactions a company processes per year. Level 1, the highest, applies to merchants processing more than 6 million transactions per year; a merchant that has suffered a breach of cardholder data may also be escalated to Level 1 by the card brands. Level 1 organizations must produce an annual Report on Compliance (RoC) based on an on-site assessment performed by a Qualified Security Assessor (QSA) or a PCI SSC-certified Internal Security Assessor (ISA). The RoC, together with an Attestation of Compliance (AoC), is submitted to the organization's acquiring bank to demonstrate compliance. Level 1 merchants must also have their external-facing systems scanned quarterly, not annually, by an Approved Scanning Vendor (ASV).

For Levels 2 to 4, companies can instead complete a Self-Assessment Questionnaire (SAQ). Which SAQ applies (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE or D) depends on how the business accepts and processes cards, and several SAQ types also require quarterly ASV scans. The transaction thresholds for each level vary between card schemes. As part of their SAQ, or in preparation for a QSA/ISA assessment, companies can use a PCI compliance checklist to find gaps early, reducing the time and cost spent with assessors. Here is our list:

Familiarize yourself with PCI DSS requirements

It is essential for companies to understand the requirements of PCI DSS and what they protect before putting together a compliance plan. PCI DSS covers two categories of data: cardholder data and sensitive authentication data. Cardholder data comprises the primary account number (PAN), cardholder name, expiration date, and service code. Sensitive authentication data includes full track data (magnetic-stripe data or the equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID). The two are treated differently: sensitive authentication data must never be stored after authorization, even in encrypted form, while the PAN may be stored but must be rendered unreadable wherever it is kept (by strong encryption, truncation, tokenization or a strong one-way hash) and must be masked when displayed, showing at most the first six and last four digits unless there is a documented business need to see more.

The version current at the time of writing, PCI DSS v3.2.1 (issued in May 2018), consists of twelve core requirements and roughly 250 sub-requirements and testing procedures, covering everything from basic security hygiene to complex, organization-wide controls.

Correctly assess your level

As mentioned above, a company is assigned a PCI DSS compliance level based on the number of card transactions it processes per year. Organizations must be able to count this number accurately and determine which level they fall into, because the thresholds are set by the individual card schemes rather than by PCI DSS itself, and a merchant may need to validate against more than one scheme. Acquiring banks can help companies establish their annual transaction volume and confirm the applicable level.

Apply basic security measures

A number of PCI DSS requirements fall under the umbrella of basic network and system hygiene: maintaining a firewall configuration that isolates the cardholder data environment from untrusted networks (Requirement 1), not using vendor-supplied defaults for passwords and other security parameters, including default accounts, SNMP community strings and wireless keys (Requirement 2), and deploying and keeping current anti-malware software on systems commonly affected by malware (Requirement 5). Many organizations will already have these in place. Those that do not must put them in place before anything else on this list.

Protect cardholder data

This category of requirements (Requirements 3 and 4) is the core of PCI DSS. Companies must know where cardholder data is stored and how it flows into, through, and out of their network; PCI DSS requires a current data-flow diagram for exactly this reason, and every system that stores, processes or transmits the data, or is connected to one that does, is part of the cardholder data environment (CDE) that must be protected. Cardholder data must be protected in every state: at rest, in use, and in transit.

Organizations can use Data Loss Prevention tools such as Endpoint Protector to discover, monitor, and control the transfer and storage of cardholder information, for example by scanning endpoints, file shares and outbound traffic for primary account numbers. When cardholder data is transmitted over open, public networks it must be encrypted with strong cryptography (SSL and early TLS are no longer acceptable; TLS 1.2 or later is recommended), so that anything intercepted once it leaves the company network is unreadable rather than merely harder to reach.
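The discovery step above is worth seeing concretely. The following is an added example, not code from the original article or from Endpoint Protector: a minimal PAN-discovery and masking routine of the kind a DLP scanner applies to text it inspects. Candidate digit runs of 13 to 19 digits are validated with the Luhn check (which every PAN satisfies, so it cheaply rejects order numbers, timestamps and tracking codes that happen to be the right length) and then rendered with only the first six and last four digits visible, the maximum PCI DSS Requirement 3.3 allows on display. The log lines are constructed for the example and use publicly known test card numbers, not real PANs.

```python
import re
from typing import List

# A PAN is 13 to 19 digits, often written with single spaces or dashes between
# groups. The lookarounds stop the pattern from starting or ending inside a
# longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, as PCI DSS 3.3 permits on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (separators removed) found in the text."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = _strip_separators(match.group())
        # Length is already 13..19 by construction of the regex; Luhn is the
        # filter that separates real PANs from other numeric identifiers.
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _replace(match: "re.Match[str]") -> str:
        digits = _strip_separators(match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return CANDIDATE_RE.sub(_replace, text)


# Constructed sample log. 4111 1111 1111 1111 and 5500 0000 0000 0004 are
# well-known test numbers; the tracking number and the last card value are
# 16 digits long but fail Luhn, so a length-only scanner would false-positive
# on them while this one does not.
SAMPLE_LOG = """\
2024-03-01 order=10001 card=4111 1111 1111 1111 amount=49.99
2024-03-01 order=10002 card=5500-0000-0000-0004 amount=12.50
2024-03-01 order=10003 tracking=1234567890123456 phone=555-123-4567
2024-03-01 order=10004 card=4111111111111112 amount=5.00
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("PAN found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Two caveats a practitioner should keep in mind when turning this into a real control: a digit run longer than 19 characters that happens to contain a PAN is treated as a single candidate and will be missed, so production scanners also try windowed sub-runs; and the Luhn check only reduces false positives, it does not prove a number is a live card, so findings still need a human or a BIN lookup before anyone is accused of leaking cardholder data.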

Develop and maintain secure systems and applications

Companies should assess the risks of every system and application before deploying it to process cardholder data, and keep those systems patched: PCI DSS requires critical security patches to be installed within one month of release, and a process for identifying newly disclosed vulnerabilities and ranking them by risk. PCI DSS compliance should be a key consideration when systems and applications are developed in-house. Software that will process cardholder data must be built under a documented secure development process, with code reviewed for common flaws such as injection, broken authentication and cross-site scripting before it is released, and with no live PANs used in test environments.

Restrict access to cardholder data

Another major lever for protecting cardholder data is restricting access to it. Employees should be granted access only on a need-to-know basis, and access control should be enforced technically: a unique ID for every user, no shared accounts, strong authentication (including multi-factor authentication for all non-console administrative access to the cardholder data environment and for all remote access), and privileges matched to each employee's duties. PCI DSS also requires the prevention of unauthorized physical access to cardholder data stored in data centers or server rooms, through measures such as locks, badge systems, cameras and visitor logs.

Regularly monitor and test networks

For continued PCI DSS compliance, networks and security controls must be regularly tested and monitored to verify that they remain effective. This means logging all access to cardholder data and system components and reviewing those logs daily (Requirement 10), running quarterly internal and external vulnerability scans, performing penetration tests at least annually and after any significant change, and deploying change-detection or file-integrity monitoring on critical files (Requirement 11). Monitoring also supports efforts to detect breaches or internal security policy violations early, rather than at the next assessment.

Implement and maintain an information security policy

PCI DSS compliance needs to be organizational, which is why merchants should create, implement and maintain a company-wide information security policy that is reviewed at least annually and that binds management as well as employees. Organizations must ensure that cardholder information continues to be protected when they outsource payment processing to third parties. This means outside processors must also be PCI DSS compliant, and PCI DSS requires the merchant to keep a list of such service providers, hold a written agreement in which each acknowledges its responsibility for the cardholder data it handles, and monitor their compliance status at least annually.