Any business that processes credit or debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS). First introduced in 2004, it’s been in place for nearly two decades, but meeting PCI compliance requirements is still challenging for some businesses.
In this post, we’ll discuss the PCI compliance requirements and share best practices from industry experts to help you implement and maintain the right systems and processes to keep cardholder data safe — and your business in compliance.
In this article:
PCI compliance requirements are a set of technical and operational standards that businesses must adhere to if they accept, handle, store, or transmit payment card data. The PCI Security Standards Council develops the standards and provides resources and guidance to ensure the safety of cardholder data.
Currently, there are 12 PCI compliance requirements, including:
The specific obligations of a company to provide proof of compliance vary based on the company’s merchant level, which is based on the number and type of payment card transactions processed annually.
To give you a better understanding of the PCI compliance requirements and the safeguards and processes you can put in place to ensure ongoing compliance, we reached out to a panel of compliance experts and cybersecurity professionals and asked them to answer this question:
Keep reading to learn what our panel had to say about the best practices you should implement to ensure your business’s PCI compliance.
“To meet PCI compliance requirements, it's essential to follow best practices…”
Harman Singh is the Director at Cyphere, a cybersecurity services company helping customers protect their most prized assets across the UK and US.
“When it comes to meeting PCI compliance requirements, there are several best practices you can follow to ensure your business is secure and protected…”
Here are a few tips:
By following these best practices, you can help ensure that your business is meeting PCI compliance requirements and keeping your customers' data safe.
“My personal best practices for meeting and exceeding PCI compliance are…”
Whether you're running a single location or multiple locations, it's important to have someone who understands network security to review the system you're using and configure the proper networks and VLANs necessary to keep all networks separate. For small businesses, it may be an upfront cost of $750-$3,000 for the correct hardware, configuration, and initial testing.
Some POS companies, such as Toast, bundle preconfigured firewalls with their systems. For small locations, Toast includes a Cisco Meraki Z3 firewall. Though this firewall does not have a high firewall throughput, it is more than enough to handle an entire POS system and reduces the management costs and PCI compliance on smaller operations.
Due to the geographical footprint of our larger clients, we created custom documents with detailed visual diagrams and procedures for upper management to handle the physical installation of hardware inside the card data networks. It is important your managers have the proper documentation and a consistent configuration at all locations. We use color-coordinated ethernet cables that match the colors on diagrams, visually matching which ports are connected easily.
Using a single vendor for your firewall, switch, and WAPs will not alone give you PCI, but it is a practice that can prevent confusion, prevent mismanagement, and streamline making changes to your networks. With multiple hardware configurations, you may need to repeat firewall modifications, create additional diagrams, and may increase your PCI compliance costs with authorized auditors.
Our yearly audit for one client has been cut almost in half by using a single POS platform and single network structure as now they no longer must make two separate sample visits for the separate configurations.
Organization is an absolute must at all locations. I have visited multiple locations where wires are in big tangles, and a large issue is based solely on a manager plugging the wrong cable into the wrong port.
Color coordinating cables will allow your managers to visually troubleshoot in the field quickly with the assistance of IT. Keeping all cables organized also reduces the risk of cables simply coming unplugged just from normal everyday work.
I always insist on using a wall-mounted rack in our buildouts, keeping the wiring organized, and keeping it away from where employees would be handling daily business tasks unrelated to the network.
Keeping all documentation of whitelists and logs of hardware changes is the most important item on the list. Documenting every action in whatever manner the IT team sees fit for your business structure is key to staying not just compliant but truly secure.
Whether you choose to use a highly modified Excel spreadsheet or an asset management platform, you must know what hardware is installed, when it was installed, and when unused hardware was decommissioned.
Your whitelist documentation must be up to date, and old whitelist documents must be archived and clearly marked not for use once the whitelist document becomes outdated or changed.
If you are a franchisee, follow all requirements of your franchise agreement when it comes to PCI compliance. Should there be a data breach due to improper hardware being used, you may be found in violation of your franchise agreement.
On top of a fine for not following PCI-compliant measures, you could lose your franchise and be forced to sell your franchise to new owners. Collaboration between cybersecurity vendors and POS providers before, during, and after major implementations is crucial to ensure your network remains secure.
Youssef EL ACHAB is a Cloud Security/DevOps consultant at ITCORG Certificate, a blog about IT, IT certifications, Cloud and DevOps.
“Here are some of the best practices for meeting PCI compliance requirements…”
By implementing these best practices, you can ensure that your organization meets PCI compliance requirements and sensitive data remains secure.
Ovidiu Cical is the CEO & Co-founder at Cyscale. The company's goal is to assist businesses of all sizes in establishing, improving, and maintaining their Cloud Security Program based on industry best practices.
“In transit as well as at rest, everything PCI must be encrypted…”
TLS v1.2 or later should be used by businesses as SSL and earlier versions of TLS are no longer regarded as being secure enough. It is standard practice to substitute card numbers with random tokens to encrypt them, rendering them illegible to unauthorized parties.
To prevent the data from being intercepted by attackers when dealing with PCI in transit, you might want to think about using point-to-point encryption (P2PE) technology. Scanning your repository for any PCI that is not encrypted regularly is a smart idea.
“Restricting access only to need-to-know parties is one best practice for PCI compliance…”
The PCI DSS strictly mandates that access to any cardholder information must be restricted to only those parties that need to know it.
These roles must also be tightly documented and updated frequently to stay compliant. Unless the party is part of the need-to-know group, cardholder data should never be shared.
“PCI DSS (Payment Card Industry Data Security Standard) is a set of guidelines and requirements designed to ensure the security of credit card transactions and protect cardholder data…”
Here are some best practices to meet PCI compliance requirements:
By following these best practices, you can help ensure that your payment system meets the PCI compliance requirements and that you are protecting cardholder data from unauthorized access and breaches.
“The best practices for meeting PCI compliance requirements involve…”
Implementing a comprehensive security framework that safeguards sensitive cardholder data throughout its lifecycle. Are we maintaining a secure network infrastructure to protect cardholder data? Are we regularly monitoring and testing our systems?
Let’s explore some scenarios from work to illustrate these practices.
By implementing these best practices, we show our commitment to protecting cardholder data, build customer trust, and maintain compliance with PCI standards. Safeguarding sensitive information is not just a regulatory requirement; it is our responsibility as custodians of data to prioritize security at every level of our operations.
“Meeting PCI compliance requirements necessitates implementing several best practices…”
By following these best practices, my first-hand experience demonstrates that organizations can effectively meet PCI compliance requirements.
“First, you must conduct an initial assessment of your environment and any other processes by which payment card data is obtained or stored…”
You also need to develop a plan for handling and protecting sensitive customer data through encryption and tokenization whenever possible.
Additionally, you should establish policies and procedures for regular security monitoring, testing, vulnerability scanning/management, incident response plans (for the unlikely event of a breach), backup/disaster recovery strategies, etc.
It's also important to implement adequate network segmentation to ensure that only authorized personnel can access certain systems or databases containing sensitive information. You must provide employees with proper training on security protocols such as how to handle and protect cardholder data during a transaction.
Furthermore, it's essential for organizations to maintain secure remote access protocols enabling authorization checks whenever cards are processed remotely over the Internet using strong authentication methods like multi-factor authentication tokens or biometrics, etc.
Last, but perhaps most important, is continuously strengthening cyber hygiene practices throughout your organization such as documentation of different processes associated with payment acceptance. Also:
These and other precautions must be taken into account in order to stay PCI compliant.
“Maintaining PCI DSS compliance is a continuous process, requiring regular review and updates of your security controls…”
“Listen to your vendors…”
Although the documentation from your payment processor may be dense and hard to read, carefully studying it is imperative. Using their APIs as intended and following their recommended best practices — not just what you see on StackOverflow or on Reddit — can save a lot of time and expense and quite possibly save you from an unfortunate security incident.
“Creating and upholding information security policies and frequent training and awareness initiatives are vital in ensuring adherence to PCI DSS responsibilities…”
Organizations can benefit from expert guidance and validation of their compliance endeavors by involving qualified security assessors (QSAs) or assistance from other PCI DSS professionals in annual PCI DSS compliance assessments.
To maintain ongoing compliance, it is important for organizations to consistently monitor, update, and enhance their security controls, conduct regular assessments, and stay informed about the latest PCI DSS requirements and modifications.
Referring to official PCI Security Standards Council resources is crucial for obtaining the most current and tailored information and guidance based on specific circumstances and compliance levels.
“Most businesses will want to store and use PCI information to improve user experience…”
Think renewing a purchase automatically or acting as a liaison to purchases to collect coupon savings or reward points. If your user experience would be the same if you didn't have the PCI information, then you should look to outsource or offload the storage and processing of PCI information.
If your user experience would be degraded because you have to ask your user every 15 days to re-enter their CVV or PAN then storing PCI information is an advantage for your use case.
To simplify and smooth the way for PCI compliance, the first step is to limit the scope of the application or infrastructure that needs to be reviewed/approved. Choose a single database with a single container to be the sole access and processing point for PCI data.
This one decision can make the process much simpler, as there would be only one application service in scope for PCI assessment. To attain the highest PCI certification, ensure the data in that container is both secured and that the use or consumption of that data is logged and controlled.
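The single in-scope vault that this contributor describes, as an added example that is not part of the original post or of any product mentioned on this page: the vault is the only component that ever holds a PAN, every other service keeps only a random token, and each access is role-gated and audited; the role names and the access policy are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Assumed access policy (illustrative, not from the article): which service
# roles may call which vault operation. Only settlement needs the real PAN.
ALLOWED = {
    "tokenize": {"checkout", "billing"},
    "detokenize": {"billing"},
    "display": {"checkout", "billing", "support"},
}


def mask_for_display(pan: str) -> str:
    """Show at most the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """The one in-scope component: the only place a PAN is ever stored."""
    _store: dict = field(default_factory=dict)  # token -> PAN
    audit: list = field(default_factory=list)   # every access, allowed or not

    def _check(self, op: str, role: str, ref) -> None:
        ok = role in ALLOWED[op]
        self.audit.append({"op": op, "role": role, "ok": ok, "ref": ref})
        if not ok:
            raise PermissionError(f"role {role!r} may not {op}")

    def tokenize(self, pan: str, role: str) -> str:
        self._check("tokenize", role, None)
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        # The token is random hex: it carries no information about the PAN,
        # so storing it in other systems keeps them out of PCI scope.
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        self._check("detokenize", role, token)
        return self._store[token]

    def display(self, token: str, role: str) -> str:
        """Masked form for receipts and support screens; still audited."""
        self._check("display", role, token)
        return mask_for_display(self._store[token])


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", role="checkout")  # test PAN
    print(vault.display(tok, role="support"))                # 411111******1111
    print(vault.detokenize(tok, role="billing"))             # settlement only
    try:
        vault.detokenize(tok, role="support")
    except PermissionError as err:
        print("denied:", err)
    print(len(vault.audit), "audited accesses")
```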
“Encrypt cardholder data transmission over open, public networks…”
This requirement appears to be about safeguarding cardholder data when it is transmitted over open, public networks such as the internet, wireless technologies, cellular technologies, General Packet Radio Service (GPRS), and satellite communications.
When cardholder data must be shared over open, public networks, businesses should employ robust encryption to conceal the information from unauthorized users. PCI DSS also stipulates that PAN should never be transmitted unencrypted via end-user messaging such as email, instant message, SMS, and chat.
Faizan Ahmed Khan is a Sr. Content Marketing Specialist at UBUY Kuwait.
“Physically restrict PCI…”
Securing PCI against unauthorized users is, in my opinion, the finest method for achieving PCI compliance.
When storing personally identifiable information (PII) on a physical medium like paper, further precautions must be taken to prevent unauthorized access. This entails securing them in a location that is monitored by various means of surveillance technology.
Employees should ideally utilize ID badges to get entry to restricted areas.
All of these should be in place to safeguard servers and other devices storing PCI even if you are not storing PCI on a physical disk.
“In terms of best practices, I emphasize a proactive and holistic approach to PCI compliance…”
From my experience, I have found that the following key elements significantly contribute to meeting and exceeding the stringent requirements:
These are just a few of the key best practices I have found to be invaluable in achieving and maintaining PCI compliance.
“Meeting PCI compliance requirements involves implementing several best practices to protect sensitive cardholder data…”
Some key practices include:
It is important to note that these practices provide a general overview, and organizations should consult with qualified cybersecurity and compliance experts to tailor their approach to specific PCI compliance requirements.
“As a cybersecurity professional, my key recommendations for meeting PCI compliance requirements are primarily focused on understanding your environment and maintaining robust security measures…”
First, know your systems, networks, and processes that handle cardholder data, as these are subject to PCI standards. It's essential to secure this data using methods such as encryption, tokenization, and masking.
Implement robust firewalls and maintain strong access controls, ensuring that only necessary personnel can access sensitive data, preferably with multi-factor authentication.
Regularly test, monitor, and audit your security systems for effectiveness and any unusual activity. Furthermore, it's vital to consistently update and patch all systems to mitigate known vulnerabilities.
Lastly, cultivating a strong security culture through regular staff training and clear policies is crucial. Remember, PCI compliance is a continuous process, not a one-time event.
“The best practices for meeting PCI compliance requirements are…”
1. Understand the PCI Data Security Standard (PCI DSS).
Familiarize yourself with the requirements outlined in the PCI DSS, which provides a comprehensive framework for protecting cardholder data. Ensure that you or your organization meets the necessary criteria and maintains compliance.
2. Protect cardholder data.
Implement strong security measures to protect cardholder data throughout its lifecycle. This includes using two important features, encryption and tokenization. Tokenization and encryption are both techniques used for data security, but they differ in how they protect sensitive information:
While both techniques enhance data security, there are notable differences:
3. Use secure network infrastructure.
Implement and maintain a secure network infrastructure to prevent unauthorized access to cardholder data. This includes using firewalls, secure wireless networks, and strong access control mechanisms to protect your systems from threats.
4. Regularly update and patch systems.
Keep all your hardware, software, and applications up to date with the latest security patches. This helps address vulnerabilities and reduce the risk of exploitation by malicious actors.
5. Implement strong access controls.
Restrict access to cardholder data and systems that process or store this data. Only provide access to authorized individuals who have a legitimate need to access such information. Use strong passwords, multi-factor authentication, and least privilege principles to ensure secure access.
6. Monitor and regularly test your systems.
Implement a robust system for monitoring and logging activities related to cardholder data. Regularly review these logs and conduct vulnerability scans and penetration tests to identify and address any weaknesses in your security controls.
7. Maintain a comprehensive security policy.
Develop and maintain a documented security policy that outlines your organization's approach to protecting cardholder data. Ensure that all employees are aware of the policy, receive proper training, and adhere to its guidelines.
8. Engage with PCI-compliant vendors.
When working with third-party vendors or service providers who handle cardholder data on your behalf, ensure that they are PCI compliant (like EBizCharge). Verify their compliance status and establish contracts that clearly define their responsibilities in maintaining the security of cardholder data.
9. Implement an incident response plan.
Develop and maintain an incident response plan that outlines the steps to be taken in the event of a security breach or data compromise. Regularly test and update the plan to ensure its effectiveness.
10. Engage with a Qualified Security Assessor (QSA).
When a business has a high volume of card transactions or complex systems, consider engaging with a QSA, a qualified third-party organization that can assess your compliance with the PCI DSS and provide guidance on meeting the requirements.
“In my experience, finding and naming your PCI vulnerabilities is the most effective method for achieving PCI compliance…”
One of the most essential requirements of PCI-DSS is transparency with regard to the storage and location of payment card data. It goes without saying that you can't protect your information if you have no idea where it is stored.
If you want your data repositories to be automatically scanned for PCI and categorized, you need a data classification system. In a similar vein, implement a system that labels information as it is being created or updated.
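An added example, not from the original article or any vendor it mentions, of the discovery step this contributor calls for and of the earlier remark about regularly scanning repositories for unencrypted card data: a small Python scanner that finds Luhn-valid PANs in free text, reports them masked with their line numbers, and can redact them before the text leaves scope. The support-note sample is constructed; the card numbers in it are the well-known test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# A candidate PAN is 13-19 digits, optionally grouped with spaces or dashes.
# The look-arounds skip digit runs that continue on either side, so a
# sub-run of a longer number (e.g. a 20-digit ID) is not reported.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the most a log line should carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str
    length: int


def _pan_at(match):
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_ok(digits) else None


def scan_text(text: str) -> list:
    """Report every Luhn-valid PAN in text, masked, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = _pan_at(m)
            if digits:
                findings.append(Finding(line_no, mask(digits), len(digits)))
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN so the text can be stored out of scope."""
    def repl(m):
        digits = _pan_at(m)
        return mask(digits) if digits else m.group()
    return CANDIDATE.sub(repl, text)


# Constructed sample: an export of support notes, not real customer data.
SAMPLE = """\
order_id=5550123 customer=J.Doe
note: customer called, gave card 4111 1111 1111 1111 exp 12/26
callback phone 555-0100-1234
token=tok_9f3b2c8a1d payment ok
typo copy: 4111 1111 1111 1112
amex 3782 822463 10005 on file
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked} ({f.length} digits)")
```

The number on the "typo copy" line fails the Luhn check and is deliberately left alone, so the scanner reports two findings: the 16-digit card on line 2 and the 15-digit card on line 6.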
Jon Morgan is the CEO and Editor-in-Chief of Venture Smarter, a leading consulting firm that specializes in helping startups and small businesses scale and grow. With over 9 years of experience in the industry, Jon has a wealth of knowledge and expertise in areas such as strategic planning, market research, and financial analysis.
“The best practices for meeting PCI compliance requirements are…”
Following these best practices will help you achieve and maintain PCI compliance, but it’s also important to keep an eye on the regulatory landscape as new data privacy regulations are emerging around the world.
If your business takes PCI compliance seriously, a data loss prevention (DLP) solution like the Reveal platform by Next can help you streamline your compliance by enforcing your company’s PCI-compliant data handling policy and protecting cardholder data at rest, in motion, and in use.
Reveal offers next-gen endpoint agents — the first to deliver machine learning on the endpoint — that enforce your data handling policy without connecting to a separate analysis engine and reinforces employee security awareness training by providing user training at the point of risk.
Contact Next today or book a demo to learn how Reveal can help you maintain PCI compliance and build a security-conscious culture.
Any business that handles payment card data in any way, whether by accepting payment cards, processing transactions, or storing or transmitting cardholder data, must comply with the PCI requirements.
Some businesses are required to undergo more rigorous assessments and provide more proof of compliance than others, depending on the company’s merchant level. The merchant level is determined by the payment card company (Visa, MasterCard, etc.) and is based on the number and type of payment card transactions the merchant processes each year.
A company is PCI compliant when it has the appropriate security measures and privacy safeguards in place to protect cardholder data.
Compliance requires:
Noncompliance with PCI DSS can have several ramifications. In addition to monthly penalties ranging from $5,000 to $100,000 per month, companies that are not compliant with PCI DSS are at greater risk of a data breach. Suffering a breach can result in legal action, reputation damage, and a loss of revenue.
Businesses face a few challenges in meeting PCI DSS requirements, including: