Companies that process credit card payments are required to maintain PCI DSS compliance, and failure to abide by these regulations can result in fines and the loss of merchant status, crippling an organization’s ability to do business.
This guide will cover all aspects of PCI DSS compliance, including who it applies to, its requirements, and penalties for non-compliance. It will also look at the changes ahead with PCI v4.0. We will use the terms PCI and PCI DSS interchangeably throughout the guide.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed to protect the privacy and security of cardholder data. PCI DSS was first introduced in December 2004 by major credit card companies to define the standards by which cardholder data should be protected.
The development of PCI DSS was influenced by the emergence of ecommerce and the increased digital storage of sensitive customer information.
PCI DSS is administered and maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was formed in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, Inc.
The Council is tasked with strengthening payment account security by providing standards and supporting services such as education to assist stakeholders in implementing PCI DSS.
The first PCI DSS standard (Version 1.0), released in December 2004, was based on the Visa Cardholder Information Security Program (CISP). It has undergone multiple revisions over the years, including:
Other changes included detection and reporting requirements for failures of critical security control systems, the requirement to perform penetration testing on segmentation controls every six months, and the requirement to perform quarterly reviews to evaluate employees’ compliance with security policies and procedures, among others.
All businesses that process credit card payments are required to protect cardholder data by maintaining PCI compliance. This includes virtually any company involved in ecommerce as well as the majority of brick-and-mortar businesses.
Companies are assigned different PCI merchant levels by the credit card companies that determine the measures they need to take to achieve and demonstrate compliance.
PCI merchant levels are defined by payment card processors to distinguish businesses that need to provide different compliance evidence. The levels are determined primarily by the volume of credit card transactions an organization processes in the most recent 52-week period. The credit card acceptance method is also considered when assigning merchant levels.
Each credit card processor defines the PCI merchant levels that apply to businesses processing their cards. Most companies choose to go with four similar levels, although Discover only defines three. We will use Visa’s PCI levels to illustrate how businesses are classified and how reporting requirements are affected by their classification.
Every year, Level 1 merchants need to submit a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), or by an internal resource if it is signed off on by an officer of the company.
In the case of Discover, merchants in Level 4 are consolidated into Level 3. Merchants at levels 2 through 4 can choose to complete the more stringent ROC rather than an SAQ. We will go into the details of ROCs, SAQs, and AOCs later in this guide.
Several hundred specific requirements are included in PCI DSS. These requirements are grouped into 12 categories that companies must use as a guide to implementing a compliant IT infrastructure. PCI DSS compliance is required whether the company runs an on-premises environment, uses a cloud infrastructure, or outsources to a third-party service provider.
Merchants are required to prevent unauthorized access to the IT environment with a reliable network firewall. The firewall configuration should be reviewed and updated at least twice a year so that only trusted entities can access network resources.
Firewalls also need to be installed on employees’ home computers and mobile devices if they are used to access systems containing cardholder data.
All vendor-supplied default passwords on any piece of software or hardware that is used to support the cardholder data environment must be changed. Passwords must be changed before a new device or software component is allowed to connect to the regulated environment.
Cybercriminals often use default passwords in an attempt to gain unauthorized access to IT systems.
Stored cardholder data needs to be protected at all times. This means encrypting cardholder data at rest and not retaining the information for longer than necessary to address business requirements.
Purging obsolete cardholder data at least quarterly is also highly recommended.
Cardholder data must be encrypted before being transmitted over publicly accessible networks like the Internet. Strong cryptography is necessary to guard the security and privacy of cardholder data.
Companies need to implement current industry standards like IEEE 802.11i for wireless networks to meet this requirement.
Organizations are required to install and use antivirus and malware protection to ensure the safety of cardholder information. The software should be updated regularly to address newly discovered threats.
All machines that can access cardholder data need to have this protective software installed, including mobile devices and the computers of remote workers.
Secure systems and applications are required throughout a PCI-compliant environment. Hardware and software security patches should be installed as soon as they are available.
PCI DSS requirements for secure development must be followed whenever the organization develops its own code.
Merchants must restrict access to cardholder data to individuals who need it to do their jobs. PCI DSS makes need-to-know a fundamental principle of the standard: access is granted only after it is requested and the reason it is required has been established.
Users must be authorized and have a valid business reason to access cardholder data.
All users with computer access to the regulated environment need to be assigned a unique ID to be used for monitoring access to cardholder data. The ID can be used to identify the individuals who have accessed or attempted to access systems containing sensitive information.
This requirement is addressed with on-site controls that are monitored and logged. Security personnel or automated systems must be in place to prevent unauthorized personnel from physically accessing systems containing cardholder data.
Backup tapes and other media containing sensitive data must be secured and then securely destroyed when the business no longer needs them.
Continuous monitoring is required for all networks and systems that can potentially access cardholder data. The objective is to limit access to authorized individuals and detect unauthorized attempts that may indicate the presence of threat actors.
Network activity must be logged and audit trails maintained for PCI DSS compliance.
Merchants are required to test security solutions, systems, and processes regularly to protect the environment from new vulnerabilities. Quarterly internal and external vulnerability scans and file integrity monitoring should also be implemented.
Lastly, discovered vulnerabilities need to be addressed and mitigated as soon as possible.
All businesses must implement and maintain a security policy for PCI compliance. The policy should be evaluated and revised yearly.
All employees and contractors should review the policy annually as part of standard security training as well as training focused on PCI DSS compliance.
There are various PCI DSS compliance solutions that can help businesses achieve and maintain compliance.
Organizations are required to demonstrate PCI compliance by submitting the appropriate documentation based on their merchant level. The required documents include Reports on Compliance (ROCs), Self Assessment Questionnaires (SAQs), and Attestations of Compliance (AOCs). Let’s look at the details of each piece of evidence.
ROCs are required of all Level 1 merchants and can be submitted by any level to demonstrate compliance. A full onsite assessment of the IT environment is required to complete an ROC. Three parties work together to complete and submit an ROC.
Currently, organizations need to follow PCI DSS v3.2.1, but this version of the standards will be replaced by PCI DSS 4.0 on March 31, 2024. Merchants can use the PCI DSS V3.2 ROC template to complete the process and can prepare for PCI DSS v4.0 by reviewing the new ROC template.
SAQs are a validation tool designed to assist merchants and service providers in reporting the results of a PCI DSS self-assessment. Multiple types of SAQs are available that address different merchant situations.
The different SAQs are used to cover specific situations such as where merchants use hardware payment terminals or only process ecommerce transactions.
Organizations may want to verify PCI DSS compliance by engaging a QSA and submitting an ROC to the PCI SSC rather than using an SAQ.
A PCI Attestation of Compliance is a certification that specifies an organization’s compliance status. It is completed by a QSA and documents that an entity is implementing best practices to secure and protect cardholder data. It attests to the fact that the organization has completed the appropriate SAQ and that it has been verified by a QSA.
As with SAQs, multiple types of AOCs address different business situations. Merchants should work with a QSA to ensure they are submitting the right type of AOC to demonstrate PCI compliance.
Fines and penalties for PCI non-compliance are imposed by payment card companies and banks. The penalties can vary depending on the specific entities imposing the fines. Based on the size of the company and the extent of the compliance violation, fines can range from $5,000 to $100,000 per month.
Fines can be imposed for the number of months that a forensic investigation determines non-compliant practices were in play. They are typically renewed monthly until the violations have been addressed and PCI compliance has been demonstrated. Repeat offenders can be subject to more significant fines.
While large businesses can absorb the fines, small businesses may not be as fortunate. A company can be put out of business if it cannot quickly resolve the non-compliance issues.
In addition to the financial penalties, there are other risks to a business associated with PCI DSS non-compliance.
The current version of PCI DSS, v3.2, is slated to be replaced by PCI DSS v4.0 on March 31, 2024. Companies should already be preparing for the changes in v4.0 standards so they can ensure compliance.
PCI DSS 4.0 retains all of the requirements previously defined for securing credit card processing. The requirements were redesigned to concentrate on security objectives and to better define how controls should be implemented. PCI DSS 4.0 has four main goals:
Two aspects of cybersecurity are directly addressed by the new requirements in PCI DSS 4.0. The first defines stronger authentication methods that are required to access systems containing or processing cardholder data. This is accomplished by:
The second area of PCI DSS v4.0 that requires substantial changes in how businesses operate concerns the use of encryption to protect cardholder data. The requirement to encrypt data before transmission has been expanded to encompass trusted as well as public networks. This requirement addresses the increased threat of malicious insiders or accidental data disclosure.
Additionally, data discovery to identify unencrypted data resources subject to PCI DSS is required to be performed at least annually.
Deploying a data loss prevention (DLP) solution will benefit organizations that take PCI compliance seriously. A DLP platform can be instrumental in enforcing an organization’s data handling policy that conforms to PCI DSS and protects cardholder data in all states — at rest, in motion, and in use. A DLP solution directly addresses the need to encrypt sensitive data and restrict it from unauthorized use.
The Reveal platform by Next employs cutting-edge technology and next-gen endpoint agents that enforce a data handling policy — without connecting to a separate analysis engine. The tool also provides user training at the point of risk to promote and cultivate a security-conscious culture that supports PCI DSS compliance.
Contact Next to book a demo and learn how this advanced DLP solution increases data security and helps you maintain PCI DSS compliance.
Is PCI DSS a law?
PCI DSS is not a law and penalties for non-compliance are not imposed by any governmental body. The standards are administered and enforced by the PCI SSC, payment card processors, and banks. There are no criminal penalties associated with PCI DSS non-compliance.
Does PCI only affect U.S. businesses?
No, PCI DSS does not only affect U.S. businesses. It is a global standard that applies to all companies processing credit card payments no matter where they are located. Global enforcement of the standards is facilitated by the worldwide reach of the financial institutions that support the payment card industry.
Why would a company submit an ROC instead of an SAQ?
A business may elect to submit an ROC rather than an SAQ to ensure it is fully compliant with PCI DSS. The additional requirements necessary to complete an ROC can identify vulnerabilities or areas that need to be addressed to maintain compliance. It is beneficial for a company to expend the resources to complete an ROC rather than face potential fines for non-compliance.