PCI DSS: Credit Card Compliance

If your business handles credit card transactions and is not PCI DSS compliant, you need to keep reading in order to avoid possible legal ramifications.

To what does PCI DSS refer? PCI DSS is the Payment Card Industry Data Security Standard. It protects credit card users by requiring merchants to meet certain criteria to handle credit card transactions in their business.

What Is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework devised, published, and managed by the Payment Card Industry Security Standards Council. PCI DSS explicitly governs security around credit card transactions and other forms of card-based payments (credit-backed debit cards, online purchasing, etc.).

The PCI Council, formed by American Express, Discover Financial Services, JCB International, Visa, and Mastercard, manages information security in the evolving payment processing industry.

Since credit card and online payments have become the norm over the past several decades, the PCI Council was formed to address the technical and compliance safeguards that merchants and payment processors can put into place to protect customer data, prevent theft and fraud, and maintain consumer confidence in credit card payment processing.

More importantly, these companies realized the importance of interoperability and recognized their power in the private sector to implement important safety and security controls that benefit businesses and consumers. While each member had, at one point or another, attempted to field a more comprehensive approach to payment processing security, these combined efforts eventually translated into the first edition of PCI DSS, version 1.0, released in December 2004.

PCI DSS is not a legal requirement to handle payments. Instead, it is instituted by the PCI Council at the behest of the major credit card providers. These providers control the payment networks and have authority over the requirements a merchant or payment processor must meet to use those networks. Merchants or other processors that do not follow PCI DSS can face increasingly punitive penalties or even completely lose their ability to accept credit cards as payments.

The latest version of PCI DSS is version 3.2.1 (colloquially referred to as "three-two-one"). Implemented in May 2018, this version addressed the rise in prominence of online shopping and sophisticated credit card theft scams. However, there are some limitations to the applicability of standards based on new technologies like mobile devices and digital wallets.

The newest version of PCI, version 4.0, is expected to publish in Q1 of 2022.

What Are PCI Levels and How Do They Impact Audits?

All merchants or payment processors expecting to accept credit card payments must have a Report on Compliance demonstrating compliance. The Report on Compliance is required annually via compliance audits. Audits are investigations undertaken either internally or by a Qualified Security Assessor (QSA) registered and certified by the PCI Council. Whether or not a business must undergo a third-party audit versus an internal audit depends on the organization’s rating under PCI metrics.

The four levels of compliance are based on the volume of transactions published annually and are as follows:

• Level 4: The lowest level, merchants at Level 4 only process fewer than 20,000 transactions per year.
• Level 3: At this stage, merchants process between 20,000 and 1 million transactions.
• Level 2: At Level 2, merchants process between 1 and 6 million transactions per year.
• Level 1: The largest retailers and merchants, Level 1 applies to merchants processing over 6 million transactions per year.

Merchants at Level 1 are required to undergo third-party assessments from QSAs. However, those at Levels 2, 3, and 4 can complete a self-assessment, along with a Self-Assessment Questionnaire. Merchants at Levels 3 and above that suffer a security breach may be required to meet the requirements of higher levels for an interim period of time.

What Are the 12 Requirements of PCI DSS?

The core of compliance is the adherence to 12 primary requirements. These requirements are as follows:

1. Use Firewalls: An IT perimeter must have an appropriate security firewall to protect against unauthorized access. Compliance requires merchants and processors to implement and maintain firewalls.
2. Password Protection: Organizations must have secure and compliant identity and access management and/or secure access tools to control how users interact with their infrastructure. This includes protecting passwords and implementing some formal role-based access control.
3. Protect Cardholder Data: Organizations must use encryption and cryptography to protect user data in transit and at rest. 
4. Encrypting Transmitted Data: Specifically, merchants must encrypt any payment information transmitted over networks, and data should never be sent to an unknown location.
5. Use Anti-malware Software: While anti-malware software is great to use in any scenario, PCI DSS requires anti-malware on payment devices, point-of-sale (POS) systems, or any infrastructure containing payment or customer information.
6. Properly Updated Software: Firewalls, anti-malware, and any other system software or firmware must be updated regularly.
7. Restrict Data Access: Merchants must have logical restrictions against unauthorized data access. This includes restricted access from outside the organization to segmented access internally.
8. Unique Access IDs: Any user accessing payment information should have a unique and secure ID used for authentication, authorization, and monitoring.
9. Restrict Physical Access: On top of restricted digital access, compliance also expects merchants to monitor and restrict physical access to systems containing payment information. This means securing data centers and workstations, monitoring access on all devices, and using cameras and security keypads to maintain accountability.
10. Maintain Access Logs: Any interaction with payment information should include permission from the system or a higher-up. PCI DSS, however, requires businesses to implement logging tools to track all user events, including data access.
11. Implement Vulnerability Scanning and Penetration Testing: Compliance includes regular vulnerability scanning and penetration tests to ferret out weaknesses.
12. Use Documentation: While a compliant business might have logging tools in place, they must also have documentation policies in place. These include documenting policies and procedures around compliance, upgrades, and malfunctions.

What Are the Penalties for PCI DSS Noncompliance?

It is important to note that PCI DSS is not a legal requirement for doing business. However, it is a requirement to accept credit card payments.

PCI DSS penalties themselves are not published or made public, but noncompliance (especially breaches that result from noncompliance) can result in heavy fines.

Penalties can include the following:

• Fines of between $5,000 and $100,000 per month for repeated violations. Larger, Level 1 merchants with significant problems may see more scrutiny and higher penalties. 
• Damage to Merchant Account. A business can find it difficult or expensive to continue accepting credit card payments because of higher fees or a challenging risk profile.
• Suspension or Loss of Payment Processing. Card companies can decide that the breach of regulations is severe enough to merit complete loss of privileges.

What Are the Benefits and Best Practices for PCI DSS Compliance?

Merchants working on meeting or maintaining their compliance can follow a few best practices:

• Use a PCI-compliant Vendor for Payment Processing: When a business is not handling its own processing to sell goods or services, the best first step is to work with a compliant provider. Providers like Square or PayPal can give even smaller businesses simple and secure payment processing.
• Use PCI-compliant File Sharing and Storage: Companies that do handle their payment processing are advised to use compliant file-sharing services. Vendors providing compliant document management services, file transfer features like PCI-compliant managed file transfer or secure file transfer protocol, and secure email can streamline compliance and allow business and IT leaders to focus on more important things.
• Include Training and Education on Compliance: Unfortunately, the weakest link of most security and compliance systems is the people, and this is due largely in part to a lack of understanding of protocols. A compliant business must have thorough, complete, and evolving education programs to support team members and teach them how to keep the organization within regulations.
• Maintain Regular Security Testing and Monitoring: Any business handling customer credit data, whether for storage or processing, must also have a regular testing program. This includes continuous monitoring, vulnerability scanning, and penetration testing. Annual tests, at a minimum, can support compliance.

Thinking Ahead to PCI DSS Compliance

While many organizations don’t think they are responsible for compliance, the rise of online shopping and ecommerce, where credit card payments are predominant, is pushing more and more organizations to learn about PCI requirements.

If you want to learn more about PCI DSS and how cloud technology can support compliance, take a look at our blogs on the topic of PCI Compliance. Or, simply sign up for a short demo of the Kiteworks platform to learn how it unifies, tracks, controls, and secures all of your content communications.

 

Back to Risk & Compliance Glossary