If your company handles credit card data and is not following PCI compliance standards, you could face large penalties if the deficiencies aren’t corrected.
What does PCI compliance mean? Payment card industry compliance is a set of requirements created by the PCI Security Standards Council that call for any company handling credit card data to follow certain rules to protect consumer information.
What Is PCI DSS?
The Payment Card Industry Data Security Standard is a cybersecurity and privacy framework targeting any organization accepting credit or debit card payments, either in person or online. Originally conceived and released in December 2004 by the major credit card provider networks (American Express, Discover, JCB International, Mastercard, and Visa), PCI was created as a way for these networks, and anyone processing credit cards from these providers, to manage customer data privacy, prevent fraud, and protect consumer information from unauthorized disclosure.
It is also intended to streamline the disparate information security programs that many of these companies had already implemented. Unlike some other cybersecurity frameworks, PCI DSS is not regulated or required by any government laws.
While there are criminal penalties for acts of theft and fraud, PCI represents the technical and administrative requirements that payment processors must meet in order to participate in credit card transactions. The credit card providers create, update, and enforce these requirements. Penalties for noncompliance are also managed by these companies.
Some of the penalties levied against merchants and processors for noncompliance include the following:
- Continued Noncompliance: Fees ranging from $5,000 to $100,000 per month, based on the volume of transactions processed by a business annually.
- Increased Transaction Fees: High-risk merchants and processors may face increased fees for transactions based on noncompliance and breach threats.
- Loss of Merchant Account: For severe cases of breach, theft, or fraud related to continuing noncompliance, credit card companies can opt to revoke an organization’s ability to process transactions.
These are only the penalties imposed directly under PCI DSS. Breaches related to noncompliance can also expose a business to legal liability if it is sued by attorneys general or as part of a class-action lawsuit.
Currently operating under version 3.2.1, PCI DSS is set for a major update, version 4.0, in Q1 of 2022. According to the PCI Security Standards Council (PCI SSC), this update is a significant revision that will add new requirements to support increased online commerce and purchase processing on mobile devices.
What Are the 12 PCI DSS Requirements?
PCI data security calls for payment processors to handle customer data using the appropriate technical and administrative measures. These measures apply to several broad goals, including building secure networks, protecting data, implementing access controls, monitoring and testing systems, and maintaining security policies.
To address these goals, PCI DSS offers 12 unique requirements for data cybersecurity:
- Install and maintain a firewall configuration to protect cardholder data: This is rather self-explanatory—install and maintain firewall technology as a perimeter around a device or system storing or transmitting consumer credit information.
- Do not use vendor defaults for system passwords: The practice of keeping plain, vendor-provided passwords for cloud tools, software, or Software-as-a-Service (SaaS) applications is unfortunately quite prevalent. PCI DSS requires organizations to replace vendor defaults with unique usernames and passwords and to change any other default security parameters.
- Protect stored cardholder data: Encrypt data at rest on servers, including data captured by point-of-sale software or exchanged through PCI-compliant file sharing and email.
- Encrypt transmission of cardholder data across open, public networks: Encrypt data in transit between devices and servers over networks where it could otherwise be intercepted and read.
- Use and regularly update antivirus software: Systems holding customer or credit data must have up-to-date antivirus/anti-malware software in place.
- Develop and maintain secure systems and applications: This is a wide-ranging requirement. Generally speaking, it requires using and developing secure software for handling credit information, performing system and code reviews where necessary, maintaining security policies for system upgrades and changes, and implementing security measures to block common attacks.
- Restrict access to cardholder data by business need to know: In short, this involves blocking access to credit data based on roles within the organization. Minimizing information access minimizes the potential for theft or accidental disclosure.
- Assign a unique ID to each person with computer access: An organization should assign unique IDs to all registered users to support tracking and accountability for all user actions. It also supports the integrity of the system and provides an audit trail of what happens on it.
- Restrict physical access to cardholder data: Maintain security controls for access to data centers, workstations, or other devices storing cardholder data. This can include cameras and keypad access to servers or multi-factor authentication and encryption on laptops with network access.
- Track and monitor all access to network resources and cardholder data: Perform regular and ongoing network monitoring to trace user events, system access events, and any interactions with cardholder information.
- Regularly test security systems and processes: Perform standardized, recurring vulnerability scans (at shorter intervals) and penetration testing.
- Maintain a policy that addresses information security for employees and contractors: Enshrine security policies, procedures, governance requirements, and security practices in official company documentation.
What Are the Components of PCI DSS Requirements?
The PCI Security Standards Council mandates PCI DSS reporting levels based on merchant payment processing volume:
- Level 4: Businesses with less than 20,000 credit card transactions annually
- Level 3: Businesses with 20,000 to one million credit card transactions annually
- Level 2: Businesses with one to six million credit card transactions annually
- Level 1: Businesses with over six million credit card transactions annually
Depending on the level of an organization, regulatory compliance requirements can change:
- Organizations at Levels 2-4 must complete a Self-Assessment Questionnaire (SAQ), a self-driven assessment through a guided questionnaire released by the Security Standards Council. The SAQ helps the organization understand its security posture and change to meet compliance.
- Organizations at Level 1 must, on top of their SAQ, complete an annual Report on Compliance (ROC), consisting of an audit conducted by a third-party Qualified Security Assessor (QSA). Assuming changes were made to meet compliance, the organization must complete a formal Attestation of Compliance (AOC). Finally, the organization must work with an Approved Scanning Vendor (ASV) to receive regular vulnerability scanning at least once every 90 days.
After completing the SAQ, the QSA-conducted ROC, and the AOC, and working with an ASV, the organization provides the documentation to its acquiring bank (which manages its merchant account) to demonstrate compliance.
Any business that processes credit card payments must meet PCI DSS compliance even when using third-party or cloud payment service providers. Even when a third party processes the payments, that information will almost invariably flow through company systems.
Accept Cardholder Payments Without Interruption With PCI DSS Compliance
Even though PCI DSS is not enforced at the government level, no organization can maintain a payment processing or retail system without compliance. The penalties are steep, and credit card networks can make it difficult, if not impossible, to do business unless you meet security standards.