PCI Compliance Overview: Requirements, Standards & Solutions
If your company handles credit card data and is not following PCI compliance standards, you could face large penalties if those gaps aren’t corrected.
What does PCI compliance mean? Payment card industry compliance is a set of requirements created by the PCI Security Standards Council that call for any company handling credit card data to follow certain rules to protect consumer information.
What Is PCI Compliance?
PCI compliance is a set of security standards designed to ensure that businesses that process, store, or transmit credit card information maintain a secure environment. It requires businesses to adhere to a list of security requirements, including the installation of firewalls, encryption, and regular testing of systems. Failure to comply with these standards can lead to hefty fines and other penalties.
Benefits of PCI Compliance
Organizations that commit to PCI compliance cite many business benefits. These are just a few:
- Security of Payment Card Data: Adhering to the PCI DSS requirements helps protect customer payment card data from security threats and vulnerabilities.
- Increased Customer Confidence: Meeting and maintaining PCI DSS compliance demonstrates that your business is taking steps to protect customer payment card data, which increases customer confidence.
- Fraud Prevention: PCI compliance helps reduce the risk of fraud by making it harder for criminals to access payment card data.
- Reduction of Noncompliance Penalties: If your business is found to be noncompliant with PCI DSS standards, you may be subject to costly fines and penalties. Proactively meeting and maintaining PCI compliance can help reduce the risk of noncompliance penalties.
- Improved Efficiency: Adopting and following the PCI DSS requirements can help to streamline and improve processes related to payment card data handling.
Requirements for PCI Compliance
The requirements to achieve PCI compliance, while numerous and onerous, are nevertheless attainable. Here are a few key requirements that will get you and your organization on the road to PCI compliance:
- Establish a secure network: All cardholder data and other sensitive information must be kept in a secure network environment that is protected from security threats. This should include firewalls, intrusion detection systems, and other measures designed to protect the cardholder data.
- Protect stored data: All stored cardholder data must be encrypted and maintained in a secure environment.
- Maintain a vulnerability management program: Organizations must have a program in place to identify and address any vulnerabilities or weaknesses in their system. This includes regularly updating antivirus and anti-malware software, as well as implementing security patches to address any identified vulnerabilities.
- Implement strong access control measures: Access to cardholder data and other sensitive data must be restricted to only those employees who need access to do their jobs. Organizations must have a system of access control in place that includes authentication, authorization, and monitoring of employee activities.
- Regularly monitor and test networks: Organizations must monitor all network traffic and regularly test their security measures to identify any potential vulnerabilities or weaknesses. This should include both internal and external scanning of all systems to detect any unauthorized access.
- Maintain an information security policy: Organizations must have an information security policy in place that outlines their security measures and procedures. All employees and third-party providers must be familiar with this policy and adhere to its requirements.
- Ensure compliance: Organizations must ensure that they are compliant with all applicable laws and regulations related to payment card security. This includes PCI DSS (Payment Card Industry Data Security Standard) compliance.
What Is PCI DSS?
The Payment Card Industry Data Security Standard is a cybersecurity and privacy framework targeting any organization accepting credit or debit card payments, either in person or online. Originally conceived and released in December 2004 by the major credit card provider networks (American Express, Discover, JCB International, Mastercard, and Visa), PCI was created as a way for these networks, and anyone processing credit cards from these providers, to manage customer data privacy, prevent fraud, and protect consumer information from unauthorized disclosure.
It is also intended to streamline the disparate information security programs that many of these companies had already implemented. Unlike some other cybersecurity frameworks, PCI DSS is not regulated or required by any government laws.
While there are criminal penalties for acts of theft and fraud, PCI represents the technical and administrative requirements that payment processors must meet in order to participate in credit card transactions. The credit card providers create, update, and enforce these requirements. Penalties for noncompliance are also managed by these companies.
Some of the penalties levied against merchants and processors for noncompliance include the following:
- Continued Noncompliance: Fees ranging from $5,000 to $100,000 per month, based on the volume of transactions processed by a business annually.
- Increased Transaction Fees: High-risk merchants and processors may face increased fees for transactions based on noncompliance and breach threats.
- Loss of Merchant Account: For severe cases of breach, theft, or fraud related to continuing noncompliance, credit card companies can opt to revoke an organization’s ability to process transactions.
These penalties are only the ones tied directly to PCI DSS. Breaches related to noncompliance can also expose a business to legal liability if it is sued by attorneys general or as part of a class-action lawsuit.
Currently operating under version 3.2.1, PCI DSS is set for a major update, version 4.0, in Q1 of 2022. According to the PCI Security Standards Council (PCI SSC), this update is a significant revision that will add new requirements to support increased online commerce and purchase processing on mobile devices.
What Are the 12 PCI DSS Requirements?
PCI data security calls for payment processors to handle customer data using the appropriate technical and administrative measures. These measures apply to several broad goals, including building secure networks, protecting data, implementing access controls, monitoring and testing systems, and maintaining security policies.
To address these goals, PCI DSS offers 12 unique requirements for data cybersecurity:
- Install and maintain a firewall configuration to protect cardholder data: This is rather self-explanatory—install and maintain firewall technology as a perimeter around a device or system storing or transmitting consumer credit information.
- Do not use vendor defaults for system passwords: The practice of keeping plain, vendor-provided passwords for cloud tools, software, or Software-as-a-Service (SaaS) applications is unfortunately quite prevalent. PCI DSS requires that organizations replace default usernames and passwords with unique ones and change any other default security parameters.
- Protect stored cardholder data: Provide encryption for data at rest in a server, including from point of sale software or through PCI-compliant file sharing and email.
- Encrypt transmission of cardholder data across open, public networks: Provide encryption in transit between devices and servers across networks where the traffic could otherwise be read by third parties.
- Use and regularly update antivirus software: Systems holding customer or credit data must have up-to-date antivirus/anti-malware software in place.
- Develop and maintain secure systems and applications: This is a wide-ranging requirement. Generally speaking, it refers to the requirement of using and developing secure software for use with credit information, performing system and code reviews where necessary, maintaining security policies for system upgrades and changes, and implementing security measures to block common attacks.
- Restrict access to cardholder data by business need to know: In short, this involves blocking access to credit data based on roles within the organization. Minimizing information access minimizes the potential for theft or accidental disclosure.
- Assign a unique ID to each person with computer access: An organization should assign unique IDs to all registered users to support tracking and accountability for all user actions. It also helps preserve the integrity of the system and of the record of what happens on it.
- Restrict physical access to cardholder data: Maintain security controls for access to data centers, workstations, or other devices storing cardholder data. This can include cameras and keypad access to servers or multi-factor authentication and encryption on laptops with network access.
- Track and monitor all access to network resources and cardholder data: Perform regular and ongoing network monitoring to trace user events, system access events, and any interactions with cardholder information.
- Regularly test security systems and processes: Perform standardized and regular vulnerability scans (at shorter intervals) and penetration testing.
- Maintain a policy that addresses information security for employees and contractors: Enshrine security policies, procedures, governance requirements, and security practices in official company documentation.
What Are the Components of PCI DSS Requirements?
The PCI Security Standards Council mandates PCI DSS reporting levels based on merchant payment processing volume:
- Level 4: Businesses with less than 20,000 credit card transactions annually
- Level 3: Businesses with 20,000 to one million credit card transactions annually
- Level 2: Businesses with one to six million credit card transactions annually
- Level 1: Businesses with over six million credit card transactions annually
Depending on the level of an organization, the compliance validation requirements differ:
- Organizations at Levels 2-4 must complete a Self-Assessment Questionnaire (SAQ), a self-driven assessment through a guided questionnaire released by the Security Standards Council. The SAQ helps the organization understand its security posture and make the changes needed to meet compliance.
- Organizations at Level 1 must, on top of their SAQ, complete an annual Report on Compliance (ROC), consisting of an audit conducted by a third-party Qualified Security Assessor (QSA). Assuming changes were made to meet compliance, the organization must complete a formal Attestation of Compliance (AOC). Finally, the organization must work with an Approved Scanning Vendor (ASV) to receive regular vulnerability scanning at least once every 90 days.
After completing the SAQ, the QSA-conducted ROC, and the AOC, and working with an ASV, the organization provides the documentation to its acquiring bank (which manages its merchant account) to demonstrate compliance.
Any business that processes credit card payments must meet PCI DSS compliance even when using third-party or cloud payment service providers. Even when a third party processes the payments, that information will almost invariably flow through company systems.
Accept Cardholder Payments Without Interruption With PCI DSS Compliance
Even though PCI DSS is not enforced at the government level, no organization can maintain a payment processing or retail system without compliance. The penalties are steep, and credit card networks can make it difficult, if not impossible, to do business unless you meet security standards.
To discover the Kiteworks platform and how it can support PCI-compliant managed file transfer, contact us for a free, tailored demonstration.