Getting Started with PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to help ensure that companies that process, store, or transmit credit and debit card information maintain a secure environment. It is not a law; it is a contractual obligation, imposed by the card brands through acquiring banks' merchant agreements, on any business that accepts payment cards.
The PCI DSS requirements apply to all entities that store, process, and/or transmit cardholder data. This includes merchants, payment processors, financial institutions, service providers, and other organizations. The requirements are designed to protect cardholder data and apply to all payment channels, including retail (brick-and-mortar stores), e-commerce, mail/telephone orders, and more.
Key Takeaways
- PCI DSS stands for Payment Card Industry Data Security Standard and is a set of security requirements for handling credit/debit card data.
- Adhering to PCI DSS is mandatory for any business that processes, stores, or transmits payment card information.
- The standard applies to merchants, processors, financial institutions, service providers, and any entity handling card data.
- There are 12 main requirements organized into 6 logically related groups aimed at protecting cardholder data.
- Requirements cover security controls like firewalls, encryption, access controls, policies, procedures, network architecture, software design, and more.
- Businesses must validate compliance annually. The largest merchants are assessed on site by a PCI SSC-qualified assessor (a QSA, or a certified Internal Security Assessor); most others complete a Self-Assessment Questionnaire (SAQ).
What is PCI DSS
PCI DSS consists of 12 core requirements for securing payment card data. These requirements were developed by the PCI Security Standards Council (PCI SSC), which was founded by the major payment card brands (Visa, Mastercard, American Express, Discover, JCB).
The PCI SSC is responsible for managing the security standards, while individual payment brands enforce compliance. If an organization is not PCI compliant, the card brands have the ability to impose fines, raise processing costs, revoke card acceptance rights, and damage the organization’s reputation.
There are four merchant levels, assigned by each card brand according to annual transaction volume. The 12 security requirements are the same at every level; what changes with volume is how compliance must be validated (self-assessment versus an on-site assessment) and how much evidence is required.
Objectives of PCI DSS
The overarching objectives of PCI DSS are to:
- Build and maintain secure payment card transaction networks.
- Protect cardholder data.
- Ensure all companies processing payments maintain security controls.
- Increase public confidence in payment system security.
By adhering to the standard, businesses put defined, auditable controls around account data storage, authentication, transaction handling, and network security instead of relying on ad hoc practices.
How PCI DSS Works
PCI DSS provides a baseline set of 12 requirements that represent a common, global security standard. New versions aim to address the latest payment industry threats and protect merchants from breaches.
Key elements include:
- Published requirements: The PCI Council publishes documentation clearly defining the 12 PCI DSS requirements.
- Self-assessment: Most merchants validate annually by completing the Self-Assessment Questionnaire (SAQ) that matches how they handle card data, together with a signed Attestation of Compliance (AOC).
- External assessments: The highest-volume merchants (Level 1, for example over 6 million Visa or Mastercard transactions per year) and many service providers must instead have an on-site assessment by a Qualified Security Assessor (QSA), or by a certified Internal Security Assessor (ISA), which produces a Report on Compliance (ROC).
- Compliance validation: Businesses submit their AOC, their SAQ or ROC, and passing ASV scan reports to their acquiring bank (some service providers report directly to the card brands), which reports their status onward to the brands.
- Enforcement: The payment card brands enforce compliance, issuing penalties for non-compliance. Fines and other disciplinary actions provide motivation.
- Feedback and updates: The standards are updated regularly based on new threats, technology, and industry feedback.
What are the Benefits of PCI Compliance
While PCI standards impose additional workloads, costs, and complexities onto merchants and processors, the benefits of compliance are substantial:
- Improved security: Comprehensive controls reduce the likelihood that cardholder data is compromised and limit the damage when something does go wrong.
- Compliance assurance: Validated compliance provides assurance to customers and partners that payment systems are secured to a known baseline.
- Risk reduction: Fewer successful attacks, and lower losses and liabilities from payment card breaches and fraud.
- Revenue protection: Ongoing credit card acceptance abilities ensure no disruptions to sales revenue.
- Cost avoidance: No fines or penalties from card brands for non-compliance. Also, avoidance of breach investigation, remediation, and lawsuit costs.
- Trust building: Compliance demonstrates a commitment to the security and protection of client information. This builds trust and credibility.
12 PCI DSS Requirements
The PCI DSS requirements are organized into the following 6 groups, with each containing underlying requirements:
Build and Maintain a Secure Network
- Install and maintain network security controls: Firewalls (or their cloud equivalents) must restrict connections between untrusted networks and any system in the cardholder data environment, allowing only documented, necessary traffic. Segmenting the cardholder data environment from the rest of the network is not mandatory, but it is the main way to reduce what is in scope.
- Change vendor-supplied defaults: All system passwords and security parameters must be changed from default settings to protect systems from malicious attacks.
Protect Cardholder Data
- Protect stored data: Cardholder data must be protected wherever it is stored to prevent breaches. Specific measures include data encryption, truncation, masking, and access control.
- Encrypt data sent across networks: Cardholder data transmitted over open, public networks (the Internet, wireless, and mobile networks) must be protected with strong cryptography, in practice TLS 1.2 or later; SSL and early TLS are no longer accepted as strong cryptography.
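As an added illustration of the storage controls listed above (example code written for this page, not from the PCI SSC, the original article, or any payment vendor), the block below implements the four techniques in the order a practitioner meets them: Luhn validation, masking for display, truncation for storage, and a keyed one-way hash of the full PAN as PCI DSS v4.0 requires. The 4111 1111 1111 1111 number is a published test PAN, and `DEMO_KEY` is a constructed placeholder; in production the key comes from an HSM or key management service.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812-1). Rejects typos and ~90% of random digit
    strings; it is not proof that the number belongs to a live account."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip the spaces/hyphens users type, then refuse anything non-PAN-shaped."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Masking for DISPLAY (Req. 3.4): the full PAN still exists behind it.
    Show only the last four unless the viewer has a documented business need
    to see the BIN; first six plus last four is the most that may ever be shown."""
    digits = normalize_pan(pan)
    head = digits[:6] if show_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for STORAGE (Req. 3.5.1): the middle digits are thrown away,
    so there is nothing to 'unmask' later. Keep at most first six plus last four."""
    digits = normalize_pan(pan)
    return digits[:6] + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the FULL PAN, usable as a lookup or
    de-duplication token. PCI DSS v4.0 Req. 3.5.1.1 requires PAN hashes to be
    keyed: an unkeyed SHA-256 is brute-forceable, because once the BIN and the
    last four are known only about a million candidates remain. The key belongs
    in an HSM/KMS under Req. 3.6/3.7 key management, never beside the tokens."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


# Sensitive authentication data (Req. 3.3.1): must not be retained after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def storage_record(card: dict, key: bytes) -> dict:
    """Build the only thing a merchant may persist after authorization. SAD fields
    are dropped, never copied, and the PAN is replaced by its truncation plus a
    keyed token. Storing truncation next to an UNKEYED hash of the same PAN is
    exactly the correlation Req. 3.5.1 forbids; with a keyed hash the missing
    middle digits cannot be recovered without the key."""
    record = {
        "pan_truncated": truncate_pan(card["pan"]),
        "pan_token": pan_token(card["pan"], key),
        "expiry": card.get("expiry"),            # cardholder data: may be stored if protected
        "cardholder_name": card.get("name"),     # cardholder data: may be stored if protected
    }
    assert not (SENSITIVE_AUTH_FIELDS & set(record)), "SAD must never reach storage"
    return record


if __name__ == "__main__":
    DEMO_KEY = b"demo-only-key-use-an-hsm-or-kms-in-production"   # constructed placeholder
    card = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29", "name": "TEST CARDHOLDER"}
    print("display (customer):", mask_pan(card["pan"]))                  # ************1111
    print("display (fraud desk):", mask_pan(card["pan"], show_bin=True))  # 411111******1111
    print("stored record:", storage_record(card, DEMO_KEY))
```

The distinction that trips people up in assessments is masking versus truncation: a masked PAN on a screen implies the full PAN is stored somewhere behind it and that storage is in scope, whereas a truncated value has nothing behind it. The keyed token is what lets a loyalty or fraud system recognise a returning card without holding the PAN.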
Maintain a Vulnerability Management Program
- Protect all systems and networks from malicious software: Anti-malware solutions must be deployed, kept current, and actively monitored on systems commonly affected by malware, and PCI DSS v4.0 adds protection of personnel against phishing.
- Develop and maintain secure systems and software: Security must be built into the development lifecycle (secure coding, code review, protection of public-facing web applications), vulnerabilities must be identified and ranked, critical security patches applied within one month of release, and changes made through formal change control.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know: Access rights are limited to the least privilege a job function requires and granted through an access control system that denies by default.
- Identify and authenticate access to system components: Every user has a unique ID, shared and generic accounts are prohibited, and multi-factor authentication is required for all remote access and, under PCI DSS v4.0, for all access into the cardholder data environment.
- Restrict physical access to cardholder data: Facilities and media holding card data must be physically secured, visitors controlled, and media inventoried and destroyed when no longer needed.
Regularly Monitor and Test Networks
- Track access and changes: Access to network resources and cardholder data is logged and monitored for anomalies. Processes must detect and report unauthorized activities.
- Test security controls: Vulnerability scanning, penetration testing, and security control assessments must be conducted regularly to identify vulnerabilities and failures before criminals do.
Maintain an Information Security Policy
- Support information security with organizational policies and programs: A comprehensive information security policy must be established, published, maintained, and distributed to all personnel and relevant third parties. This requirement also covers risk assessment, security awareness training, personnel screening, management of third-party service providers (including a written responsibility matrix), and an incident response plan that is tested at least annually. It is the only requirement in this group; logging and monitoring of access belong to the "Track access and changes" requirement above.
Who Must Comply with PCI DSS?
PCI DSS applies to any business that accepts, processes, stores, or transmits payment card data. This includes:
- Merchants: All merchants processing transactions with payment cards must comply. This includes brick-and-mortar retailers, ecommerce sites, mail order/telephone businesses, hospitality companies, and more.
- Payment Processors: Third party service providers that process transactions, manage credit card information or provide payment services must be PCI compliant.
- Issuing and Acquiring Banks: Financial institutions that issue payment cards, and acquirers that accept card transactions from merchants and settle them with the brands, must comply in their own right; acquirers are also responsible for their merchants' compliance programs.
- Service Providers: Any vendors that come into contact with card data as part of supporting merchants or processors must comply. This includes data storage providers, shopping carts, payment gateways, hosting providers and more.
- Government Agencies: Federal, state, and local government agencies that handle payments must comply with PCI DSS.
Even companies that do not directly handle credit card transactions may still come into contact with payment card data at some point in business operations. For this reason, PCI DSS takes a broad view of entities that must comply for the protection of consumers worldwide.
PCI DSS Compliance Levels and Requirements
There are four levels of PCI DSS compliance that entities are categorized into based on the number of transactions processed annually.
The volume of transactions impacts the level of assessment effort and documentation needed to validate compliance. The levels below are merchant levels as defined by Visa and Mastercard; service providers have a separate two-tier scheme, with Level 1 (over 300,000 transactions annually, or any payment processor) requiring a QSA assessment.
Level 1
Over 6 million Visa or Mastercard transactions annually (American Express sets its top tier at 2.5 million). Any merchant that has suffered a breach, or that a card brand designates as Level 1, is also treated as Level 1.
Requirements:
- Annual onsite assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA), producing a Report on Compliance (ROC)
- Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
- Signed Attestation of Compliance (AOC) submitted to the acquirer; an SAQ is not accepted at this level
Level 2
1 million to 6 million Visa or Mastercard transactions annually, all channels combined. Mastercard additionally requires the Level 2 SAQ to be completed by a QSA or by staff certified as an ISA.
Requirements:
- Annual SAQ
- Quarterly network security scan by an ASV
Level 3
20,000 to 1 million Visa e-commerce transactions annually.
Requirements:
- Annual SAQ
- Quarterly network security scan by an ASV
Level 4
Fewer than 20,000 Visa e-commerce transactions, and all other merchants processing up to 1 million Visa transactions annually.
Requirements:
- Annual SAQ (whether and how it must be submitted is usually set by the acquirer)
- Quarterly network security scan by an ASV where the applicable SAQ requires it; merchants that fully outsource card handling and have no in-scope Internet-facing systems may not need one, so confirm with the acquirer
How to Become PCI Compliant
Achieving and maintaining PCI compliance involves a multi-step process for businesses:
- Determine applicability: Map how card data enters, moves through, and leaves your environment, then work out which PCI DSS requirements and which SAQ (or a ROC) apply. Outsourcing card handling to a validated provider, or using a validated P2PE solution, removes most systems from scope.
- Assess environment: Thoroughly evaluate your full technical infrastructure, data storage, vendors, processes, controls, and any area relating to card data.
- Identify gaps: Compare your environment against PCI requirements to identify any vulnerabilities or non-compliant areas.
- Remediate issues: Create an action plan for closing gaps and becoming fully compliant by addressing vulnerabilities through new controls.
- Implement controls: Roll out new policies, processes, software, physical controls, and measures to become fully compliant.
- Monitor compliance: Maintain compliance through regular audits, tests, policy reviews, control validation, and updates as needed.
It is essential to involve stakeholders across your organization including leadership, finance, legal, IT and operations when pursuing PCI compliance. By making it an organizational initiative with shared accountability, businesses can effectively meet PCI standards.
Consequences of Non-Compliance
Failing to comply with PCI DSS exposes businesses to substantial risk in the form of fines, legal liabilities, reputational damage, and loss of card processing abilities. Consequences may include:
- Fines and penalties: Payment card brands can levy fines on acquiring banks for non-compliant merchants, and acquirers pass them through to the merchant. Commonly cited figures run from $5,000 to $100,000 per month, escalating the longer non-compliance persists.
- Loss of card acceptance: Card brands may prohibit non-compliant businesses from accepting their cards until validated as compliant. This can severely impact revenue.
- Higher processing fees: Ongoing fees for card processing can be increased for businesses that do not meet compliance standards.
- Loss of customers: Customers losing confidence in a company’s security practices may take business elsewhere if PCI non-compliance becomes known.
- Investigation costs: Forensic investigation, legal, and public relations costs can tally into the millions after a breach.
- Lawsuits: Class action lawsuits may follow, with settlements in the hundreds of millions in some cases. Equifax's 2017 breach (of consumer credit data rather than card data) led to a settlement with the FTC, the CFPB, and US states of up to $700 million.
For retailers that depend on payment card transactions, sanctions and penalties for non-compliance can be operationally crippling. The costs easily justify appropriate investments to meet and maintain PCI standards.
Achieving Ongoing PCI Compliance
Compliance with PCI DSS is not a one-time event but rather an ongoing process requiring constant vigilance. To maintain compliance, businesses should:
- Communicate standards: Publish and distribute PCI requirements to all personnel and train staff for awareness.
- Monitor continuously: Log, monitor, and audit all systems handling card data to detect issues.
- Update systems: Keep payment applications, POS devices, databases and systems updated per PCI guidelines. Perform testing before changes move to production.
- Review policies and controls: Check that policies, procedures, and controls remain compliant with updated standards.
- Conduct risk assessments: Periodically perform assessments on vulnerabilities, threat vectors, and security controls.
- Maintain validation: Complete the annual SAQ or, where the merchant level requires it, a QSA/ISA assessment, plus the quarterly ASV scans, so that validated status never lapses.
By taking a proactive approach to maintaining PCI DSS adherence rather than reacting only when audits occur, merchants remain resilient against evolving threats.
PCI DSS Versions
PCI DSS was originally revised on a roughly three-year cycle; since version 3.2 the Council has released updates as needed rather than on a fixed schedule. Key PCI DSS versions include:
- PCI DSS 1.0: Released in December 2004, the original standard established a common baseline for securing payment card data.
- PCI DSS 1.1: Minor revisions in September 2006, prior to a major update.
- PCI DSS 1.2: Major update in October 2008 to enhance clarity, flexibility and security.
- PCI DSS 2.0: Released in October 2010 to improve management of evolving threats and risk mitigation tactics.
- PCI DSS 3.0: Launched in November 2013 to address changes in the threat landscape due to increased data breaches. Added a formal penetration testing methodology (Requirement 11.3) and guidance on cloud and shared service-provider responsibilities.
- PCI DSS 3.1: Released in April 2015. Removed SSL and early TLS from the definition of strong cryptography, with a migration deadline later extended to June 2018.
- PCI DSS 3.2: Released in April 2016. Extended multi-factor authentication to all non-console administrative access to the cardholder data environment and added new requirements for service providers.
- PCI DSS 3.2.1: Released in May 2018 as a minor revision; it was retired on March 31, 2024.
- PCI DSS 4.0: Launched in March 2022. Introduced the customized approach (meeting a requirement's objective with alternative controls), targeted risk analyses, multi-factor authentication for all access into the cardholder data environment, longer passwords, keyed hashing of PANs, and new controls against e-commerce skimming (integrity and change detection for payment-page scripts). Many of its new requirements were future-dated until March 31, 2025.
- PCI DSS 4.0.1: Released in June 2024 as a limited revision correcting errors and clarifying guidance in 4.0, without adding or removing requirements.
PCI DSS will continue evolving to address new vulnerabilities introduced by changing technologies and provide the most effective standards for protecting cardholder data.
PCI DSS Compliance Certification
Merchants are required to prove they comply with PCI DSS standards on an annual basis. Validation typically involves two key elements:
PCI Self-Assessment Questionnaire (SAQ)
Merchants must complete an SAQ based on their business model and transaction volumes. The SAQ covers all applicable PCI requirements and relevant testing procedures for the individual business.
There are different SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC, and D, which has separate versions for merchants and service providers), each matching a way of handling card data: SAQ A, for example, is for merchants that fully outsource card handling to a validated third party, while SAQ D is for everyone who fits no narrower type. Merchants choose the type that matches their operations, and the acquirer may require a particular one. The completed SAQ and the signed Attestation of Compliance are submitted to the acquiring bank.
Network Vulnerability Scans
External vulnerability scans must be completed at least quarterly by an Approved Scanning Vendor (ASV), and again after any significant change. The ASV scans the Internet-facing IP addresses and domains that are in scope for the cardholder data environment; internal networks are covered by the merchant's own internal scans, not by the ASV. A passing scan has no vulnerabilities rated CVSS 4.0 or higher, and the ASV's scan report is submitted to the acquiring bank as evidence.
For most smaller merchants, the SAQ and clean vulnerability scans are adequate for validating PCI compliance. Larger merchants and processors face additional assessment requirements.
Roles for PCI Compliance
Various stakeholders participate in the PCI compliance process:
- Merchants: Submit SAQs, meet relevant PCI requirements, complete vulnerability scans, and implement controls and policies.
- Acquiring Banks: Sponsor merchants in card brand programs, collecting and submitting compliance documentation. May assist merchants with compliance.
- Card Brands: Founded and fund the PCI SSC, set merchant and service provider levels and validation deadlines, require compliance through their operating rules, collect validation documentation via acquirers, and impose penalties for non-compliance.
- QSAs: Conduct onsite assessments for larger merchants and service providers to validate PCI compliance.
- ASVs: Scan networks and applications to identify vulnerabilities impacting PCI compliance.
- Forensic Investigators: Conduct investigations after breaches to determine the root cause of PCI compliance failures and assist with remediation.
Best Practices for PCI Compliance
Organizations aiming to successfully obtain and maintain PCI compliance should consider the following best practices:
- Obtain buy-in from leadership and build a cross-functional PCI compliance team.
- Inventory all systems and data flows that handle card data to fully understand the scope.
- Implement the minimum data retention period required for business needs. The less stored, the better.
- Classify data and implement strong access controls such as role-based access and multi-factor authentication.
- Encrypt cardholder data anywhere it moves, including over internal networks.
- Use white-list firewall rules to only allow required traffic, blocking everything else.
- Never store sensitive authentication data after authorization, even encrypted: full magnetic-stripe or chip-equivalent track data, card verification codes (CVV2/CVC2/CID), and PINs or PIN blocks. This is prohibited outright (Requirement 3.3.1), not merely discouraged.
- Monitor systems with audit logging to obtain visibility into any changes or unauthorized access attempts.
- Keep systems patched and updated to avoid vulnerabilities. Test patches before deployment.
- Work with QSAs and/or ASVs early in the process for compliance insights.
- Include PCI compliance in vendor contracts to ensure service providers also adhere to requirements.
Avoiding the common mistakes and misconceptions described next will make the assessment process smoother and keep cardholder data protected between assessments.
Common PCI Compliance Mistakes
Businesses aiming to comply with PCI standards often make the following common missteps:
- Not keeping compliant: Neglecting to maintain PCI compliance after validation leads to lapses in controls until the next assessment.
- Improper scoping: Only including a subset of systems that interact with card data rather than all components within scope.
- Weak access controls: Failing to properly control access with unique credentials, role restrictions, and multi-factor authentication.
- Insecure remote access: Exposing RDP, SSH, or VPN endpoints directly to the Internet without multi-factor authentication, or leaving vendor remote-support accounts permanently enabled. Remote access into the cardholder data environment must use MFA and vendor accounts must be enabled only when needed and monitored while in use.
- Vulnerable web apps: Running outdated web apps rife with vulnerabilities that provide paths to compromise cardholder data.
- Unencrypted data transfers: Sending card data over public networks without strong cryptography, storing it unprotected, or relying on deprecated protocols and weak algorithms such as SSL, early TLS, or RC4.
- Incomplete logging: Not implementing thorough logging of access and changes to in-scope systems storing card data.
- Missed vendor risks: Allowing vendors access to systems and card data without contractual PCI obligations, a documented responsibility matrix, or a copy of the vendor's Attestation of Compliance.
- Lack of testing: Not performing penetration tests, vulnerability scans and firewall audits to validate controls.
Avoiding these common pitfalls and diligently meeting all applicable PCI requirements is critical for organizations that handle sensitive cardholder data.
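The scoping and prohibited-data best practices above, and the "improper scoping" and "incomplete logging" mistakes, come down to one question: where is card data actually sitting? Below is an added example (written for this page, not taken from any PCI tool or from the original article) of a small discovery scanner run over constructed log lines. It looks for PAN-shaped digit runs that pass the Luhn check, for raw magnetic-stripe track data, and for CVV/PIN fields that an application should never have written to a log. The log lines are constructed and the account numbers are published test PANs, not real accounts.

```python
import re

# A PAN-shaped run: 13-19 digits, optionally grouped with spaces/hyphens, and not
# embedded in a longer digit run (so track-2 discretionary data does not match).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts; storing these after authorization is prohibited (Req. 3.3.1):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code>...?    track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Card verification values / PINs written as key=value pairs by careless application logging.
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin(?:_block)?)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check: drops ~90% of random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report findings masked (first six / last four) so the report itself
    does not become one more place where full PANs are stored."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(line: str):
    """Return findings for one line; each is {'kind': ..., 'value': ...}."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            if luhn_valid(pan) and pan not in seen:
                seen.add(pan)
                findings.append({"kind": kind, "value": mask(pan)})
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan) and pan not in seen:       # skip PANs already reported as track data
            seen.add(pan)
            findings.append({"kind": "pan", "value": mask(pan)})
    for m in SAD_FIELD_RE.finditer(line):
        findings.append({"kind": "sensitive_auth_field", "value": m.group(1).lower()})
    return findings


def scan_log(lines):
    """Scan an iterable of log lines; returns one dict per finding with its line number."""
    report = []
    for n, line in enumerate(lines, 1):
        for f in find_card_data(line):
            report.append({"line": n, **f})
    return report


# Constructed sample log; the account numbers are published test PANs, not real accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO checkout pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2024-05-01T10:00:02Z DEBUG pos raw=%B5555555555554444^DOE/JANE^29121015432112345678?",
    "2024-05-01T10:00:03Z DEBUG pos raw=;378282246310005=29121015432112345678?",
    "2024-05-01T10:00:04Z INFO order=1700000000123 status=ok",
    "2024-05-01T10:00:05Z INFO pan=************1111 token=9f2c status=authorized",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Every hit turns a system you thought was out of scope into an in-scope one: the log server, its backups, and whoever can read them. The Luhn check removes most order numbers and timestamps, but about one random 13-19 digit run in ten still passes, so a production scanner would also check the first six digits against a BIN list and let analysts confirm before anything is escalated.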
PCI DSS Future Direction
As payment technologies and data threats continue evolving, PCI standards will adapt to the changing landscape. Some areas of future focus include:
Increasing Flexibility
Future PCI DSS versions are likely to build in more flexibility on controls, allowing for alternative safeguards using different tools that still satisfy the intent of requirements. This will accommodate diverse merchant environments.
Emerging Technologies
Standards will continue addressing risks around new technologies like blockchain, cryptocurrency, mobile wallets, artificial intelligence/machine learning and quantum computing for payments.
Cloud Environments
Additional guidance for card data in Software-as-a-Service (SaaS) models, cloud access security and unique risks in cloud deployments will be provided.
Data-Centric Approach
There will be a growing emphasis on data discovery, classification, and monitoring to augment existing system/network controls. Data loss prevention and rights management techniques will gain focus.
Third-Party Risks
More rigorous standards will likely apply to service providers that access merchant systems and cardholder data. Managing third-party risks will be an increased priority across the industry.
Evolving PCI DSS to address emerging payment technologies and methodologies will strengthen consumer protection and enable innovation to occur securely.
Final Thoughts
In conclusion, PCI DSS (Payment Card Industry Data Security Standard) is a set of comprehensive requirements designed to enhance payment card data security and reduce the risk of data breaches. It requires organizations handling cardholder data to implement robust security measures, such as network security controls, encryption of data in transit, and regular testing of systems for vulnerabilities.
Compliance with PCI DSS is not just a one-time exercise but an ongoing process that requires continuous monitoring, vulnerability management, and adherence to best practices.
By achieving and maintaining PCI DSS compliance, organizations can safeguard sensitive payment data, build customer trust, avoid hefty fines and penalties, and protect their reputation in the marketplace.
Frequently Asked Questions (FAQ) About PCI DSS
What types of businesses need to be PCI compliant?
Any business that accepts, processes, transmits, or stores payment card data must comply. This includes brick-and-mortar retailers, ecommerce sites, hotels, car rental agencies, restaurants, and any merchant with a credit card terminal.
What happens if my business is not PCI compliant?
Consequences can include fines, increased processing fees, revocation of card acceptance rights and damage to your reputation. Lawsuits and investigation costs after a breach can also result.
Does PCI DSS compliance guarantee I will not be breached?
No. While PCI DSS aims to secure card data, compliance does not guarantee immunity from breaches. Maintaining control and vigilance is critical.
How often do I need to validate PCI DSS compliance?
Every 12 months, merchants must complete a new SAQ (or, at Level 1, a ROC) and submit a signed AOC, and they must pass an ASV scan every quarter. Large merchants and service providers do not validate more often, but their annual validation is more stringent, requiring an on-site assessment.
What are the costs of PCI compliance and non-compliance?
Costs vary based on business size and risk. Typical compliance costs include technology changes, audits, personnel training, and professional services. Non-compliance fines can exceed $100,000 monthly.
Can I rely on service providers for PCI compliance?
No. Merchants using third-party processors or software remain responsible for PCI compliance within their own environment and for managing the provider (Requirement 12.8): obtain the provider's Attestation of Compliance, keep a written responsibility matrix stating which requirements each party covers, and review the provider's status at least annually. Outsourcing can shrink your scope considerably but never to zero.
What is more costly: maintaining compliance or suffering a breach?
Breaches cost substantially more. IBM's 2021 Cost of a Data Breach Report put the average cost of a breach at $4.24 million, and later editions have reported higher figures. Investing appropriately in compliance is wise.
Does PCI DSS protect against all breaches?
No. While PCI aims to secure card data, risks like social engineering attacks against employees and insider threats may still lead to breaches if controls are bypassed. Compliance does not guarantee total security.
How long after validation is my compliance certification valid?
One year. Annual validations are required to account for any changes in the business that may impact security controls and compliance with evolving standards.
Can I be PCI compliant while still using end-of-life software?
Generally no. Requirement 6 requires that security patches be applied, and software that no longer receives vendor patches cannot meet it. An assessor may accept documented compensating controls (such as network isolation and additional monitoring) for a limited time while the system is being replaced, but end-of-life software is a finding to remediate, not a steady state.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.