The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards intended to keep the global payment card ecosystem trustworthy. Developed and maintained by the PCI Security Standards Council (PCI SSC), PCI DSS is meant to secure debit and credit card transactions, to prevent cybersecurity issues like data theft or fraud.
Any merchant or business that accepts payment cards from customers and processes this data must comply with PCI DSS requirements. The latest version of PCI DSS is V4.0, which includes 12 requirements. To understand these 12 requirements and the costs of PCI compliance and non-compliance, read onward.
What Is PCI DSS?
Since its introduction in 2004, PCI DSS has evolved into a globally accepted security standard. Any business entity that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD) must comply with PCI DSS standards. Covered businesses include:
- Payment processors
- Card issuers
- Other service providers
Businesses that could affect the security of the cardholder data environment (CDE) must also comply with the PCI DSS.
As defined by PCI DSS, cardholder data includes:
- Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code
Sensitive authentication data includes:
- Full track data (magnetic-stripe data or equivalent on a chip)
- Card verification code
- PINs and PIN blocks
The latest version of the standard (V4.0) was released in 2022. PCI DSS v3.2.1 will remain valid until March 31, 2024, when it will be retired. Until that retirement date, either PCI DSS version 3.2.1 or 4.0 can be used for assessments.
What Is PCI Compliance?
PCI-compliant organizations are those that have successfully implemented the necessary technical and operational safeguards mandated by the standard’s 12 requirements. These safeguards enable businesses to secure CHD from hackers and earn customers’ trust and loyalty.
PCI DSS compliance is divided into four levels, based on the number of card transactions a business processes every year. That level determines what steps the company must undertake to achieve and maintain PCI DSS compliance.
|PCI DSS Level||# of Transactions / Year||Action for Business|
|1||6 million or more||
|2||1 million to 6 million||
|3||20,000 – 1 million||
|4||Less than 20,000||
6 Principles of PCI DSS
The six major principles of the PCI DSS help to create a robust security environment for businesses that process card transactions. These principles are:
- Build and maintain a secure network to prevent the unauthorized use of CHD.
- Protect CHD whether that data is stored locally or transmitted to a remote server or service provider.
- Maintain a vulnerability management program with appropriate security procedures, policies, internal controls, and penetration testing.
- Implement strong access control measures on a business need-to-know basis.
- Regularly monitor and test physical and wireless networks to find and fix exploitable vulnerabilities.
- Maintain a strong information security policy and inform employees about their responsibilities to protect CHD.
The standard then has 12 requirements for PCI DSS compliance, which collectively align with the above six principles.
The 12 Requirements of PCI DSS
The 12 requirements under PCI DSS v4.0 are described below.
Install and maintain network security controls
All merchants must maintain a secure network through network security controls (NSCs), such as physical or virtual firewalls, routers, strong access control measures for the cloud, and so forth. The NSCs must control network traffic between logical or physical network segments (or subnets) based on predefined policies or rules. The goal is to protect the cardholder data environment (CDE) – considered a sensitive area within a business entity’s network under PCI DSS.
Apply secure configurations to all system components
PCI DSS v4.0 adds new requirements for roles and responsibilities regarding secure configurations for wireless networks. By applying these configurations to system components, businesses can reduce the potential attack surface and decrease the probability of system compromise by a threat actor.
Examples of such configurations include:
- Configure firewalls properly
- Change default passwords and other vendor default settings
- Remove unnecessary software, functions, and accounts
- Disable or remove unnecessary services
Protect stored account data (SAD)
Businesses must implement protection methods such as encryption, truncation, masking, and hashing to protect SAD.
They should also minimize risk by:
- Not storing SAD unless necessary
- Truncating cardholder data if full PAN is not required
- Not sending unprotected PANs using end-user messaging technologies such as email or instant messaging
SAD encryption is not required if the data is in non-persistent or volatile memory like RAM. SAD should, however, be removed from the volatile memory once the business purpose is complete. Also, if SAD storage becomes persistent, all PCI DSS requirements will apply, including encryption.
Protect cardholder data with strong cryptography during transmission over open, public networks
Requirement 4 focuses on “strong cryptography” to protect the transmission of cardholder data and maintain its confidentiality, integrity, and non-repudiation. To avoid data compromise, all PAN transmissions must be encrypted by:
- Encrypting the data before it is transmitted
- Encrypting the session over which the data is transmitted
Further, the business must evaluate its network security parameters against applicable PCI DSS requirements if the network stores, processes, or transmits CHD.
Protect all systems and networks from malicious software
PCI DSS v4.0 replaces “anti-virus software” with “anti-malware software” to incorporate a broader range of security technologies to protect systems and networks. Under this requirement, entities must implement anti-malware solutions to secure their systems from current and evolving malware threats, including:
- Malicious code, scripts, links
Develop and maintain secure systems and software
Businesses must apply software patches to all system components to prevent the exploitation and compromise of account data by malicious individuals or malware. This requirement applies to all system components, except for section 6.2, which applies only to bespoke and custom software used on any system component. For bespoke software, PCI DSS mandates the application of software lifecycle (SLC) processes and secure coding techniques.
All code repositories that store application code, system configurations, or other configuration data that can affect the security of account data or the CDE are in scope for PCI DSS assessments.
Restrict access to system components and cardholder data by business need to know
This requirement specifies the controls businesses must implement to assure that critical data can be accessed only by authorized personnel. To this end, businesses must deploy systems and processes to limit access based on need-to-know and job responsibilities and prevent unauthorized access.
Identify users and authenticate access to system components
Requirement 8 specifies the processes required to identify users and authenticate their access to system components. Proper identification is essential to assure accountability and traceability for actions performed by that identity.
Both a unique ID and authentication factors must be in place to assure that an authorized user can access the rights and privileges assigned to him or her. These requirements apply to all accounts on all system components, including POS accounts, accounts with admin access, and system and application accounts.
Restrict physical access to cardholder data
Merchants and other businesses must restrict physical access to any systems that store, process, or transmit CHD. The goal is to prevent individuals from accessing or removing systems or hard copies containing CHD, resulting in a breach or loss of cardholder privacy.
Log and monitor all access to system components and cardholder data
Requirement 10 focuses on audit logs, system components, and CHD. Logs and user activity tracking in the CDE and on system components will create audit trails and allow tracking, alerting, and analysis in case of a system compromise. This requirement applies to all user activities, including those by employees, contractors, consultants, and internal and external vendors.
Test system and network security regularly
Under this requirement, businesses must regularly test all system components, processes, and bespoke and custom software to confirm that controls can adequately deal with the changing threat landscape.
Support information security (IS) with organizational policies and programs
Per this requirement, all businesses must implement an information security policy that informs personnel about the sensitivity of payment card data and their responsibilities for protecting it.
The Costs of PCI Compliance and Non-Compliance
Card processors typically pass on their PCI compliance and non-compliance fees to merchants. These fees vary by provider since there are no industry standards governing the minimum or maximum a business must pay to maintain PCI compliance.
Many providers impose annual PCI compliance charges of around $120. These fees compensate the provider for the services they provide to help a merchant achieve PCI compliance. These services include:
- Data security scans conducted by an ASV
- Customer support and education
- Cyber liability or data breach insurance
Paying the PCI fees does not mean that the provider will maintain the merchant’s PCI DSS compliance or that the merchant doesn’t have to do anything to maintain compliance. If anything, the merchant must complete the annual SAQ and satisfy other applicable requirements to remain compliant.
Businesses that fail to provide proof of PCI DSS compliance may have to pay a non-compliance penalty of $20 to $30 per month to the card processor. The penalty is imposed for not meeting the requirements in the contract between the merchant and the processor. In severe cases, the provider may also terminate the merchant’s account if the merchant can’t achieve compliance within a required timeframe.
Legal Enforceability of PCI DSS
PCI DSS is not enforced by any government. Rather, the PCI SSC designs its rules and drives adoption to assure safe payments worldwide. The PCI SSC does not have any legal authority to compel compliance. Nonetheless, the standard is a mandatory requirement for any business that accepts or processes credit or debit cards, regardless of its business type or location.
Put simply: if you want to process credit card transactions, you must do it on the PCI SSC’s terms.
7-Step Process to Achieve PCI Compliance
The focus of PCI DSS is to protect CHD and an organization’s CDE from fraud and breaches. The Payment Card Industry Data Security Standard: Requirements and Testing Procedures is the official document that specifies the controls and processes merchants must implement to achieve PCI compliance.
If your organization is aiming for PCI compliance, this step-by-step process will be useful:
- Determine PCI level. Compliance requirements depend on the number of transactions, so you should first determine how many transactions you process annually.
- Map CHD flows. Find out where CHD moves through your applications, systems, and people.
- Fill out the SAQ. Your SAQ will be used to validate if your business meets all 12 requirements and is therefore PCI compliant.
- Fill out the Attestation of Compliance (AOC). This document ensures that you have completed every step to achieve PCI compliance.
- Conduct a vulnerability scan. Based on SAQ results, you can either do the scan yourself or hire an ASV.
- Complete and submit documents. Submit the SAQ, AOC, and ASV reports to the credit card brands you support (or will support).
- Monitor. Monitor compliance regularly and hire a security team to respond to vulnerabilities and threats.
Click here to access a more detailed PCI compliance checklist
Meet the 12 Requirements of PCI DSS with Reciprocity ZenComply
PCI DSS compliance can feel overwhelming for experienced compliance teams, and even more so for teams that rely on manual processes, spreadsheets, and email communication. Reciprocity ZenComply brings a faster, easier, and smarter path to PCI DSS compliance.
ZenComply is an advanced compliance and audit management solution that will give you a unified, real-time view of risk and compliance. It will also accelerate onboarding and give you the insights you need to improve risk assessments and keep your organization secure.