Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a paramount priority for any company that processes credit card data. Why? Because while e-commerce and digital point-of-sale systems have been incredible innovations for both vendors and consumers, the potential for security breaches and data theft is high.
So it’s crucial for your company to understand the PCI DSS, determine which requirements apply to your organization, and then both prove and maintain your compliance. Following the requirements published by the PCI Security Standards Council (PCI SSC) protects your company from fines and liability after a breach, and ensures that you can keep accepting card payments in the future.
Familiarize Yourself With The PCI DSS
The PCI SSC was formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover, and JCB) to reduce the threat of security breaches affecting cardholder data (CHD). The first version of PCI DSS had already been released by the brands in December 2004; the council took over the standard and has since maintained it as the baseline set of requirements for merchants and service providers that handle CHD. The standard is not itself a law, but the card brands and acquiring banks require it contractually, so non-compliance can result in fines from your acquirer and, ultimately, the loss of your ability to accept card payments.
Over the years the standard has been updated and expanded to address changes in both payment processing and attacker techniques. Version 4.0, which incorporated an unprecedented volume of feedback from companies that process card transactions, was published in March 2022. The previous version, 3.2.1, remained valid during a transition period that ended on 31 March 2024, and a number of v4.0 requirements were designated as future-dated and become mandatory on 31 March 2025. Confirm which version your next assessment falls under before you begin.
Determine Which Requirements Apply To Your Company
PCI compliance is not an overnight process, and navigating the requirements can be an intimidating task. The first step is to understand the 12 principal requirements (paraphrased from the v3.2.1 headings; v4.0 rewords several of them but keeps the same twelve goals):
- Install and maintain a firewall configuration that protects cardholder data.
- Never rely on vendor-supplied defaults for passwords or other security parameters; change them before a system goes into production.
- Protect stored cardholder data (and never store sensitive authentication data such as full track data, CVV2, or PIN blocks after authorization).
- Encrypt cardholder data whenever it is transmitted across open, public networks.
- Deploy anti-malware software on systems commonly affected by malware and keep it updated.
- Develop and maintain secure systems and applications, including timely patching.
- Restrict access to cardholder data to personnel with a business need to know.
- Give each person with computer access a unique ID, and authenticate that access.
- Restrict physical access to cardholder data and the systems that hold it.
- Track and monitor all access to network resources and cardholder data, not just access by staff.
- Test security systems and processes regularly.
- Maintain a policy that addresses information security for all personnel.
Within these 12 requirements are more than 250 sub-requirements in v3.2.1 (the count grows in v4.0), but not all of them will apply to every business. Which controls apply depends on how your organization stores, processes, or transmits CHD and on the scope of your cardholder data environment, not on your size. Your transaction volume does, however, determine how you must validate compliance. Each card brand defines “merchant levels” by the number of transactions you process with that brand in a year; Visa’s thresholds, which the other brands broadly mirror, are:
- Level 1 merchants process more than 6 million Visa transactions per year, across any channel.
- Level 2 merchants process 1 million to 6 million Visa transactions per year.
- Level 3 merchants process 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4 merchants process fewer than 20,000 Visa e-commerce transactions per year, or up to 1 million transactions in total through other channels.
Higher-level merchants face a heavier validation burden (an on-site assessment rather than a self-assessment) and, with a larger attack surface, usually a wider scope. Whatever your level, concentrating on the requirements that actually apply to your environment keeps the process manageable.
Identify Your Scope And Examine Existing Controls
Once you’ve pinpointed the portions of the PCI DSS that apply to your organization, you can focus on the areas of your company that need improvement to achieve compliance. Your scope is the cardholder data environment (CDE): the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system that is connected to the CDE or can affect its security (for example a jump host, a log collector, or an application that queries a card database). Reducing that scope, by segmenting the CDE from the rest of the network, tokenizing stored card numbers, or handing the payment page off to a PCI-validated provider, shrinks the set of systems you must assess and closes off paths an attacker could use to reach CHD. Mapping the scope also tends to expose undocumented data flows and weak points, so do it before you start remediating.
You should also review the testing already in place for your network. Do your tests actually exercise the controls that would stop a breach? Should they run more often? Is the test documentation current? Minimizing your scope and streamlining the control process will make compliance much more manageable.
Merchants with internet-facing systems in scope must also have external vulnerability scans performed at least quarterly by an Approved Scanning Vendor (ASV), a scanning company certified by the PCI SSC. The ASV scans the internet-facing IP addresses and domains within your CDE and rates findings by CVSS; a scan passes only if no vulnerability with a CVSS base score of 4.0 or higher remains. Internal vulnerability scans are also required quarterly, but those may be performed by your own qualified staff.
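The "connected-to" rule above is what usually surprises teams: a system that never sees a card number is still in scope if it has a network path to the CDE. The following Python is an added example, not part of the original article or any PCI SSC tooling, showing how to apply that rule to an asset inventory and how a single segmentation change moves a system out of scope. The host names, CHD roles, and allowed flows are constructed for illustration.

```python
"""Added example: a small PCI DSS scoping helper (not part of the article).

Scoping rule applied here:
  * systems that store, process or transmit cardholder data (CHD) form the
    cardholder data environment (CDE);
  * any other system with network connectivity to the CDE, in either
    direction, is a "connected-to" system and is also in scope;
  * everything else is out of scope, provided segmentation really blocks
    the path (the firewall/VLAN rules are what you hand the assessor).
"""
from collections import deque

# Constructed inventory: host -> set of CHD roles (empty set = handles no CHD).
INVENTORY = {
    "pos-terminal-01": {"transmits"},
    "payment-gateway": {"processes", "transmits"},
    "card-vault-db": {"stores"},
    "web-storefront": set(),
    "crm-app": set(),
    "hr-portal": set(),
    "corp-file-share": set(),
}

# Constructed allowed network flows (source, destination) as permitted by the
# current firewall rules. Connectivity in either direction pulls a host into
# scope, so the helper treats these edges as undirected.
FLOWS = [
    ("pos-terminal-01", "payment-gateway"),
    ("payment-gateway", "card-vault-db"),
    ("web-storefront", "payment-gateway"),
    ("crm-app", "card-vault-db"),      # CRM reads the vault directly
    ("hr-portal", "corp-file-share"),  # isolated from the CDE
]


def cde_systems(inventory):
    """Hosts that store, process or transmit CHD: the CDE itself."""
    return {host for host, roles in inventory.items() if roles}


def in_scope_systems(inventory, flows):
    """CDE plus every host reachable from it over the allowed flows."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
        adjacency.setdefault(dst, set()).add(src)
    cde = cde_systems(inventory)
    scope = set(cde)
    queue = deque(cde)
    while queue:                      # breadth-first walk outward from the CDE
        host = queue.popleft()
        for neighbour in adjacency.get(host, ()):
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def scope_report(inventory, flows):
    """Split the inventory into CDE, connected-to, and out-of-scope hosts."""
    cde = cde_systems(inventory)
    scope = in_scope_systems(inventory, flows)
    return {
        "cde": sorted(cde),
        "connected_to": sorted(scope - cde),
        "out_of_scope": sorted(set(inventory) - scope),
    }


def segment(flows, blocked):
    """Return the flows that remain after a firewall change blocks `blocked`."""
    return [flow for flow in flows if flow not in set(blocked)]


if __name__ == "__main__":
    print("Current scope:", scope_report(INVENTORY, FLOWS))
    # Replace the CRM's direct vault access with a token-only integration that
    # needs no path into the CDE, and the CRM drops out of scope.
    after = segment(FLOWS, [("crm-app", "card-vault-db")])
    print("After segmentation:", scope_report(INVENTORY, after))
```

In the constructed inventory the storefront and the CRM are both in scope even though neither stores a card number, because each has a path into the CDE; blocking the CRM's direct database access is enough to remove it. In practice you would feed this from your firewall rule export and asset inventory rather than hand-written lists, and keep the resulting scope diagram with your assessment evidence.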
Complete an Audit or SAQ
Depending on your company’s merchant level, you will either undergo an on-site assessment by a Qualified Security Assessor (QSA) or complete a Self-Assessment Questionnaire (SAQ) to validate compliance.
Level 1 merchants must undergo an annual on-site assessment by a QSA (or, where the merchant has a certified Internal Security Assessor, an ISA). During the assessment, the QSA will examine and test every part of your card processing environment: point-of-sale systems, wireless networks, applications, data storage, and anything else that comes into contact with cardholder data. The QSA must also confirm that your documentation is accurate and that your security controls work as intended. If your company is found compliant, the QSA produces a Report on Compliance (ROC) and an Attestation of Compliance (AOC), which you submit to your acquiring bank.
Smaller merchants complete a Self-Assessment Questionnaire instead. The questions are drawn from the same requirements, so the assessment is no less rigorous, but, as the name implies, no assessor is required. PCI DSS defines eight merchant SAQs (A, A-EP, B, B-IP, C, C-VT, P2PE, and D), plus a separate SAQ D for service providers. Which SAQ you complete depends on how you accept and process CHD and the equipment you use to do so: SAQ A, for example, covers merchants that outsource all card processing to validated third parties and never touch CHD themselves, while SAQ D covers any merchant that does not fit one of the narrower questionnaires.
Each SAQ consists of yes/no questions mapped to the PCI DSS requirements that apply to your processing model, together with an Attestation of Compliance (AOC) that you sign and file with your acquiring bank.
Maintain Compliance Over Time
PCI DSS compliance is an ongoing process, not an annual event. As technology evolves, so do the tools used to process cardholder data and the tools used by those who would steal it. Build compliance into your day-to-day security procedures: create a company culture in which staff are aware of the standard and the security protocols that implement it, and assign clear ownership for data security. Between assessments, keep controls running rather than rebuilding them at audit time: review firewall rules when the network changes, patch in-scope systems promptly, test your controls frequently, follow developments in payment-card fraud and malware, and keep your documentation current so that the next assessment reflects how the environment actually operates.