The Payment Card Industry Data Security Standard (PCI DSS) was established by major credit card brands to define security standards that banks and retailers must use to protect the personally identifiable information (PII) of credit card users.
The PCI DSS standard says that cardholder data (CHD) must be stored, transmitted, and processed in a secure environment to protect the data from breaches. Such data includes the primary account number, the cardholder’s name, credit card expiration date, service code, and other pieces of information.
What Is Required for PCI Compliance?
PCI compliance requires a merchant that processes credit card transactions to establish an information security policy, which must ensure that card-sensitive data is stored on a secure network separate from public networks. Non-compliance with PCI DSS can bring considerable monetary fines and other penalties, all the way up to a company losing its right to process credit card transactions.
The PCI DSS standard is organized as a set of 12 basic principles, which break down into 78 more specific standards and 281 more precise controls. Not every business needs to implement all 281 controls, but every business does need to follow the 12 basic principles and then implement those controls that make sense for its operations.
Some of the 12 PCI compliance principles include:
- Install firewalls to safeguard data.
- Use suitable password security, such as two-factor authentication.
- Use antivirus and anti-malware software, regularly update software, and maintain security systems to safeguard cardholder data.
- Limit who may access cardholder info and card transactions.
- Give unique identifiers to those with data access.
- Limit physical access to storage of data.
- Make and keep track of access logs.
- Conduct frequent tests of security mechanisms.
- Maintain a written security policy that everyone must follow.
How Does PCI Compliance Happen?
To achieve PCI DSS compliance, a merchant should first determine which level of compliance it needs to achieve. PCI DSS has four levels, determined by the volume of credit card transactions you process annually, and the level you must achieve then determines how many PCI controls and processes you must have in place.
- Level 1: more than 6 million transactions
- Level 2: 1 million to 6 million transactions
- Level 3: 20,000 to 1 million transactions
- Level 4: fewer than 20,000 transactions
Merchants in the Level 1 category must have their PCI compliance program reviewed annually by an independent “Qualified Security Auditor” (QSA). Merchants in the lower levels can perform this review themselves using a Self-Assessment Questionnaire (SAQ). The SAQ determines what information the merchant collects and where the merchant stores, transmits, and processes that data.
A PCI Self-Assessment Questionnaire must be completed as part of your yearly compliance procedures. While completing your SAQ, you must respond to several yes-or-no questions on each PCI DSS requirement. If you answer “no” to a question, you could be required to elaborate on your reasoning or on the current state of your remediation efforts.
Next, the company creates a series of security parameters that establish access control measures. These measures can include security systems limiting physical access, firewall configurations, strong system passwords, antivirus software, and a vulnerability management program.
Once your SAQ and all remediation are complete, you must submit a “certificate of compliance” to the PCI Security Standards Council.
Compliance Management With Reciprocity ZenComply
PCI compliance is a long, complex journey; making that journey with spreadsheets and manual processes is a fool’s errand that will leave your efforts plagued with mistakes and inefficiency. Compliance officers need a better, automated way forward. ZenComply from Reciprocity is such a way.
Our state-of-the-art governance, risk, and compliance management system offers dashboards that show you how to close compliance gaps rapidly and update automatically. ZenComply also examines the security controls around your cardholder data environment (CDE) while doing internal audits as quickly and frequently as possible.
To find out more about how ZenComply could benefit your compliance management program, schedule a demo.