If you are a company that processes debit or credit card payments online or in person, you may have heard of “PCI DSS” or the “PCI SSC.” These terms are related to security controls for sensitive data – specifically, the controls a retailer or payments processor should have to ward off cybersecurity threats and keep payment card data protected.
But what exactly is PCI DSS? What are the security requirements of PCI? How can you know whether you must comply with these information security standards?
What Does PCI DSS Refer to?
The Payment Card Industry Data Security Standard (PCI DSS) was established by the PCI Security Standards Council (PCI SSC). The standard applies globally to any organization that stores, processes or transmits payment card information. Regardless of size, a business must be PCI DSS compliant to avoid fines and continue to accept payment cards for transactions.
The PCI Security Council’s members include financial institutions, credit card companies, and issuers such as American Express, Discover Financial Services, JCB International, Visa, and Mastercard. Cardholder Data (CHD) includes the Primary Account Number (PAN) and the cardholder’s name, credit card expiration date, or service code.
PCI also requires businesses that collect sensitive authentication data to be compliant. Sensitive authentication data generally includes card validation codes, tracking data from a magnetic stripe or card chip, PINs, PIN blocks, or any payment card data used to authenticate cardholders or authorize payment transactions.
Some businesses might be intimidated by the PCI data security standard, but the requirements are scaled based on an organization’s transaction volume and how the data is handled. The practical upshot: if you are a small business that doesn’t store card numbers and credit card data, PCI doesn’t have to be scary.
What is the Purpose of PCI DSS?
PCI DSS’s primary purpose is to protect and improve the security of sensitive cardholder data, such as credit card numbers, expiration dates, and security codes. The security rules in the standard assist organizations in reducing the risk of data breaches, fraud, and identity theft.
PCI DSS compliance also assures that organizations process, store, and transmit credit card data following industry best practices. As a result, PCI DSS compliance increases consumer and stakeholder confidence.
What Does PCI DSS Apply to?
PCI DSS requirements define the physical access, anti-virus software, security systems, public networks, and network segmentation controls necessary to maintain compliance. The PCI SSC established four PCI compliance levels, dependent on the number of card transactions a merchant handles each year.
For example, a Level 4 merchant has less than 1 million transactions annually and, therefore, only needs to perform a Self-Assessment Questionnaire (SAQ) each year.
In contrast, a Level 1 merchant processes more than 6 million transactions and must have an external audit and on-site evaluation by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor) in addition to the SAQ.
Any point-of-sale technology (including websites), line-busting technology, or WLAN used to store, process, or transmit cardholder data falls under PCI requirements.
If a business outsources the PCI DSS requirements to a third party, the merchant must ensure that the third party meets PCI standards and consistently complies with the standard.
Likewise, e-commerce merchants must use PCI-validated third parties when they choose to outsource payment processing. Additionally, these merchants must ensure that no electronic storage, processing, or transmission of cardholder data remains on their systems or premises.
There are eight versions of the SAQ questionnaire. Merchants choose which questionnaire to complete based on how they process card transactions. For instance, merchants that use imprint machines have a different questionnaire from e-commerce merchants.
The most straightforward SAQ questionnaire is only 22 questions; it applies to e-commerce merchants that fully outsource card processing.
Of course, the merchants need to ensure that they are working with a PCI-compliant third party, and the third party will be subject to a more extensive questionnaire.
The most detailed questionnaire comprises 329 questions and requires a vulnerability scan and penetration testing evidence.
It applies to e-commerce merchants that store card data electronically and to service providers. Service providers are the third parties that process, store, or transmit cardholder data on behalf of another entity.
Did PCI DSS Become Mandatory?
Whether you are a start-up or a big organization, the Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those who handle cardholder data.
Your company must constantly be compliant, and compliance must be confirmed annually. Credit card businesses often require it, as in credit card network agreements.
What Type of Data Does PCI DSS Protect?
The PCI DSS safeguards two types of data: cardholder information and sensitive authentication data. Cardholder data includes details involving primary account numbers, cardholder names, card expiration dates, and service codes.
Meanwhile, sensitive authentication data comprises complete track data (magnetic-stripe data or its chip counterpart), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID).
What Are the Three Main Steps of PCI Compliance?
Although PCI DSS compliance may seem overwhelming, the requirements can be reduced to three core elements that guide a continuous process of data protection measures. To avoid non-compliance, it’s imperative to assess, remediate, and report constantly.
A risk assessment helps to identify the risks and vulnerabilities that may affect the cardholder data, either in its processing, transmission, or storage. It should describe the IT infrastructure related to this information and determine the flow of sensitive data from start to finish of the transaction process.
Remediation tries to resolve vulnerabilities and mitigate risks within the organization. This stage includes prioritizing risks and vulnerabilities, defining the patching process for software and Operating Systems (OS), modifying unsafe practices, deploying access control measures, and verifying the effectiveness of mitigation activities.
The reporting component consists of the annual SAQ and audit based on the merchant’s volume of transactions. Merchants that process more than 1 million transactions annually must also submit a Report on Compliance (ROC) to the banks that process their payments. Finally, all PCI-compliant businesses must complete the Attestation of Compliance.
ZenGRC Can Help With Your PCI DSS Compliance
Regardless of the compliance concerns you face, data and cybersecurity must be integrated into all company activities. Standards such as PCI DSS are not designed to burden organizations. Rather, they’re meant to help secure networks and web applications to protect us from hackers and the repercussions of a data breach.
Instead of using spreadsheets to manage your compliance requirements, adopt ZenGRC to streamline evidence and audit management for all your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is intuitive and straightforward.
ZenGRC is preloaded with various compliance frameworks and standards for quick implementation, including PCI, HIPAA, SOC, and so forth.
Compliance management has never been easier with One-to-many control mapping, which streamlines mapping internal controls to multiple standards so that you can manage PCI DSS compliance simultaneously with other frameworks.
ZenGRC also works as a single source of truth that assures your organization is always compliant and audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.
Contact us for a demo to see how ZenGRC can streamline compliance and vulnerability management.