The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of rules and processes that are designed to protect cardholders’ sensitive data from data breaches and fraud. Basically, it tells merchants how to handle their customers’ credit card information safely and securely, so it doesn’t fall into the wrong hands.
The PCI DSS was first introduced in the USA in December 2004. The 5 major credit card companies that created the standard then formed the Payment Card Industry Security Standards Council (PCI SSC) as the governing body. The PCI SSC oversees the administration and further development of the PCI DSS.
The standard continues to evolve and is currently on version 4.0, released in March 2022.
Who does the PCI DSS apply to?
The PCI DSS applies globally to all entities that process, transmit or store cardholder data, no matter the size or number of transactions.
In layman’s terms, if you are an organization or company that handles credit or debit cards with the logos of at least one of the 5 member companies, the PCI DSS applies to you. Acquiring banks, online and offline merchants, and service providers all need to comply with PCI.
It isn’t, however, a one-size-fits-all situation. There are 4 levels of compliance that do indeed depend on the number of the transactions processed by a company.
Other criteria are taken into account, too, like if a business has experienced a data breach before or the manner in which they accept card payments (only offline vs. an online payment gateway).
Each card issuing company has its own table with exact criteria for each level, but in general, it looks like this:
- Level 1: More than 6 million transactions per year regardless of acceptance channel
- Level 2: Between 1 and 6 million transactions per year regardless of acceptance channel
- Level 3: 20,000 to 1 million e-commerce transactions per year
- Level 4: Less than 20,000 e-commerce transactions per year or up to 1 million transactions regardless of acceptance channel per year
Each level will have different requirements for PCI validation and reporting – the larger the business, the more burdensome the requirements.
The basics of complying with the PCI DSS
The PCI DSS is a comprehensive set of guidelines that are meant to protect credit card data from being leaked or stolen from a merchant or organization. There are 12 general requirements. We’ll talk about those below.
It’s important to realize that keeping up with the PCI DSS is a continuous effort, not a one-time hurdle. To maintain compliance, assessments and reports are submitted annually, and system scans are performed even more often.
The specific testing and validation procedures vary from level to level.
In general, all organizations subject to PCI DSS guidelines are required to complete an annual self-assessment. This will indicate how secure their card processing and storing practices are.
The assessment form can be as short as 9 pages and relatively easy to complete, or it can be an 80-page undertaking that requires third-party assistance. There are only ‘yes’ and ‘no’ questions on the forms, which may seem simple, but the technical and increasingly demanding nature of the questions can lead to uncertainty. Businesses are also required to address any ‘noes’ before submitting the form, which adds another level of difficulty.
Other PCI validation requirements might include providing proof of passing an approved vulnerability scan or completing an attestation of compliance.
What are the 12 requirements of the PCI DSS?
Even though complying with the PCI DSS can be quite a burden on a company, it is basically a list of (mandatory) best practices that aren’t too far-fetched. Each of the 12 requirements are then elaborated into 3 sections: definition, testing process and a purpose explanation.
The 12 requirements of PCI are, in brief:
- Install and maintain a firewall. A firewall is a prevention system that blocks incoming traffic from accessing private data in a business’s computer system.
Configure security settings and passwords. Every piece of hardware, such as routers or POS systems, comes with a factory-set password and settings. Always make sure to change these defaults.
Protect stored cardholder data. Encrypt stored data using industry-accepted algorithms. Regularly scan storage systems to reveal unencrypted data.
Protect cardholder data transmitted over open, public networks. Encryption has to be used to protect data traveling through open networks.
Use and regularly update antivirus software. All systems that can be affected by malware need to have up-to-date antivirus software installed on it.
Regularly update and patch security systems. Update software regularly and implement any patches as soon as they are released to prevent hacker access through a recently discovered vulnerability.
Restrict access to cardholder data to a need-to-know basis. Everyone within an organization who does not need access to cardholder data should not have access to it. Those who do need to be well documented.
Assign a unique ID to anyone with access to the system for accountability purposes. Each person with access to critical data systems must have their own ID and password and all instances of access must be logged.
Secure and restrict physical access to cardholder data. Data must be kept in a secure location, be it physical or digital, to prevent unauthorized access and removal of data or hardware.
Track and monitor all access to cardholder data through logging mechanisms. Keep and review logs of access to computer systems and all user activities relating to the access of data. Processes must be put in place to ensure a proper response to any anomalies.
Regularly test security of systems and conduct vulnerability scans. All systems and processes need to be regularly tested for vulnerability and penetration to uncover potential security issues.
Maintain an information security policy. Document company security policies, plans and procedures. Maintain documentation with an inventory of software, hardware, personnel access information and logs.
Risks of PCI DSS non-compliance
If a company is subject to PCI but isn’t compliant or violates the terms set out in their contract, they will face consequences. These can range from penalties imposed by credit card companies to natural consequences.
What are some of the risks of PCI non-compliance?
- PCI non-compliance fee
A company can be charged a “PCI non-compliance fee” of hundreds of thousands of USD per month depending on the size of the business. No matter how you look at it, this fee is a recurring fine. It will be charged every month until the business complies with the PCI standards.
- Suffering a data breach
Naturally, if you’re not complying with the PCI standards, you increase your company’s risk of data breach. Even though the PCI requirements don’t guarantee that a business’s cardholder data will remain safe from attacks, they do significantly lower the chance of a successful breach.
- Forensic audit
A forensic audit will need be carried out at the expense of the company that was compromised in order to assess the cause of the data breach.
- Additional costs following a breach
If customer credit card data does get compromised, the company will incur additional costs such as compensating customers, liability costs or fines per each cardholder’s data that has been stolen or endangered and possible increased rates charged by banks or credit card companies after the breach.
It is not unheard of for a lawsuit to follow a security breach, in which case the costs could multiply quickly.
- Brand damage
Any company that loses or endangers cardholder data will suffer in their customers’ eyes. The inevitable damage to a brand can make earning back customers’ trust an impossible task. Many businesses have gone out of business following a data breach.
Examples of PCI DSS violations
Ignoring the technically more complicated requirements of the PCI DSS is an obvious example of breaking compliance. But there are instances where a violation is purely unintentional. Here are some examples:
- Storing credit card information on unencrypted storage or endpoints
- Allowing anyone in the organization to access credit card data
- Losing track of where the credit card data is and moves within the organization
- Sending cardholder information by email within the company.
- Not requiring employees to log on to the system with a unique ID and password.
- Only securing data after business hours mistakenly thinking this is when most hack attempts happen.
A lot of times, the lack of understanding of or attention to the PCI guidelines is all it takes to not implement the processes correctly, or in some cases at all.
Making sure a company’s personnel is properly trained on PCI DSS is an important part of the process as well.
Is the PCI mandated by law?
No. The governing and administering entity for the PCI DSS is the PCI SSC. Requirements of the PCI DSS are enforced based on contracts between a business and its bank and credit card company.
Some states in the USA have incorporated the PCI DSS into their state laws, mostly in the sense that companies that are PCI DSS compliant are shielded from liabilities in the case of a data breach.
In Europe, the PCI DSS is a widely-used standard that has been promoted more and more in recent years. Just like in the US, the PCI is not mandated by law.
How Safetica helps with PCI DSS compliance
- Sets Company Security Policies
PCI requires you to create and implement well-defined, aligned, and up-to-date information security policies to secure sensitive cardholder data. With Safetica you can monitor user operations across the entire organization, and have an overview of how personal information is processed. Safetica can enforce security policies to make sure that personal information is always protected.
- Encrypts and protects cardholder information
Business owners who store cardholder information are obligated to protect and encrypt it. Safetica automatically classifies PHI data and enforces related security policies and manages storage encryption across the entire organization.
- Overview of your sensitive data
It is crucial to know where your sensitive cardholder and other data are stored and how your employees process such data. Safetica provides an overview of the information flows and sensitive data storage.
- Notifies you in case of data leakage
To minimize the impact of data leakage, you need to be informed immediately. Safetica offers a real-time alert system that makes sure that you can take follow-up actions right away.