The beginner's guide to PCI DSS compliance
How PCI DSS started
In 2006, five major credit card companies formed a PCI organization. Part of its organizational structure was a Security Standards Council (SSC). Their responsibility was to create standards to secure electronic card payments.
Today, the council publishes standards for merchants, software application providers, card issuers, and service providers. PCI DSS applies to anyone accepting electronic card payments, including retailers, nonprofit organizations, and ecommerce merchants. PCI DSS compliance requires merchants to ensure that their providers follow PCI dat
Why is PCI DSS important?
Cybercrime is a big business. Hackers are no longer individuals hiding in basements; they are organized syndicates offering their skills to the highest bidder. Cybercrime will cost businesses $6 trillion by 2025. To put that number into perspective, if cybercrime were a country it would have the third largest economy in the world measured by Gross Domestic Product (GDP); only China and the U.S. have a larger GDP.
For acquirers of card payments, those statistics translate into a cyberattack every 11 seconds. With that frequency, it's only a matter of time before a business becomes a target. If an attack turns into a successful data breach, the consequences can be catastrophic.
What are the costs for non-compliance?
Mastercard, VISA, Discover Financial Services, American Express, and JCB International make up the PCI organization. These credit card companies assess fines and penalties. They do not publish amounts except to indicate that they range from $5,000 to $100,000 per month until the company becomes compliant. Although financial consequences can be significant, the IBM report found that non-compliance was the primary factor in increasing data breach costs.
Larger corporations may have resources to counter the costs of a data breach, but the costs can be catastrophic for smaller businesses. The consequences are so severe that 60% of SMBs fail within six months of a data breach.
Understanding the requirements
The Self-Assessment Questionnaire (SAQ) corresponds to the 12 PCI DSS requirements published by the PCI SSC. An overview of the requirements follows.
Requirement 1: Secure the network
Portable devices that access an internal network from the internet should have personal firewalls. To prevent possible compromise, remote users should not have permission to alter firewall settings.
Merchants must document all policies and procedures regarding firewall management.
Requirement 2: Replace default passwords and security settings
To ensure compliance, merchants should maintain an inventory of all system components that store or process card transactions. As with Requirement 1, merchants must document the policies and procedures for managing vendor defaults.
Requirement 3: Protect stored cardholder data
Businesses should never store authentication data. If the primary account number (PAN, or card number) is stored, it must be rendered unreadable, and the PAN must be masked whenever it is displayed or printed.
Companies accepting card payments receive encryption keys. These keys are a series of randomly generated values used to send and receive credit card data during transaction authorization.
Documented key management processes are essential to data security because anyone with access to encryption keys can access sensitive data.
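As an added illustration of Requirement 3 (this is not code from the original page or from Heartland), the following Python masks a PAN for display and derives a keyed one-way hash so the full number never needs to be stored in readable form. The sample PAN is a constructed test value and the hash key is an assumed placeholder; in practice the key would come from the documented key-management process, never from source code.

```python
import hashlib
import hmac
import re

# Constructed sample PAN for the walk-through (a test number, not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"

# Assumed placeholder key: in production this is supplied by the
# key-management process described above, not hard-coded.
ASSUMED_HASH_KEY = b"demo-only-key-replace-via-key-management"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(pan: str) -> str:
    """Strip separators and refuse anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Mask for display or print: this example keeps only the last four digits."""
    digits = _normalise(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_fingerprint(pan: str, key: bytes = ASSUMED_HASH_KEY) -> str:
    """Keyed one-way hash of the full PAN, usable for lookup without storing the PAN."""
    digits = _normalise(pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
```

Which leading digits, if any, may remain visible in the mask depends on the business need documented for each display.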
Requirement 4: Encrypt transmitted cardholder data
No one should send an unencrypted PAN using messaging technologies. PANs sent unencrypted or in the clear can be compromised, enabling hackers to steal cardholder information. Again, documentation of security policies and procedures is the merchant's responsibility.
Requirement 5: Update antivirus software or programs
Merchants must have security controls in place to ensure that antivirus solutions are operational and cannot be disabled without management approval. Documenting all processes is the merchant's responsibility.
Requirement 6: Develop and maintain secure systems
The PCI SSC has requirements for software development practices. Many businesses may incorrectly assume that these do not apply to them; however, ecommerce sites are web applications. If a merchant has a website that accepts credit card payments, parts of the website may fall under this requirement.
Merchants with public-facing web applications must schedule vulnerability assessments and testing at least once a year. The assessments and testing help identify new cybersecurity threats for mitigation. Merchants should document their security policies for developing and maintaining applications or ensure that the third-party developers provide the equivalent documentation.
Merchants must use SAQs every year to evaluate their security risk. These PCI-generated assessments highlight weaknesses that require improvement.
Requirement 7: Restrict access to cardholder data
Inventorying system components according to Requirement 2 enables merchants to identify where on the network critical information is stored and restrict access based on a business need-to-know policy.
Requirement 8: Assign unique identifiers
- One user account per person, including third-party vendors who may access the system
- Remove accounts that are inactive for 90 days
- Log off users if inactive for more than 15 minutes
- Lock accounts after six failed login attempts and maintain the lock for at least 30 minutes
The latest standards (4.0) provide more guidance regarding multi-factor authentication (MFA) for administrative access. All documented policies regarding passwords, MFA, and user authentication are the merchant's responsibility.
Databases contain the most crucial cardholder data, and only administrators should have direct access. All other interactions between users and databases should be through programs.
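The account-policy thresholds listed under Requirement 8 (six failed attempts, a 30-minute lock, a 15-minute idle timeout, removal after 90 days of inactivity) as an added Python example; this is not code from the original page or from Heartland, and the reference time `T0` and the accounts are constructed for the walk-through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds as summarised in Requirement 8 above.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_REMOVAL = timedelta(days=90)
T0 = datetime(2024, 1, 1, 12, 0)   # constructed reference time (not real data)

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)   # clock reading relative to T0

@dataclass
class Account:
    user_id: str                      # one account per person, never shared
    last_activity: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until

def record_failed_login(acct: Account, now: datetime) -> bool:
    """Count a failed attempt; return True if the account is now locked."""
    if is_locked(acct, now):
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION  # hold the lock for 30 minutes
        acct.failed_attempts = 0
        return True
    return False

def record_successful_login(acct: Account, now: datetime) -> bool:
    """Correct credentials are still refused while the lock is active."""
    if is_locked(acct, now):
        return False
    acct.failed_attempts, acct.locked_until, acct.last_activity = 0, None, now
    return True

def session_expired(acct: Account, now: datetime) -> bool:
    """True once a session has been idle for more than 15 minutes."""
    return now - acct.last_activity > IDLE_TIMEOUT

def accounts_to_remove(accounts: List[Account], now: datetime) -> List[str]:
    """User ids with no activity for 90 days or more, due for removal."""
    return [a.user_id for a in accounts if now - a.last_activity >= INACTIVE_REMOVAL]
```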
Requirement 9: Restrict physical access to cardholder data
The mandate requires video cameras and electronic monitoring of entrances to and exits from physical locations that store data. The recordings must be kept for at least 90 days.
Acquirers must distinguish between staff and visitors and document policies on monitoring movements related to the data environment.
When removing or deleting card or transaction data, merchants must render the media unreadable. The standards provide specific recommendations on protecting sensitive data.
Requirement 10: Track and monitor the network
Requirement 11: Regularly test security systems
- Detect and identify authorized wireless access points, and remove all unauthorized usage
- Conduct internal and external vulnerability scans each quarter or after significant changes to the network's infrastructure
- Perform penetration testing that conforms to published standards such as NIST SP 800-115
- Monitor all traffic to detect and prevent intrusions, especially at the perimeter where sensitive data first enters the network
- Create a change detection methodology that alerts personnel to unauthorized changes to the network
Requirement 12: Maintain an information security policy
- Use of policies for critical technologies
- Definition of information security responsibilities
- Security awareness program for all personnel
Determining Your Compliance Level
Getting Started with PCI DSS
PCI DSS Checklist
- Set up a firewall.
- Replace vendor default passwords and settings.
- Establish a PCI-compliant process for collecting, managing, and disposing of sensitive data.
- Document strong security measures for card number encryption, masking, and key management.
- Ensure that encryption keys or protocols are used over private and public networks when sending transaction authorization requests.
- Install antivirus software on all hardware and software.
- Deploy only PCI-certified hardware and software.
- Ensure developers follow PCI requirements.
- Install all software updates or patches within 30 days of release.
- Limit access to sensitive data.
- Consider implementing a least privilege permissions model to reduce the chance of accidental internal compromises.
- Assign unique user identifiers.
- Revise authentication practices to include MFA.
- Control physical access to locations storing cardholder data.
- Install surveillance equipment.
- Create policies that distinguish personnel from visitors.
- Delineate how to destroy physical devices, including flash drives.
- Set up system-wide network monitoring that ties devices to users and provides an audit trail for review.
- Assess the security logs regularly to identify suspicious activities and maintain strong access control measures.
- Identify PCI-approved companies that can perform vulnerability and penetration testing.
- Find an approved scanning vendor (ASV) to test all public-facing IP addresses or ranges.
- Designate individuals responsible for creating and maintaining information security policies.
Self-Assessment Questionnaire
- SAQ A is for merchants that outsource all processing of card-not-present transactions, such as ecommerce and telephone or mail orders, to a PCI DSS-validated third party.
- SAQ A-EP is for ecommerce merchants that outsource all payment processing to a PCI-validated third party and do not store cardholder data. However, the merchant's operational model may impact transaction security.
- SAQ B is for merchants with imprint, stand-alone, or dial terminals that do not use electronic data storage.
- SAQ B-IP applies to merchants using approved standalone payment terminals that connect to a payment processor without storing cardholder data.
- SAQ C applies to merchants with payment application systems using an internet connection without electronic storage of sensitive data.
- SAQ C-VT is for merchants that enter transactions via a virtual terminal from a PCI-validated third party.
- SAQ P2PE-HW applies to merchants using PCI SSC-listed P2PE solutions with certified hardware and no electronic storage.
- SAQ D applies to all other merchants.
Attestation of compliance
Merchants submit an attestation of compliance (AOC) to their payment processor to indicate they comply with PCI DSS. They may request an AOC from providers to ensure they are also in compliance. The AOC form is included in the SAQ documents on the PCI website.
PCI DSS Audits and Certifications
A PCI DSS certification documents that an organization was PCI compliant for the certified period. To achieve certification, businesses work with qualified auditors who verify that the standards are being met. Depending on the business size and transaction volume, the audit process can take months. Level 1 businesses must perform internal audits.
Ready to upgrade your payment processing and make sure that your business is following PCI DSS compliance?
Heartland helps nearly 1,000,000 entrepreneurs make and move money, manage employees, and engage customers with human-centered technology solutions that allow them to rise above the daily grind and lead their businesses into a brighter future. Learn more at heartland.us.