
The beginner's guide to PCI DSS compliance

Wednesday, November 12, 2014
If your business accepts or plans to accept credit card payments, you've probably heard of the Payment Card Industry Data Security Standard (PCI DSS) and of the PCI Security Standards Council (PCI SSC) that publishes it. You've probably also heard how overwhelming it is to sort through hundreds of pages of documentation. That's why this beginner's guide exists: to help merchants navigate the process of becoming and remaining PCI compliant.
 

How PCI DSS started

In 2006, five major payment card brands formed the PCI Security Standards Council (PCI SSC). Its responsibility is to create and maintain the standards that secure electronic card payments.

Today, the council publishes standards for merchants, software application providers, card issuers, and service providers. PCI DSS applies to anyone accepting electronic card payments, including retailers, nonprofit organizations, and ecommerce merchants. PCI DSS compliance requires merchants to ensure that their providers follow PCI dat

 

Why is PCI DSS important?

Cybercrime is a big business. Hackers are no longer individuals hiding in basements; they are organized syndicates offering their skills to the highest bidder. One widely quoted estimate puts the annual cost of cybercrime to businesses at $6 trillion by 2025. To put that number into perspective, if cybercrime were a country it would have the third largest economy in the world by Gross Domestic Product (GDP), behind only the U.S. and China.

For businesses that accept card payments, those statistics translate into a cyberattack somewhere every 11 seconds. At that frequency, it's only a matter of time before a business becomes a target. If an attack turns into a successful data breach, the consequences can be catastrophic.

What are the costs for non-compliance?

According to IBM's latest report, the cost of a data breach averages about $4 million. For mega breaches with more than a million compromised records, the cost is just over $400 million. Based on executive input, small to mid-sized businesses’ (SMB) costs average around $200,000. 

Mastercard, Visa, Discover Financial Services, American Express, and JCB International make up the PCI SSC. The card brands assess fines and penalties for non-compliance, passed down through the merchant's acquiring bank. Amounts are not published, but they are commonly reported to range from $5,000 to $100,000 per month until the company becomes compliant. Fines are only part of the picture: the IBM report also found compliance failures to be one of the largest factors driving up the cost of a data breach.

Larger corporations may have resources to counter the costs of a data breach, but the costs can be catastrophic for smaller businesses. The consequences are so severe that 60% of SMBs fail within six months of a data breach. 
 

Understanding the requirements

Businesses must first show that they meet the 12 PCI DSS requirements. After that initial validation, merchants must re-validate every year, most commonly by completing a self-assessment questionnaire (SAQ); the largest merchants need an on-site assessment instead (see the compliance levels below).

The SAQ corresponds to the 12 PCI DSS requirements published by the PCI SSC. An overview of the requirements is given below.

Requirement 1: Secure the network

The official standard requires firewall and router configurations that protect cardholder data. When setting up a firewall, merchants must secure their internal network to restrict connectivity between external networks and protected data. 

Portable devices should have personal firewalls if they access an internal network from the internet. Remote users should not have permission to alter firewall settings to prevent possible compromise.

Merchants must document all policies and procedures regarding firewall management.

Requirement 2: Replace default passwords and security settings

PCI DSS follows best practices for strong security controls. The security requirement states that merchants must change ALL vendor-supplied default passwords and settings, including default accounts.

To ensure compliance, merchants should maintain an inventory of all system components that store or process card transactions. As with Requirement 1, merchants must document the policies and procedures for managing vendor defaults.
 

Requirement 3: Protect stored cardholder data

Minimizing the amount of stored cardholder data reduces the risks associated with a data breach. That's why the PCI standards recommend data retention and disposal plans that limit what data is stored and for how long.

Businesses must never store sensitive authentication data (full track data, the card verification code, or the PIN) after authorization, even in encrypted form. Wherever the primary account number (PAN) is stored, it must be rendered unreadable, for example with strong encryption, truncation, a keyed hash, or tokenization, and it must be masked when displayed or printed so that only the BIN and last four digits (traditionally the first six and last four) are visible to anyone without a business need for the full number.

Merchants that encrypt stored cardholder data must also protect the keys that decrypt it, whether they generate those keys themselves or receive them from a payment provider. Anyone who can read the keys can read the data, so keys must be stored in as few locations as possible, separately from the data they protect, and be accessible only to the fewest custodians necessary. Key generation, distribution, storage, periodic change, and retirement of weakened or compromised keys all have to follow a documented key management process.

Requirement 4: Encrypt transmitted cardholder data

Sending a transaction to a processor, gateway, or network for authorization requires strong cryptography and security protocols (TLS is the usual choice) with trusted keys and certificates; fallback to SSL or early TLS is not permitted. This requirement applies to wireless networks and satellite links as well as the public internet.

No one should send an unencrypted PAN over end-user messaging technologies such as e-mail, instant messaging, SMS, or chat. PANs sent in the clear can be intercepted, or simply left sitting in mailboxes and logs, handing hackers cardholder information. Again, documenting the security policies and procedures is the merchant's responsibility.
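As an added illustration of Requirements 3 and 4 (this is example code written for this guide, not anything from the PCI SSC or from Heartland), the Python below shows the three things developers most often get wrong with PANs: masking for display, rendering the stored PAN unreadable, and keeping PANs out of logs and messages. The card numbers and the log line are constructed test data, and the function names are this example's own. Note the last function: if a stored PAN is protected only with an unkeyed hash while receipts show the masked first six and last four digits, an attacker only has to try the one million possible middle segments, which is exactly why PCI DSS v4.0 requires hashes of PAN to be keyed.

```python
import hashlib
import hmac
import re
from typing import Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: a log line that should never have contained a PAN.
SAMPLE_LOG_LINE = "2024-05-01 12:00:01 order=8841 pan=4111 1111 1111 1111 amount=19.99"


def luhn_check(digits: str) -> bool:
    """Mod-10 check used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible (Requirement 3)."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_pans(text: str) -> str:
    """Scrub Luhn-valid PANs from free text before it reaches a log, e-mail or chat (Requirement 4)."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_check(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def unkeyed_sha256(pan: str) -> str:
    """What NOT to store: an unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Storage form: keyed hash (HMAC-SHA256); useless to an attacker who lacks the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(first6: str, last4: str, digest: str) -> Optional[str]:
    """Attacker's view of a 16-digit PAN: BIN and last four are known (e.g. from a masked
    receipt), so only the six middle digits remain and they can simply be enumerated."""
    for middle in range(1_000_000):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test number, not a real account
    print(redact_pans(SAMPLE_LOG_LINE))
    print("unkeyed hash recovered:", recover_from_unkeyed_hash("411111", "1111", unkeyed_sha256(pan)))
    print("keyed hash:", keyed_hash(pan, b"key held only by the token vault"))
```

The redaction regex deliberately errs on the side of matching (any 13 to 19 digit run), and the Luhn check then filters out most timestamps and order numbers; a real log pipeline should also scrub track data and CVV-like fields, which this example does not attempt. The HMAC key must live in a key management system or HSM, not beside the hashed values.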

Requirement 5: Update antivirus software or programs

Businesses must deploy anti-malware software on all systems commonly affected by malware, including desktops, laptops, and servers. They are responsible for keeping the software and its signatures current and for running periodic scans to detect malware. The programs must generate audit logs, which must be retained like any other audit log.

Merchants must have security controls in place to ensure that antivirus solutions are operational and cannot be disabled without management approval. Documenting all processes is the merchant's responsibility.

Requirement 6: Develop and maintain secure systems

Whether a company manages its own network or contracts with a third party, a process must be in place to identify newly disclosed security vulnerabilities and assign them a risk rating (for example, critical or high). Merchants must apply vendor-supplied patches for critical and high-risk vulnerabilities to all hardware and software within one month of release, and lower-risk patches within a timeframe they define and document.

The PCI SSC has requirements for software development practices. Many businesses may incorrectly assume that these do not apply; however, ecommerce sites are web applications. If a merchant has a website that accepts credit card payments, parts of the website may fall under this requirement.

Merchants with public-facing web applications must review them for vulnerabilities at least once a year and after any change, or protect them with an automated technical solution, such as a web application firewall, that continually inspects traffic. The assessments help identify new threats for mitigation. Merchants should document their security policies for developing and maintaining applications or ensure that third-party developers provide equivalent documentation.

Merchants that are eligible to self-assess must also complete the SAQ every year. Working through the questionnaire highlights weaknesses that require improvement.

Requirement 7: Restrict access to cardholder data

Limiting the number of people who can access sensitive data minimizes the risk of a data breach. When granting access, merchants should set all user accounts to “deny all”. Only those individuals who must have access to perform their job functions should receive explicit permissions.

Inventorying system components according to Requirement 2 enables merchants to identify where on the network critical information is stored and restrict access based on a business need-to-know policy. 

Requirement 8: Assign unique identifiers

PCI standards have specific requirements regarding user passwords and authentication. Regardless of company policy, merchants should ensure that their access control measures adhere to the following:
 
  • One user account per person, including third-party vendors who may access the system
  • Remove accounts that are inactive for 90 days
  • Log off users if inactive for more than 15 minutes
  • Lock accounts after six failed login attempts (version 4.0 allows up to ten) and keep them locked for at least 30 minutes or until an administrator confirms the user's identity
The standard also includes requirements on password length, password changes, and password reuse. Merchants should review the details under Requirement 8 to ensure compliance.

The latest version of the standard (4.0) goes further on multi-factor authentication (MFA): it is required for all access into the cardholder data environment, not only for administrative access. All documented policies regarding passwords, MFA, and user authentication are the merchant's responsibility.

Databases contain the most crucial cardholder data, and only administrators should have direct access. All other interactions between users and databases should be through programs.
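The lockout, idle-timeout, and inactivity rules above are easy to state and easy to get subtly wrong (for example, forgetting to clear the failure counter once a lockout expires, or never disabling dormant accounts at all). The following Python is an added example for this guide, not code from the PCI SSC or from any payment product, of how an identity store can enforce them. The class and function names and the fixed timestamps in the scenario are this example's own assumptions, and the PBKDF2 password hashing is a simple stand-in for whatever the real store uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds as summarised in this guide (PCI DSS v3.2.1 figures; v4.0 allows up to ten
# failed attempts before lockout, the other values are unchanged).
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user_id: str                    # one ID per person, including vendor staff
    salt: bytes
    pw_hash: bytes
    last_activity: datetime         # last successful login
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthPolicy:
    """In-memory stand-in for an identity store that enforces the Requirement 8 rules above."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user_id: str, password: str, now: datetime) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique; never share or reuse one")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash_password(password, salt), now)

    def login(self, user_id: str, password: str, now: datetime):
        acct = self.accounts.get(user_id)
        if acct is None:
            _hash_password(password, b"\x00" * 16)   # spend the same time as a real check
            return False, "bad credentials"          # same answer as a wrong password
        if acct.disabled:
            return False, "disabled"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return False, "locked"
            acct.locked_until = None                 # lockout window has elapsed
            acct.failed_attempts = 0
        if now - acct.last_activity > INACTIVITY_LIMIT:
            acct.disabled = True                     # unused for 90 days: disable it
            return False, "disabled"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            acct.last_activity = now
            return True, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return False, "locked"
        return False, "bad credentials"

    @staticmethod
    def session_active(last_seen: datetime, now: datetime) -> bool:
        """A session idle for more than 15 minutes must re-authenticate."""
        return now - last_seen <= IDLE_TIMEOUT

    def sweep_inactive(self, now: datetime) -> list:
        """Periodic job: disable every account unused for more than 90 days."""
        swept = []
        for acct in self.accounts.values():
            if not acct.disabled and now - acct.last_activity > INACTIVITY_LIMIT:
                acct.disabled = True
                swept.append(acct.user_id)
        return sorted(swept)


def demo() -> dict:
    """Constructed scenario exercising each rule; fixed timestamps keep it reproducible."""
    t0 = datetime(2024, 1, 1, 9, 0)
    policy = AuthPolicy()
    policy.register("alice", "correct horse battery", t0)
    policy.register("bob", "hunter2", t0)
    attempts = [policy.login("alice", "wrong", t0)[1] for _ in range(MAX_FAILED_ATTEMPTS)]
    results = {"first_attempt": attempts[0], "sixth_attempt": attempts[-1]}
    results["during_lockout"] = policy.login("alice", "correct horse battery", t0 + timedelta(minutes=10))[1]
    results["after_lockout"] = policy.login("alice", "correct horse battery", t0 + timedelta(minutes=31))[1]
    results["idle_14_min"] = AuthPolicy.session_active(t0, t0 + timedelta(minutes=14))
    results["idle_16_min"] = AuthPolicy.session_active(t0, t0 + timedelta(minutes=16))
    results["bob_after_91_days"] = policy.login("bob", "hunter2", t0 + timedelta(days=91))[1]
    results["swept_at_day_120"] = policy.sweep_inactive(t0 + timedelta(days=120))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Two details worth copying into a real implementation: the unknown-user path returns the same answer as a wrong password and burns the same hashing time, so login failures do not reveal which user IDs exist; and the inactivity check happens before the password is verified, so a dormant vendor account cannot be revived simply by someone knowing its old password.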
 

Requirement 9: Restrict physical access to cardholder data

Physical security is as important as virtual protection. If bad actors can walk into a facility unchecked, they can quickly copy volumes of card data without anyone's knowledge. That's why merchants must implement some form of access control to all facilities housing sensitive data.

The mandate requires video cameras or other electronic monitoring of the entrances and exits of locations that store cardholder data. The recordings must be correlated with other entry records and kept for at least three months, unless otherwise restricted by law.

Merchants must distinguish between staff and visitors and document policies on monitoring movements in and around the cardholder data environment.

When removing or deleting card or transaction data, merchants must make media unreadable. The standards provide specific recommendations on data protection of sensitive data.

Requirement 10: Track and monitor the network

Merchants must implement automated audit trails that link every access to system components to an individual user. Each log entry should record at least the user, the type of event, the date and time, the outcome (success or failure), the origin, and the affected resource. Staff must not be able to alter audit logs, access to them should be limited on a need-to-know basis, and they must be retained for at least a year with the most recent three months immediately available. Reviewing the logs daily can surface suspicious activity early, before it becomes part of a successful cyberattack.
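To make "staff must not be able to alter audit logs" concrete, the added Python example below (written for this guide, not taken from the PCI SSC or from any logging product) chains each log entry to the previous one with an HMAC whose key is held by the log collector, so an edit, deletion, or reordering is detected during review. It then runs a simple daily-review check over constructed sample events: repeated failures by one user, and direct database access by anyone who is not a database administrator. The field names, the admin list, and the sample events are this example's own assumptions.

```python
import hashlib
import hmac
import json
from collections import Counter
from typing import Optional, Tuple

GENESIS = "0" * 64
# Only these IDs may reach the cardholder database directly (assumed for this example).
DB_ADMINS = {"dba01"}


class AuditLog:
    """Append-only audit trail. Each entry carries an HMAC over its own fields plus the
    previous entry's HMAC, so any edit, deletion or reordering breaks the chain."""

    def __init__(self, key: bytes) -> None:
        self._key = key              # held by the log collector, not by the logged systems
        self.entries: list = []
        self._prev = GENESIS

    def _mac(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, ts: str, user: str, event: str, resource: str, outcome: str) -> dict:
        entry = {"ts": ts, "user": user, "event": event, "resource": resource,
                 "outcome": outcome, "prev": self._prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(self._mac(e), e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None


def review(entries: list, max_failures: int = 3) -> list:
    """Daily review: flag repeated failures per user and direct DB access by non-admins."""
    findings = []
    failures = Counter(e["user"] for e in entries if e["outcome"] == "failure")
    for user, n in sorted(failures.items()):
        if n >= max_failures:
            findings.append(f"{user}: {n} failed events")
    for e in entries:
        if e["resource"] == "cardholder-db" and e["event"] == "db_login" and e["user"] not in DB_ADMINS:
            findings.append(f"{e['user']}: direct database access at {e['ts']}")
    return findings


def build_sample_log(key: bytes = b"collector-key") -> AuditLog:
    """Constructed sample events (not real data)."""
    log = AuditLog(key)
    log.append("2024-05-01T09:00:00Z", "alice", "login", "pos-app", "success")
    log.append("2024-05-01T09:01:10Z", "mallory", "login", "pos-app", "failure")
    log.append("2024-05-01T09:01:25Z", "mallory", "login", "pos-app", "failure")
    log.append("2024-05-01T09:01:40Z", "mallory", "login", "pos-app", "failure")
    log.append("2024-05-01T09:05:00Z", "dba01", "db_login", "cardholder-db", "success")
    log.append("2024-05-01T09:07:00Z", "alice", "db_login", "cardholder-db", "success")
    return log


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """An insider rewrites entry 3 to hide a failure; verification pinpoints it."""
    log = build_sample_log()
    log.entries[3]["outcome"] = "success"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("after tampering:", tamper_demo())
    for finding in review(log.entries):
        print("finding:", finding)
```

The in-memory list stands in for a write-once destination (a central log server or a WORM store). The chain only proves integrity to whoever holds the key, so that key must stay on the collector side; giving it to the systems being logged would let an administrator of those systems rewrite history and re-sign it.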

Requirement 11: Regularly test security systems

Putting mechanisms in place to secure payment card information is only part of the compliance process. Frequent testing and remediation are the other half of maintaining a secure network. Requirement 11 suggests the following:
 
  • Detect and identify all wireless access points, authorized and unauthorized, at least quarterly, and remove any rogue devices
  • Conduct internal and external vulnerability scans each quarter or after significant changes to the network's infrastructure
  • Perform penetration testing that conforms to published standards such as NIST SP800-115
  • Monitor all traffic to detect and prevent intrusions, especially from the perimeter where sensitive data first enters the network.
  • Create a change detection methodology that alerts personnel to unauthorized changes to the network
Regular testing is critical for maintaining compliance. Because cybercriminals are continuously inventing new threats, testing is the only way to ensure system security.
 

Requirement 12: Maintain an information security policy

Employees and suppliers cannot adhere to security standards that they do not have access to. Merchants must establish, publish, maintain, and distribute a company-wide security policy that discusses the following:

  • Use of policies for critical technologies
  • Definition of information security responsibilities
  • Security awareness program for all personnel
Reviewing the security policy at least once every 12 months, and whenever the environment changes, is itself part of the requirement; scheduled reviews are what keep the policy and its procedures up to date.
 

Determining Your Compliance Level

Validation requirements vary depending on the number of transactions processed per year. The levels are defined by the card brands rather than by the PCI SSC, and the thresholds differ slightly from brand to brand; the commonly used Visa definitions are summarized below.

Level 4

Level 4 businesses are merchants processing less than 20,000 ecommerce transactions and less than one million of all other transactions annually. Once certified, Level 4 businesses must complete an annual SAQ and possibly participate in quarterly PCI scans.

Level 3

Mid-sized merchants that process between 20,000 and one million ecommerce transactions per year fall into the Level 3 category. Their annual compliance requirements are the same as those for Level 4.

Level 2

Organizations that process between one and six million transactions annually operate at Level 2. They must complete an annual SAQ and pass quarterly network scans by an Approved Scanning Vendor (ASV).

Level 1

Large corporations typically fall into Level 1, which covers enterprises processing more than six million transactions per year. They must undergo an annual on-site assessment, performed by a Qualified Security Assessor (QSA) or by an internal auditor whose report is signed by an officer of the company, that produces a Report on Compliance, and they must pass quarterly ASV scans.
 

Getting Started with PCI DSS

The first step is to ensure that all systems meet the PCI data security standards. Sorting through the standard can be a lengthy process; however, the checklist below may help. The PCI website is an excellent source for information on PCI-related topics. It includes a document describing a prioritized approach to PCI DSS compliance that can help set priorities.

PCI DSS Checklist
  • Set up a firewall.
  • Replace vendor default passwords and settings.
  • Establish a PCI-compliant process for collecting, managing, and disposing of sensitive data.
  • Document strong security measures for card number encryption, masking, and key management.
  • Ensure that encryption keys or protocols are used over private and public networks when sending transaction authorization requests. 
  • Install anti-malware software on all systems commonly affected by malware.
  • Deploy only PCI SSC-listed hardware and software, such as PTS-approved payment terminals and validated payment applications.
  • Ensure developers follow PCI requirements.
  • Install all software updates or patches within 30 days of release.
  • Limit access to sensitive data. 
  • Consider implementing a least privilege permissions model to reduce the chance of accidental internal compromises.
  • Assign unique user identifiers.
  • Revise authentication practices to include MFA.
  • Control physical access to locations storing cardholder data.
  • Install surveillance equipment.
  • Create policies that distinguish personnel from visitors.
  • Delineate how to destroy physical devices, including flash drives.
  • Set up system-wide network monitoring that ties devices to users and provides an audit trail for review. 
  • Assess the security logs regularly to identify suspicious activities and maintain strong access control measures.
  • Identify qualified firms to perform vulnerability assessments and penetration testing.
  • Find an approved scanning vendor (ASV) to run the quarterly external scans of all public-facing IP addresses or ranges.
  • Designate individuals responsible for creating and maintaining information security policies.
     

Self Assessment Questionnaire

Merchants need to determine which SAQ applies from the following list.

Ecommerce merchants

  • SAQ A is for merchants that outsource all processing card-not-present transactions such as ecommerce and telephone or mail orders to a PCI DSS-validated third party.
  • SAQ A-EP is for ecommerce merchants that outsource all payment processing to a PCI DSS-validated third party and do not store cardholder data, but whose own website affects the security of the payment transaction (for example, it serves the payment form or redirects the customer to the processor).

Merchants

  • SAQ B is for merchants with imprint, stand-alone, or dial terminals that do not use electronic data storage.
  • SAQ B-IP applies to merchants using approved standalone payment terminals that connect to a payment processor without storing cardholder data.
  • SAQ C applies to merchants with payment application systems using an internet connection without electronic storage of sensitive data.
  • SAQ C-VT is for merchants that enter transactions via a virtual terminal from a PCI validated third party.
  • SAQ P2PE-HW applies to merchants using PCI SSC-listed P2PE solutions with certified hardware and no electronic storage.
  • SAQ D applies to all other merchants.

Attestation of compliance

Merchants submit an attestation of compliance (AOC) to their acquirer (merchant bank) or to the card brands, as requested, to indicate that they comply with PCI DSS. They may also request an AOC from their providers to confirm that those providers are in compliance. The AOC form is included with the SAQ documents on the PCI website.

PCI DSS Audits and Certifications

Strictly speaking, the PCI SSC does not certify anyone; a merchant validates compliance, and the resulting Report on Compliance or SAQ, together with its AOC, documents that the organization was compliant as of the assessment date. For an on-site assessment, businesses work with a Qualified Security Assessor who verifies that the standards are being met. Depending on the business size and transaction volume, the assessment can take months. Level 1 merchants must go through this on-site assessment every year.

 


Ready to upgrade your payment processing and make sure that your business is following PCI DSS compliance?

Heartland helps nearly 1,000,000 entrepreneurs make and move money, manage employees, and engage customers with human-centered technology solutions that allow them to rise above the daily grind and lead their businesses into a brighter future. Learn more at heartland.us.