Financial information, including cardholder data, is a top target for bad actors. If your company processes payment transactions, operating without strong security measures could be catastrophic. Not only are there regulatory implications, but damage to your reputation and wallet is sure to follow.
According to IBM and the Ponemon Institute, the average data breach cost in 2022 was $4.35 million.
How can you be sure your security is properly implemented? This article will walk you through the steps required to keep your cardholder information secure through PCI compliance.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI-DSS) is an actionable framework created to ensure a minimum level of technical and operational security for organizations that process, store, or transmit card payments. The goal of PCI-DSS is to prevent theft and fraud when using credit, debit, and cash cards.
PCI-DSS v1.0 was introduced in 2004. As payment fraud was rising, leaders in the payment industry came together to create a set of security standards to help. The founding members of PCI include American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
As of March 31, 2024, v4.0 will be the only recognized version.
Why Should I Become PCI Compliant?
PCI compliance helps protect your customers' data. Implementing PCI requirements reduces the potential for data breaches and adds to the credibility of your business. For organizations that store, process or transmit payment cards, all major credit card companies require it.
If you choose not to comply, you can be fined, held liable for fraudulent charges, or your business can even have credit card processing privileges revoked. Fines differ based on the merchant agreement you have. From our experience, they can range anywhere from $5,000 - $100,000 per month of non-compliance and $50 - $90 per customer affected by a data breach.
PCI Compliance Levels
Each payment card brand has its own compliance thresholds for merchant levels. PCI has four levels based on the number of payment transactions a company processes annually. Below is an example of how Visa and MasterCard define these merchant levels:
- Level 1 - above 6 million annual transactions, or any business that has experienced a data breach
- Level 2 - between 1 and 6 million transactions
- Level 3 - between 20,000 and 1 million transactions
- Level 4 - less than 20,000 transactions
The requirements for Level 1 businesses are more rigorous than those for Levels 2-4. Level 1 businesses are required to have an annual third party PCI DSS assessment done by a Qualified Security Assessor (QSA) firm. The business is responsible for remediating any vulnerabilities that are found during the audit prior to receiving a PCI certification.
Businesses that fall into Levels 2-4 are required to complete a PCI Self Assessment Questionnaire (SAQ) on a yearly basis.
PCI-DSS Requirements
PCI-DSS consists of 12 requirements and 300 sub-requirements. These include security systems, organizational processes, testing, and policies that help protect payment transaction data. Organizations can reduce the amount of controls they must comply with by qualifying for a different SAQ. This can be accomplished by using third parties to handle portions of the payment process.
- Install and maintain network security controls - Properly securing your network using firewalls and proper access controls allows cardholder data to remain secure within your network.
- Apply secure configurations to all system components - For example, don’t use default passwords! Reduce your potential attack surface by keeping your systems lean and removing unused software.
- Protect stored account data - Don’t store data unless you have a business need to do so. When data must be stored, use encryption and proper key management processes.
- Protect cardholder data with strong cryptography during transmission over open, public networks - Encrypt cardholder data. Utilize encryption whenever possible.
- Protect all systems and networks from malicious software - Use and regularly update antivirus software on all systems interacting with cardholder data.
- Develop and maintain secure systems and software - Develop new applications using secure coding and development practices. Use change management and vulnerability scanning on all systems and software.
- Restrict access to system components and cardholder data- Follow the “least privilege” mindset for systems and people.
- Identify users and authenticate access to system components - Ensure that each person with access has a unique ID that can be traced to any action. Use multi-factor authentication (MFA) to enhance access security.
- Restrict physical access to cardholder data - Again, follow “least privilege.” No one should have access to physical cardholder data that doesn’t need it.
- Log and monitor all access to system components and cardholder data - Log and monitor all activities. This will allow for anomaly detection and be important in forensic analysis.
- Test security of systems and networks regularly - Frequently check for new vulnerabilities, as they’re always evolving. Run scans on a regular basis.
- Support information security with organizational policies and programs - A robust security policy sets the tone for an organization. Company policies and programs should make clear the importance of protecting sensitive cardholder data.
The PCI Assessment Process in 6 Steps
1. Scope
Determine which level of compliance your company needs to achieve. Doing so will ensure you complete the correct documents and involve the proper auditing process and authorities.
The scope of PCI-DSS requirements applies to the cardholder data environment and any components, people, or software that could impact its security. Think of this as anything that has access to, touches, or sees cardholder data or systems that process cardholder data in any way. This includes all IT assets and any associated business processes.
It’s important to have a solid understanding of your environment and the systems which need to be included in your assessment. Keeping the cardholder data environment isolated and condensed will reduce the blast radius in the event of a breach and make the assessment process simpler.
If you’re using a Third Party Service Provider (TPSP), you’ll need to be conscientious of how they are doing business and ensure proper agreements are in place. If a TPSP has the ability to impact your cardholder data environment security in any way, their compliance will impact your compliance. Therefore, it’s your responsibility to monitor their compliance status.
2. Assess
After you have an inventory of all systems and processes associated with your payment processing, it’s time to assess. Here is where the PCI requirements come into play. All in-scope system components should be examined for compliance with each PCI-DSS control required by their SAQ version.
3. Report
Complete the appropriate Self-Assessment Questionnaire (SAQ). The required documentation will be different depending on the SAQ needed. This report includes all findings, remediation plans, compensating controls, and any requirements that were met using the customized approach.
4. Remediate
If there are any unmet requirements, a remediation plan should be crafted and your environment updated accordingly. This can include addressing any gaps in security controls, fixing vulnerabilities, removing any unnecessary data, and improving the security of business processes. You must be in compliance with all required controls prior to achieving PCI compliance.
5. Submit
Submit the SAQ and any other supporting documentation reports to the requestor, generally the company’s acquiring bank. For service providers, the requestor is usually the payment brand.
6. Monitor & Maintain
Although certification only happens once a year, PCI requires that the controls are properly maintained and managed throughout the year. PCI is an ongoing process and aims to create a culture of security to keep best-practice security controls in place and up to date.
Admittedly, these 12 requirements and 6 steps are highly simplified. If you’d like to take a deeper dive, the PCI Document Library has in-depth documentation breaking down the 300 sub-requirements.
If you need more personalized assistance, let us know! ScaleSec has a proven track record of helping others become PCI compliant, and we can help you too.