Financial information, including cardholder data, is a top target for bad actors. If your company processes payment transactions, operating without strong security measures could be catastrophic. Not only are there regulatory implications, but damage to your reputation and wallet is sure to follow.
According to IBM and the Ponemon Institute, the average data breach cost in 2022 was $4.35 million.
How can you be sure your security is properly implemented? This article will walk you through the steps required to keep your cardholder information secure through PCI compliance.
The Payment Card Industry Data Security Standard (PCI-DSS) is an actionable framework created to ensure a minimum level of technical and operational security for organizations that process, store, or transmit card payments. The goal of PCI-DSS is to prevent theft and fraud involving credit, debit, and prepaid payment cards.
PCI-DSS v1.0 was introduced in 2004. As payment fraud was rising, leaders in the payment industry came together to create a shared set of security standards to help curb it. The founding members of PCI include American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
As of March 31, 2024, v4.0 will be the only recognized version.
PCI compliance helps protect your customers' data. Implementing PCI requirements reduces the potential for data breaches and adds to the credibility of your business. For organizations that store, process, or transmit payment card data, all major card brands require it.
If you choose not to comply, you can be fined, held liable for fraudulent charges, or even lose your card processing privileges. Fines differ based on the merchant agreement you have. From our experience, they can range anywhere from $5,000 - $100,000 per month of non-compliance and $50 - $90 per customer affected by a data breach.
Each payment card brand has its own compliance thresholds for merchant levels. PCI has four levels based on the number of payment transactions a company processes annually. Below is an example of how Visa and MasterCard define these merchant levels:
The requirements for Level 1 businesses are more rigorous than those for Levels 2-4. Level 1 businesses must have an annual on-site assessment performed by a Qualified Security Assessor (QSA) firm (or, where the card brand permits, by a trained Internal Security Assessor), documented in a Report on Compliance (ROC). The business is responsible for remediating any findings from the assessment before the assessor signs off on the ROC and the accompanying Attestation of Compliance (AOC); PCI-DSS has no "certificate" as such, the signed AOC is the evidence of compliance.
Businesses that fall into Levels 2-4 are required to complete a PCI Self-Assessment Questionnaire (SAQ) on a yearly basis. Depending on the SAQ type, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also required.
PCI-DSS consists of 12 requirements and roughly 300 sub-requirements. These include security systems, organizational processes, testing, and policies that help protect payment transaction data. Organizations can reduce the number of controls they must comply with by qualifying for a different SAQ. This can be accomplished by using third parties to handle portions of the payment process: for example, an e-commerce merchant that redirects customers to a PCI-DSS validated provider's hosted payment page, and never touches card data itself, may qualify for the much shorter SAQ A rather than the full SAQ D.
Determine which level of compliance your company needs to achieve. Doing so will ensure you complete the correct documents and involve the proper auditing process and authorities.
The scope of PCI-DSS requirements applies to the cardholder data environment (CDE) and any components, people, or software that could impact its security. Think of this as anything that has access to, touches, or sees cardholder data, or that can connect to or affect the security of systems that process cardholder data in any way. This includes all IT assets and any associated business processes.
It's important to have a solid understanding of your environment and the systems that need to be included in your assessment. Keeping the cardholder data environment small and segmented from the rest of the network reduces the blast radius in the event of a breach and shrinks the assessment scope, which makes the assessment process simpler.
If you're using a Third Party Service Provider (TPSP), you'll need to be aware of how they do business and ensure proper agreements are in place. If a TPSP can impact your cardholder data environment security in any way, their compliance will impact your compliance. Therefore, it's your responsibility to monitor their compliance status: PCI-DSS expects a written agreement in which the TPSP acknowledges its responsibilities for the cardholder data it handles, and an annual check of its compliance status (for example, by obtaining its current AOC).
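The scoping rule above, "anything that touches cardholder data or can connect to systems that do", can be checked mechanically against an asset inventory and the firewall's permitted flows. The following is an added example, not code from the original article or from ScaleSec: it classifies each system as CDE, connected-to/security-impacting (in scope), or out of scope, following the three categories in the PCI SSC scoping guidance. All hostnames, VLANs and flows are constructed for illustration, and the model is deliberately simplified (directed TCP flows, one-hop connectivity, and anything sharing a VLAN with a CDE host counted as CDE).

```python
"""Added example (not from the original article): PCI-DSS scoping by connectivity.

Assumptions of this example (not statements of the standard):
  * a "flow" is a directed TCP connection the firewall actually permits;
  * any host on the same VLAN as a host that handles cardholder data is in the CDE;
  * only direct (one-hop) connections to or from the CDE count as "connected-to".
"""

# Constructed inventory: name -> (vlan, handles cardholder data?, security-impacting?)
INVENTORY = {
    "pos-terminal":  ("cde",  True,  False),
    "payment-app":   ("cde",  True,  False),
    "card-db":       ("cde",  True,  False),
    "legacy-report": ("cde",  False, False),  # no card data, but lives in the CDE VLAN
    "jump-host":     ("mgmt", False, False),  # admins SSH through it into the CDE
    "ad-dc":         ("mgmt", False, True),   # authenticates CDE administrators
    "syslog":        ("mgmt", False, True),   # receives CDE audit logs
    "hr-portal":     ("corp", False, False),
    "wiki":          ("corp", False, False),
}

# Constructed list of flows the firewall permits: (source, destination, port)
FLOWS = [
    ("pos-terminal", "payment-app", 443),
    ("payment-app", "card-db", 5432),
    ("jump-host", "card-db", 22),
    ("payment-app", "syslog", 514),
    ("payment-app", "ad-dc", 636),
    ("hr-portal", "wiki", 443),
    ("wiki", "payment-app", 443),   # a forgotten rule that drags the wiki into scope
]


def classify(inventory, flows):
    """Return {name: category}, category in {"cde", "in-scope", "out-of-scope"}."""
    cde_vlans = {vlan for vlan, handles_chd, _ in inventory.values() if handles_chd}
    cde = {name for name, (vlan, handles_chd, _) in inventory.items()
           if handles_chd or vlan in cde_vlans}
    result = {name: "cde" for name in cde}
    for name, (_, _, security_impacting) in inventory.items():
        if name in cde:
            continue
        # "Connected-to": a permitted flow in either direction with a CDE system.
        connected = any((src == name and dst in cde) or (dst == name and src in cde)
                        for src, dst, _ in flows)
        in_scope = connected or security_impacting
        result[name] = "in-scope" if in_scope else "out-of-scope"
    return result


def inbound_cde_flows(inventory, flows):
    """Flows into the CDE from outside it (excluding security-impacting systems).

    These are the firewall rules a scoping review should justify one by one;
    removing an unjustified one both closes an attack path and shrinks scope.
    """
    categories = classify(inventory, flows)
    return [(src, dst, port) for src, dst, port in flows
            if categories[dst] == "cde" and categories[src] != "cde"
            and not inventory[src][2]]


def without_flow(flows, src, dst):
    """Return the flow list with one segmentation gap closed."""
    return [f for f in flows if (f[0], f[1]) != (src, dst)]


if __name__ == "__main__":
    for name, category in sorted(classify(INVENTORY, FLOWS).items()):
        print(f"{name:14} {category}")
    print("Inbound CDE flows to justify:", inbound_cde_flows(INVENTORY, FLOWS))
    # Closing the wiki -> payment-app rule takes the wiki out of scope again.
    print("wiki after segmentation:",
          classify(INVENTORY, without_flow(FLOWS, "wiki", "payment-app"))["wiki"])
```

Two points the listing makes that the prose does not: `legacy-report` stores no card data yet is in the CDE purely because it shares the VLAN, and the single stray `wiki -> payment-app` rule pulls a corporate system into the assessment until it is removed. In a real review the flow list would come from the firewall's effective ruleset or observed traffic, not from a hand-written table.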
After you have an inventory of all systems and processes associated with your payment processing, it’s time to assess. Here is where the PCI requirements come into play. All in-scope system components should be examined for compliance with each PCI-DSS control required by their SAQ version.
Complete the appropriate Self-Assessment Questionnaire (SAQ) and its Attestation of Compliance (AOC). The required documentation will differ depending on the SAQ needed. Together these record all findings, remediation plans, compensating controls, and any requirements that were met using the customized approach.
If there are any unmet requirements, craft a remediation plan and update your environment accordingly. This can include closing gaps in security controls, fixing vulnerabilities, removing unnecessary stored data, and improving the security of business processes. Every required control must be in place before you can attest to compliance.
Submit the SAQ and any other supporting documentation reports to the requestor, generally the company’s acquiring bank. For service providers, the requestor is usually the payment brand.
Although validation only happens once a year, PCI requires that the controls be properly maintained and managed throughout the year. PCI is an ongoing process and aims to create a culture of security that keeps best-practice controls in place and up to date.
Admittedly, these 12 requirements and 6 steps are highly simplified. If you’d like to take a deeper dive, the PCI Document Library has in-depth documentation breaking down the 300 sub-requirements.
If you need more personalized assistance, let us know! ScaleSec has a proven track record of helping others become PCI compliant, and we can help you too.