PCI DSS, or the Payment Card Industry Data Security Standard, is the set of requirements for organizations who process card payments. Sounds simple enough, right? But PCI compliance can pose a major challenge to organizations if they’re not equipped with the proper knowledge and tools. Let’s take a quick look at the basics of PCI compliance, what the actual requirements consist of and methods organizations can use to both pass their PCI audits and maintain a strong cybersecurity posture. After all, the point of PCI isn’t to tick a checkbox that says you’re compliant—it’s to protect cardholder data from malicious actors.
What Is PCI Compliance?
When the credit card industry moved into the digital space, it quickly realized the need to protect itself from digital fraud. Merchants and those responsible for handling the data needed to protect it in the same way they would protect physical currency. Then, like now, there was a lack of cybersecurity expertise; credit card handlers knew they had to protect the data, but they didn’t necessarily know how. The major credit card companies had a vested interest in helping companies protect the data, and so each developed their own security standards. At first, credit card companies came up with their own internal information security programs. The introduction of a centralized requirement helped unite these disparate programs under one umbrella. Version 1.0 was first introduced in 2004. Its current iteration, 3.2.1, was released in 2018. The PCI Security Standards Council, founded in 2006, is now a global organization with far-reaching say on how business is done in the digital age. In addition to helping cardholders’ data stay in the right hands, PCI also helps card issuers and banks limit their liability in the event a merchant suffers losses from a breach.
The PCI DSS has established itself as a proven and time-tested framework for payment security with benefits for organizations that extend beyond the protection of payment data. A survey of Verizon’s PCI customers found that almost half (49%) were leveraging PCI DSS compliance efforts to meet other security requirements of data protection regulations, such as the European Union (EU) General Data Protection Regulation (GDPR). Verizon 2018 Payment Security Report
Compliance Doesn’t Equal Security
Being PCI compliant doesn’t automatically guarantee that your organization is secure—it’s much more than a box to check. But it is a major step in the right direction. Make sure your internal security and compliance teams don’t lose the forest for the trees and make PCI compliance a part of (but not all of) your overall cybersecurity program. Because of the complex nature of compliance enforcement on the scale of global retail, there are several pervasive PCI myths to be wary of. Understanding how PCI compliance works can help your organization get a clear picture of your threat vectors and the state of your security posture.
Who Needs to Be PCI Compliant
If your organization processes, stores or transmits credit card data, you’re required to be PCI DSS compliant.
The 4 Levels of PCI Compliance
Of course, a breach at a small business with little digital footprint has far less potential for public damage than a breach at a giant, international retailer. Because of this disparity in the size of the datasets that could be compromised, there are four levels of PCI compliance that an organization can fall into. Level 1: Any merchant processing 6 million+ transactions per year across all channels or any merchant that has had a data breach. Credit card companies can also upgrade any merchant to Level 1 at their discretion. Level 2: Any merchant processing between 1-6 million transactions per year across all channels. Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions per year. Level 4: Any merchant processing less than 20,000 e-commerce transactions per year or any merchant processing up to 1 million regular transactions per year. The levels more or less explain themselves in that the more transactions you process, the higher the tier. But it is also important to be aware of the ways e-commerce merchants can go straight from Level 4 to Level 2, bypassing Level 3, depending on the growth rate of business and the number of transactions.
PCI DSS 3.2 Requirements and Security Standards
Build and Maintain a Secure Network and Systems Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need to know. Requirement 8: Identify and authenticate access to system components. Requirement 9: Restrict physical access to cardholder data. Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for all personnel.
Proving PCI Compliance to an Auditor
Proof of compliance is a process that generally involves four main components, each with their own handy acronym: QSA, ISA, ROC, and SAQ.
- Qualified Security Assessor (QSA): QSAs are certified to perform PCI audits on organizations. Organizations’ annual PCI QSA assessments are the primary events where all the continuous work for proof of compliance comes into play.
- Internal Security Assessor (ISA): ISAs are in charge of compliance efforts within the organization. They also receive certification through PCI. This person is trained in doing PCI self-assessments.
- Report on Compliance (ROC): ROCs are only required for level 1 organization—merchants with more than 6 million annual transactions. It’s a form issued by the PCI regulatory body.
- Self-Assessment Questionnaire (SAQ): SAQs help organizations understand where they stand on PCI compliance. This is mandatory for any organization that falls under the purview of PCI. The type of SAQ you’ll require is dependent on what type of merchant you are and how you handle credit card payments. (For example, if you outsource payment processing to a PCI DSS-compliant third party.)
Tripwire Tip: Use the Center for Internet Security’s CIS Controls to help you align your organization with PCI standards and strengthen your cybersecurity posture.
Curious about how Tripwire can keep you PCI compliant? Download the white paper PCI DSS Compliance with Tripwire Solutions to learn more.
