PCI DSS (Payment Card Industry Data Security Standard) is a set of standards developed to protect cardholder information from misuse and fraud. The standard was developed by the PCI Security Standards Council, made up of American Express, Discover Financial Services, JCB International, MasterCard, and Visa, in response to the growth of payment card fraud. Any organisation that accepts payment cards or transmits, processes, or stores payment card data must comply with the requirements. This means handling and maintaining cardholders' information, including card details, in a way that keeps it secure.
PCI DSS compliance helps organisations apply best practices to mitigate the risk of a data breach. The measures taken to comply with the standard protect sensitive information from falling into the hands of cybercriminals. By being PCI compliant, a business demonstrates its commitment to protecting its customers' personal information, which helps to build trust and loyalty.
There is no legal requirement to comply with PCI DSS. However, each of the PCI Security Standards Council (PCI SSC) member card companies can define its own requirements, definitions, and penalties for noncompliance. If a breach does occur and the business is not compliant, the business is responsible not only for reimbursing customers but also faces significant penalties. If, as a consequence of the breach, cardholder data is compromised and account numbers are used fraudulently, the consequences are even greater. These include potentially heavy fines and, in the case of persistent noncompliance, a business could lose the right to accept payment cards or face account suspension. These reasons highlight just how important it is for a business to achieve and maintain PCI compliance.
There are different levels of PCI compliance. The relevant level for an organisation is based on the volume of credit card transactions processed annually.
Level 1 organisations require an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). Level 2, 3 and 4 organisations complete a self-assessment questionnaire (SAQ) and do not require an external audit.
To evaluate compliance with the PCI DSS, the auditor (external in the case of Level 1 organisations) looks at how card data is handled by the organisation and identifies potential vulnerabilities that could put cardholder data at risk, so that they can be addressed. The standard's 12 requirements focus on the controls around the systems that store, process and transmit cardholder data.
The PCI DSS 12 Requirements are a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS). The 12 requirements deal with network security and internal controls.
PCI DSS was initially introduced in December 2006 but has been regularly updated to reflect current best practices. The changes are based on feedback gathered from the global payments industry to ensure that the standard remains aligned with the complex challenges of payment security.
When it was introduced, version 3.2.1 included updates to reflect the impact of technology changes, including changes to the approved technologies for Point of Service (PoS) and Point of Interaction (PoI) devices. PCI DSS v4.0 is the next evolution of the standard and was published in March 2022, replacing version 3.2.1. This version addresses emerging threats and technologies and enables innovative methods to combat these new threats.
The updates look to promote security as a continuous process, with greater flexibility in the methods that organisations can use to meet security objectives, and with improved validation methods.
The six goals under which the 12 requirements are grouped, in each version of the standard:

| PCI DSS version 3.2.1 | PCI DSS v4.0 |
| --- | --- |
| Build and Maintain a Secure Network | Build and Maintain a Secure Network and Systems |
| Protect Cardholder Data | Protect Account Data |
| Maintain a Vulnerability Management Program | Maintain a Vulnerability Management Program |
| Implement Strong Access Control Measures | Implement Strong Access Control Measures |
| Regularly Monitor and Test Networks | Regularly Monitor and Test Networks |
| Maintain an Information Security Policy | Maintain an Information Security Policy |
If cardholder data is compromised, the trust that customers have in the merchants and financial institutions involved can be lost. The reputations of these businesses can be damaged significantly, and if fines are involved the outcome can be worse. Achieving and maintaining PCI compliance is good practice. It protects the business and its customers, which is essential for growth and long-term success.
Learn more about how Security Awareness Training helps to support an organisation-wide culture of security and ensures that all employees understand the PCI standard and are able to spot fraud and report possible issues. Applications that process card data must be secure. PCI Secure Development training can provide developers with the knowledge and skills to code defensively and meet the secure coding and application security standards required by PCI DSS.