Introduction: What is PCI DSS?
PCI DSS, or the Payment Card Industry Data Security Standard, is a set of information security standards governed by the PCI SSC, or Payment Card Industry Security Standards Council.
The goal of these standards, established in 2004, is to protect card users against data theft and fraud related to credit and debit cards.
Interestingly, the PCI SSC does not have the legal authority to compel compliance, it does require that any business that processes a card transaction is PCI DSS compliant.
Not only is customer data protected when a business has PCI certification, but the business also can protect its reputation as a reliable and safe vendor with consumers.
A business’ compliance is validated on a regular schedule based on the volume of transactions that business processes according to the following levels:
Level 1 compliance is required for businesses that process over 6 million transactions on an annual basis. Their compliance is validated through an audit conducted by an authorized PCI auditor each year. Level 1 businesses must also undergo a PCI scan conducted by an Approved Scanning Vendor, or ASV, once every quarter.
Level 2 compliance is required for those businesses that process between 1 and 6 million transactions each year. These businesses must take a Self-Assessment Questionnaire, or SAQ, each year, as well as a PCI scan each quarter.
Level 3 compliance is for merchants who process less than 1 million but more than 20,000 e-commerce transactions in a year. As with level 2, these businesses need to do the annual SAQ, but are only required to run quarterly scans under certain circumstances.
Finally, Level 4 compliance is for any vendor that processes fewer than 20,000 e-commerce transactions annually or up to 1 million real-world transactions annually. Again, an annual SAW is necessary, but the quarterly PCI scan occurs on an “as needed” basis.
PCI DSS Requirements
The PCI SSC has defined 12 requirements split across six categories for businesses that handle cardholder data and maintain a payment processing network. Any business that wishes to be in compliance must meet all of these requirements.
- Maintaining a Secure Network – The first category of requirement relates to the maintenance of a secure network, and requires that a business:
- Installs and maintains a firewall
- Utilizes original, customer-selected passwords on customer data and not vendor-supplied passwords
- Securing cardholder data – The second category addresses how business secure cardholder data and requires that a business:
- Protects any stored cardholder data
- Encrypts any data that is transmitted across public networks
- Managing vulnerability – the third category involves how a business manages vulnerabilities in its network and requires that a business:
- Use and regularly updates its anti-virus software
- Develops and maintains secure systems and apps
- Controlling access – The fourth category oversees how businesses control access to data and requires that a business:
- Limits business access to cardholder data to a “need-to-know” basis
- Assigns a unique ID to every business user with computer access
- Restricts physical access to cardholder data
- Monitoring and testing the network – The fifth category of requirements addresses how a business monitors and tests their network and requires that the business:
- Tracks and monitors all access to cardholder data and resources on the network
- Tests security systems and protocols on a regular basis
- Securing information – Finally, the sixth category of PCI DSS requirements addresses how a business secures information and requires that a business:
- Maintains a policy that addresses specific protocols and practices related to information security
How to Get PCI DSS Certification
Getting PCI DSS certification is a multi-step process. As a first step, a business should analyze its current compliance level. Assess:
- How you handle data
- How you process customer transactions
- With which banks you work
- Your volume of transactions
Cross-reference this with PCI general standards to understand how the business currently performs in terms of these standards.
Next, a business should take the self-assessment questionnaire that is a regular part of the PCI compliance process. There are several different versions of the SAQ so businesses should make sure that they are using the one that is right for their business type. Taking the SAQ will further highlight the areas where a business needs improvement in order to be in compliance.
As a next step, a business should take the steps needed to enhance data and transactional security at the company. This can include working with a provider that utilizes data tokenization to secure customer credit card data.
Once these improvements are in place, a business should complete and submit a formal attestation of compliance (AOC).
As with the SAQ, different AOCs are used for different business types. A QSA can then perform a review of a business’ compliance and generate a report to validate compliance. These documents can then be submitted to credit card companies and banks to confirm a business’ compliance.
PCI DSS Compliance Checklist / Questionnaire
The following is a checklist that can help a business determine whether or not they are in compliance with PCI DSS requirements:
- Is the system that stores and transmits customer data protected by a firewall or similar security?
- Does the business run regular maintenance and upgrades on that firewall?
- Are strong passwords used in lieu of default passwords?
- Does the business protect cardholder data in internal systems with sufficient security controls?
- Is in-transit cardholder data secured, including using approved encryption methods and protecting it in open networks?
- What antivirus software does the business use? Is it sufficient given the high stakes of cardholder data?
- Is any virus protection program used updated on a regular basis?
- How secure are your systems and applications?
- How often does the business run maintenance and updates on your systems and applications?
- What are the business’ plans for securing systems so that they are in compliance with PCI DSS?
- Is the business currently restricting internal access to cardholder data?
- Do internal restrictions on credit card data limit access on a “need to know” basis?
- Does the need to execute a task with cardholder data outweigh the risk to that data?
- Are all users at the company using a unique user ID when logging into the system?
- Does a system administrator oversee and manage permissions and controls for those user IDs?
- Are all permissions aligned with the “need to know” data policy?
- Are all visits to a facility that houses systems containing credit card data logged and monitored?
- What processes does the business utilize to review its network and ensure data security?
- Are any processes used logged and stored to create a valid audit trail?
- How often does the business test systems for vulnerabilities?
- Are any identified vulnerabilities addressed as quickly as possible?
- When new software or configurations are introduced, are they subjected to vulnerability testing?
- Does the business monitor critical system files regularly to make sure they have not been accessed or modified outside the scope of regular business?
- Has the business developed an information security policy for the company and distributed it to all users?
- If an information security policy is in place, is it reviewed on an annual basis or when system changes occur?
- Does the information security policy include sections that address PCI compliance and service providers?
- If a breach occurs, does the business have an emergency response plan in place?
The Bottom Line
Becoming PCI DSS compliant may be overwhelming for some businesses, but it is a necessity.
It is a relatively straightforward process when approached systematically, and the downside of not being in compliance far outweighs the cost and trouble of getting in compliance.
Businesses that are found to not meet PCI requirements can be sanctioned and left unable to accept payment online, cutting off a business’ primary stream of revenue. When financial death for a business is a possibility, it seems clear that becoming PCI compliant should be a priority for any and all businesses.