According to the Privacy Rights Clearinghouse, an organization that has tracked data and security breach reports affecting consumers since 2005, more than 11 billion consumer records have been compromised across 8,500 reported data breach cases. The rising number of breaches, and of cybercriminals probing for system vulnerabilities, led to the creation of minimum data security standards for the payment ecosystem.
Following this, MasterCard, Visa, Discover, American Express, and JCB came together in 2006 to form the Payment Card Industry Security Standards Council, which publishes and maintains the PCI Data Security Standard (PCI DSS). This body was tasked with administering and managing security standards for all businesses handling consumer credit card data.
If your business model requires storing or handling card data, you must meet the more than 300 security requirements laid out in PCI DSS. This guide outlines the important things you should know about the standard.
PCI DSS Compliance Overview: What Is It?
As mentioned, PCI DSS was developed by founding payment brands, including MasterCard, American Express, Visa International, Discover Financial Services, and JCB, with a common goal. Basically, these payment brands wanted to define security standards, policies, and technologies that businesses and organizations using these payment systems should meet to prevent security breaches and compromised cardholder data.
Payment cards within the scope of PCI DSS are credit, pre-paid, and debit cards branded with any of the five brand logos mentioned above. Unlike risk-based frameworks such as ISO 27001, where the organization selects which controls it applies, PCI DSS controls are compulsory for everything within scope. Businesses using these payment systems can be assessed by an external specialist or can self-assess using a questionnaire.
Note that even if your business has outsourced payment handling, you remain responsible for ensuring that the third party complies with PCI DSS. Failure to comply can attract several penalties, including losing the ability to accept these payment cards. Other sanctions include monthly penalties and increased transaction fees until compliance is achieved.
Beyond those sanctions, a data breach will subject your business to scrutiny from shareholders, reputational damage, and loss of cardholders' trust. Additionally, if the breach involves personally identifiable information, your business will be investigated and fined by the Information Commissioner's Office.
Businesses should therefore view PCI DSS compliance as an ongoing journey rather than a one-time project. Even though an external assessment or an SAQ is completed at a single point in time, compliance itself is continuous: the assessment is a snapshot of your situation at that moment, while your obligations to the cardholders who pay in your business never pause.
What are the 12 PCI DSS Compliance Requirements?
With the origin of PCI DSS covered, this section outlines the 12 technical and operational requirements that businesses handling cardholder data must comply with.
Note that while PCI DSS defines 12 requirements, they are grouped into six control objectives designed to protect cardholder data.
What are the 6 core control objectives of PCI DSS?
The control objectives and their requirements are:
Control Objective 1: Maintain a Secure Network and System
PCI DSS requirements 1 and 2 aim to help businesses build and maintain a secure network and systems. They state as follows:
PCI DSS Compliance Requirement 1 – Install and maintain a firewall configuration
Requirement 1 specifically focuses on building and maintaining a secure network and systems. It deals with the installation and maintenance of a firewall configuration to protect cardholder data. Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks.
The requirement is often broken down into several sub-requirements that detail what is needed to properly configure firewalls, routers, and other network devices to ensure the security of the network and the sensitive data it carries. This includes guidelines on how to review and maintain those configurations, document changes, and ensure that any connections to the Internet or other external networks are properly secured.
Here are some of the key sub-requirements often found under PCI DSS Requirement 1:
- 1.1: Establish and implement firewall and router configuration standards.
- 1.2: Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.
- 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network and also access the cardholder data environment.
It’s important to note that the above is a simplified overview and the actual requirements can be more detailed and specific. Organizations that are subject to PCI DSS compliance should consult the official documentation and consider seeking expert advice to ensure that they are in full compliance with the standard.
Requirement 2 – Do not use vendor-provided defaults for network passwords and other security parameters
This requirement ensures that all other in-scope devices, such as desktops, servers, smartphones, and laptops, are configured securely. Its control objective is the same as that of requirement 1: businesses must observe secure configuration standards rather than relying on the defaults shipped by the vendor.
Control Objective 2: Protect Cardholder Data
PCI DSS requirements 3 and 4 were developed to protect cardholder data. They are as follows:
Requirement 3 – Protect stored cardholder data
This requirement focuses on how businesses store the cardholder data they collect. It stipulates several guidelines on how cardholder data must be encrypted at rest. However, because encryption is complicated to get right, the requirement opens with a blunt principle: "if you don't need customer data, don't store it."
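As an added example (not code from the original article), the Python below shows one way to apply Requirement 3's principle when a merchant only needs to recognise a returning card: it keeps a masked PAN and a keyed one-way token instead of the full number, and discards the CVV entirely. The key name, the record layout and the sample card number are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical key for illustration only; in production the key lives in a
# key-management system or HSM (Requirement 3 also covers key management).
TOKEN_KEY = b"example-key-replace-with-kms-managed-secret"


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimise_card_record(pan: str, expiry: str, cvv: str = "") -> dict:
    """Build the only card record the merchant stores.

    The cvv parameter exists so callers see explicitly that it is accepted and
    then dropped: sensitive authentication data is never written to storage.
    """
    digits = re.sub(r"\D", "", pan)          # tolerate spaces or dashes in input
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    # Keyed hash of the entire PAN: lets the merchant match a returning card
    # without storing a value that reverses to the real number.
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    del cvv  # deliberately discarded, never stored
    return {"pan_masked": mask_pan(digits), "pan_token": token, "expiry": expiry}
```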
Requirement 4 – Encrypt transmission of cardholder data across open or public networks
This requirement outlines guidelines to observe when transmitting cardholder data. The controls include using strong cryptography, sending data through secure wireless networks, and limiting technologies used to transmit cardholders’ data.
Control Objective 3: Maintain a Vulnerability Management Program
Requirements 5 and 6 were set to ensure that organizations maintain a vulnerability management program. They include:
Requirement 5 – Protect all network systems from malware and update anti-virus software and programs regularly
This requirement obliges organizations to protect their systems against malware, and the breaches that follow from it, by keeping their programs and anti-virus software up to date. It doesn't leave much to the imagination.
Requirement 6 – Develop and maintain secure systems and applications
This requirement provides guidelines for secure software development and patch management. It sets the patching frequency and gives guidance for developing secure software, including secure coding policies, code review, developer training, firewalls, and more.
Control Objective 4: Implement Strong Access Control Measures
PCI DSS formulated requirements 7, 8, and 9 to oversee this control objective. They include:
Requirement 7 – Restrict access to cardholder data on a need-to-know basis
This requirement targets the administrative side of access control: it defines who may access which information, using the "need to know" and "least privilege" principles to govern data access.
Requirement 8 – Identify and authenticate access to system components
Unlike requirement 7, this requirement leans towards the technical side of access control. It outlines several controls designed to restrict user access, such as password complexity and strength, two-factor authentication, accountability for and tracking of user actions, and restrictions on the use of shared accounts.
Requirement 9 – Restrict physical access to cardholder data
As its name states, this requirement restricts physical access to cardholder data. It specifies access controls including visitor entry procedures, entry records, and control of physical media such as paper records and USB drives.
Control Objective 5: Regularly Monitor and Test Networks
Requirements 10 and 11 are categorized under the 5th control objective. They state as follows:
Requirement 10 – Track and monitor all access to network resources and cardholder data
Most businesses find this requirement challenging because it involves collecting and monitoring access logs from every device within PCI DSS scope. All access logs should be retained so they can be analysed during incident management when a security incident occurs.
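As an added example that is not part of the original article, the Python below runs a small Requirement 10 style review over constructed audit-trail lines from a hypothetical cardholder data environment: it flags successful reads of a cardholder-data table by accounts outside a need-to-know list (Requirement 7), use of shared or generic accounts (Requirement 8), and repeated access denials. The log format, host names, account names and lists are all assumptions.

```python
import re
from collections import Counter

# Constructed sample audit-trail lines (not real data) in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=cde-db01 user=alice action=SELECT table=card_tokens result=success
2024-05-01T09:15:41Z host=cde-db01 user=bob action=SELECT table=card_tokens result=success
2024-05-01T22:47:10Z host=cde-db01 user=admin action=SELECT table=card_tokens result=success
2024-05-01T22:48:02Z host=cde-db01 user=carol action=SELECT table=card_tokens result=denied
2024-05-01T22:48:05Z host=cde-db01 user=carol action=SELECT table=card_tokens result=denied
2024-05-01T22:48:09Z host=cde-db01 user=carol action=SELECT table=card_tokens result=denied
2024-05-02T03:01:55Z host=cde-app02 user=deploy action=LOGIN result=success
"""

# Hypothetical need-to-know list per table (Requirement 7) and accounts that
# must not be used because they cannot be tied to one person (Requirement 8).
AUTHORISED = {"card_tokens": {"alice", "bob"}}
SHARED_ACCOUNTS = {"admin", "root", "sa"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: table=(?P<table>\S+))? result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return the record as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_log(log_text: str, denied_threshold: int = 3) -> list:
    """Return (rule, detail) findings for an analyst to triage."""
    findings, denied = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:                       # an unparseable log line is itself a finding
            findings.append(("unparseable", line))
            continue
        user, table = rec["user"], rec["table"]
        if user in SHARED_ACCOUNTS:
            findings.append(("shared_account", f"{rec['ts']} {user}@{rec['host']}"))
        if table and rec["result"] == "success" and user not in AUTHORISED.get(table, set()):
            findings.append(("unauthorised_read", f"{rec['ts']} {user} read {table}"))
        if rec["result"] == "denied":
            denied[user] += 1
    for user, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_denials", f"{user} denied {n} times"))
    return findings
```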
Requirement 11 – Regularly test security systems and processes
This is a resource-intensive requirement that requires businesses to perform regular network vulnerability scans and penetration tests. This can be done by in-house IT teams or external experts.
Control Objective 6: Maintain an Information Security Policy
Requirement 12 – Maintain a policy that addresses information security for all personnel
This is the only requirement under the 6th control objective. It requires businesses within PCI DSS scope to maintain an information security policy covering all the policies and procedures to be followed, such as an annual risk assessment, regular security awareness training, and incident response plans.
Benefits of PCI DSS Compliance
Complying with PCI DSS is the best way of reducing the impact of payment card data breaches. Achieving compliance also helps your business avoid the following:
- Loss of Revenue
A large-scale data breach can drive away customers and significantly hurt your revenue. For instance, one of the largest data breaches hit Target Corporation in 2013: the company incurred $18.5 million in fines for a breach that affected over 41 million customers, and on top of the fine the breach cost it more than $440 million in lost revenue.
- Damaged Reputation
A damaged reputation is a serious consequence of failing to comply with these standards, with long-lasting and often irreparable impact. Exposing your customers' payment card data not only attracts hefty financial penalties but also damages your brand by breaking customer trust that took years to build. Customers will find it hard to trust your business once your security systems have been compromised.
- Restrictions on Processing Payment Card Transactions
Apart from the loss of revenue, the brands behind PCI DSS will very likely impose a hefty fine on your business. The worst consequence, however, is being denied the ability to process payment card transactions at all, in an era when most people prefer to pay by card. That can make it almost impossible to run your business.
- Legal Consequences
You should also expect litigation if cardholder information is lost or exposed. TJX, for example, suffered this in 2007 after a data breach exposed over 100 million bank details; the company had to part with $40.9 million.
- The Aftermath
A 2018 study found that recovering from a data breach exposing fewer than 100,000 records costs more than $3.86 million, while recovering from a mega-breach affecting between 1 million and 50 million records costs between $40 million and $350 million.
Evidently, the cost of achieving PCI DSS compliance is small compared to these fines and the distressing domino effects of a breach, especially where non-compliance with PCI DSS can be proven.
How to Achieve PCI DSS Compliance
Given the devastating impact of failing to achieve compliance, below is a step-by-step guide to achieving PCI DSS version 3.2.1 compliance.
- Know Your Scope and Requirements
The best place to begin is learning which PCI DSS requirements apply to your business or organization. PCI DSS is applied in four compliance levels determined by the volume of your card transactions over a 12-month period. The levels are:
- Level 1 – applies to organizations that process more than 6 million transactions using Visa or MasterCard, or above 2.5 million using American Express cards. Businesses that have previously suffered a data breach also fall into this group. Requirements for this level include an annual Report on Compliance, quarterly network scans, and an Attestation of Compliance for businesses that undergo onsite assessments.
- Level 2 – applies to businesses that process between 1 and 6 million transactions within 12 months. Its requirements also apply to levels 3 and 4 and include an annual PCI DSS SAQ (Self-Assessment Questionnaire), quarterly network scans, and an Attestation of Compliance.
- Level 3 – applies to businesses that process between 20,000 and 1 million online transactions annually, or fewer than 1 million in total.
- Level 4 – applies to organizations that handle fewer than 20,000 online transactions, or fewer than 1 million total transactions, annually.
Note that levels 2, 3, and 4 have different SAQs depending on the payment integration a business uses. PCI DSS requirements also change over time, so it is best to keep up with new certification requirements and how to meet them.
- Map Your Business Data Flows
Before you build systems to protect customer data, you need to know where that data is stored and how it gets there. Draw up a detailed map of the systems, networks, and applications that card data passes through in your organization; this requires working with IT specialists and data security teams.
The first step is identifying all consumer-facing areas in your business that use card payments. This includes payments done through online shopping, in-store card payment terminals, and orders placed via phone calls. The next step is identifying how cardholder data is handled in your business.
Lastly, identify various internal systems and underlying technologies that interact with these transactions. These might be data centers, cloud platforms, or network systems.
- Assess Your Business Security Protocols and Controls
After mapping every touchpoint for customer card data in your organization, have your security and IT teams assess whether all required security protocols and configurations are in place, using the 12 PCI DSS requirements above as a guide. Cross-check that these practices also satisfy GDPR standards and HIPAA provisions.
- Monitor and Maintain
As mentioned, PCI DSS compliance is not a one-time event. It should be an ongoing process that keeps the organization compliant as data flows and touchpoints evolve. This is why most payment card brands require businesses to submit quarterly or annual reports and, especially for level 1 businesses, to complete onsite assessments.
Continuous management of PCI DSS compliance also requires inter-departmental collaboration. Your team should include a cybersecurity professional, a payments expert, a finance officer, and a legal expert to navigate the legal obstacles that come with PCI DSS compliance.
Final Thoughts
A pragmatic, tailored approach is the best way to ensure that your business achieves full PCI DSS compliance: complete a gap analysis, reduce the scope of your cardholder data environment (CDE), complete the relevant SAQs, and work through the remaining, more complicated PCI DSS requirements.