If your company accepts credit cards or debit cards as payment for goods or services, you need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Founded by the five leading card brands to secure credit card payments and customer data, PCI DSS mandates that organizations holding or processing payment card data establish and maintain information security measures to protect their cardholder data environment (CDE). To meet the PCI DSS standards, companies need to understand their unique compliance requirements, their payment applications, their payment processing workflows, and the system components and sensitive data that make up their CDE.
Payment card data is an appetizing target for many hackers and bad actors, and FICO’s investigations show that, while credit card companies have tightened their security systems in the wake of COVID-19, credit card fraud continues to be a huge problem. Nilson reported that payment card fraud cost a collective $32 billion internationally in 2021. Over the next 10 years, card fraud is projected to cause losses of $397 billion worldwide — a staggering figure that affects consumers and small businesses as much as enterprises and credit card companies. The PCI Security Standards Council (PCI SSC) introduced the Data Security Standards (PCI DSS) to drive better payment card security controls and combat the mounting costs of fraudulent activity.
Now, PCI compliance is crucial for maintaining relationships with payment card brands and acquiring banks, avoiding hefty non-compliance fees, and safeguarding your clients’ payment information. Read on to learn how to be PCI compliant — we’ll cover the basics of the PCI DSS requirements and present you with a nine-step guide for getting and staying compliant.
What Does it Mean to Be PCI Compliant?
As with all things compliance, the Payment Card Industry (PCI) likes its acronyms. To be compliant with PCI means meeting the security requirements and access control measures mandated by the Data Security Standards (DSS) created by the Payment Card Industry Security Standards Council. PCI compliance zeroes in on payment card data specifically, including primary account numbers (PAN), debit and credit card numbers, and even CVVs. The standard asks organizations to consider their information security policies, including physical access, authentication data, validation, and the transmission of card data over public networks. Secure network configuration and management is key to CDE segmentation and protection.
Depending on the level of PCI DSS the company must comply with, which is largely based on the number of card transactions the company processes on an annual basis (with more transactions requiring more stringent compliance), an organization may need to undergo a formal third-party PCI DSS assessment performed by a Qualified Security Assessor (QSA). Even organizations that do not have to meet this mandate must perform quarterly vulnerability scans through an Approved Scanning Vendor (ASV) and complete an annual PCI Self-Assessment Questionnaire (SAQ).
The most recent version of the PCI Data Security Standards released is version 4.0, but many organizations are still in the process of updating their PCI programs from version 3.2.1.
History of the PCI Security Standards Council (SSC) and the Data Security Standards (DSS)
The PCI SSC consists of a coalition of the five largest credit card companies (American Express, Discover, JCB International, Mastercard, and Visa). The council originally convened to fight credit card fraud in the early 2000s when online purchases were just becoming the norm. PCI DSS was created in December 2004 to help standardize practices around the handling of cardholder data and to strengthen cybersecurity practices whenever a consumer’s credit card information is transmitted, processed, or stored. PCI DSS aims to stay up to speed with new cybersecurity issues as they arise, and has adopted security requirements related to the evolution of mobile transactions, contactless payments, virtual cards, and more. The PCI SSC is not responsible for monitoring compliance; payment card brands individually determine how to handle matters of non-compliance.
The PCI Security Standards Council focuses on being industry-driven, forward-looking, and collaborative, with an overall goal to “help protect the people, processes, and technologies across the payment ecosystem to help secure payments worldwide.”
Who Needs to Be PCI Compliant?
Any organization that accepts payment via credit card, serves as a payment processor, or stores credit card data as part of its business needs to be PCI compliant. Even retailers’ point-of-sale (POS) terminals are subject to some PCI DSS oversight. In other words, if your company has anything to do with payment cards or payment card information, there’s a good chance that the PCI DSS affects you.
What are the PCI DSS Requirements?
There are twelve (12) principal PCI DSS requirements that are aimed at protecting cardholder data (CHD), safeguarding the organization’s cardholder data environment (CDE), preventing security breaches, and providing a common baseline and guidance companies must adhere to. These twelve requirements are:
- Install and Maintain Network Security Controls – Firewalls, access controls, transmission protocols, and network segmentation can be used to achieve this objective.
- Apply Secure Configurations to All System Components – Developing secure baseline configurations for all infrastructure and systems, and using configuration orchestration toolsets can facilitate meeting this goal.
- Protect Stored Account Data – Using encryption, role-based access control, and segmenting data can help companies reach this objective.
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks – Ensure that cryptographic mechanisms and algorithms are up-to-date to meet this goal.
- Protect All Systems and Networks from Malicious Software – Install anti-malware and anti-virus software on information systems and perform remediation upon discovering malware to meet this objective.
- Develop and Maintain Secure Systems and Software – Implement change management controls, code reviews, and third-party risk management processes to reach this goal.
- Restrict Access to System Components and Cardholder Data by Business Need to Know – Use unique IDs, access restrictions, and role-based access control to achieve this goal.
- Identify Users and Authenticate Access to System Components – Associate unique IDs with individuals and restrict the use of group or default accounts to achieve this objective.
- Restrict Physical Access to Cardholder Data – Establish role-based physical access controls to reach this goal.
- Log and Monitor All Access to System Components and Cardholder Data – Utilize various types of monitoring tools and software to monitor activity, access, performance, and anomalies across sensitive systems to attain this objective.
- Test Security of Systems and Networks Regularly – Undergo periodic penetration testing, incident response testing, backup testing, and risk assessment procedures to achieve this goal.
- Support Information Security with Organizational Policies and Programs – Document information security measures and procedures and train the workforce on these practices periodically to support this objective.
How to Become PCI Compliant: 9 Steps You’ll Need to Follow
Understanding how to be PCI compliant does not have to be overwhelming, but the details will differ depending on the size and context of your organization. Here is a basic 9-step guide to becoming and staying PCI compliant:
Step #1: Determine Your PCI Compliance Level
PCI has set different levels of compliance with the Data Security Standard depending on how many credit card transactions a company handles annually. You’ll want to determine your organization’s level before beginning PCI compliance assessments, because the level will determine whether your organization qualifies for any of the self-assessment questionnaires (SAQs), and what actions need to be taken to become PCI compliant. The levels are summarized as follows:
- Level 1: Over 6 million transactions annually.
- Level 2: 1 to 6 million transactions annually.
- Level 3: 20,000 to 1 million e-commerce transactions annually.
- Level 4: Fewer than 20,000 e-commerce transactions annually, or any merchant processing up to 1 million Visa transactions annually.
It’s notable that American Express uses different transaction numbers to delineate their PCI levels, and defines a Level 1 merchant, for example, as processing over 2.5 million American Express card transactions annually.
Step #2: Create a PCI Compliance Team
Convene a PCI DSS committee or team designated to keep track of your organization’s PCI compliance needs. Designate members of the committee to take on different PCI DSS compliance roles, like PCI compliance project manager. Since the payment card industry has so many facets, take an interdepartmental approach. Involve staff from IT, data security, finance, and legal; a group with diverse perspectives will develop a robust understanding of PCI compliance together.
Step #3: Complete a Self-Assessment Questionnaire (SAQ)
Depending on the size of your company, you may want to start out with one of the self-assessment questionnaires (SAQs) — the PCI SSC offers a chart that outlines which questionnaire to take depending on how your company processes card payments. All organizations that process card payments should document the appropriate SAQ on an annual basis and retain it for their records. Some organizations will not qualify for a self-assessment and instead need to use a third-party assessment to demonstrate PCI compliance. The SAQ or third-party audit will culminate in documentation that can be submitted to payment card brands to demonstrate PCI compliance.
Step #4: Secure Your Network
A firewall ensures that there is a secure boundary between your organization and the public internet, providing a defensive perimeter for your company’s IT environment. Installing a firewall — and making sure all card readers and third-party vendors have firewalls in place — is a crucial step in preventing data breaches. Some credit card processors come with a pre-installed firewall, but they are careful to acknowledge that merchants are ultimately responsible for ensuring their own PCI compliance. Don’t assume your organization is PCI compliant just because your partners or service providers are.
Step #5: Strengthen Passwords
Ensure all passwords are changed from the defaults automatically generated when accounts are created, and that your operating system only allows users to create passwords that adhere to IT best practices. If you’re looking for solid standards on password creation, the National Institute of Standards and Technology (NIST) has updated its password standards.
Step #6: Implement Access Controls
Only employees and partners who absolutely need access to credit card data should have it. Cardholder data should only be available through certain devices and user accounts, and all access should be properly authenticated. Employees should each have unique user IDs to log in to your IT system; log their activity and restrict access to employees who are directly involved in managing credit card transactions and accounting.
Step #7: Encrypt Cardholder Data
Cardholder data should always be encrypted when it is being transmitted — either internally or externally. Your company should invest in proper encryption tools when planning how to prevent cybersecurity breaches; the right practices will ensure that card numbers cannot be read while the data is in motion. PCI doesn’t endorse any particular product, but it does offer a search tool for finding point-to-point encryption (P2PE) solutions.
Step #8: Protect Stored Data
In PCI Compliance, cybersecurity specialists Anton A. Chuvakin, Branden R. Williams, and Derek Milroy joke that the best way to protect your cardholders’ data is not to store it at all. However, if you are storing credit card data, whether that’s for future purchases or short-term accounting needs, make sure that data is locked down. Protecting stored data includes taking measures to protect access to physical devices and servers, regularly monitoring firewalls, and keeping close watch for any suspicious activity on network logs.
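As an added illustration of the "don't store it, and if you must, lock it down" point (example code written for this page, not from the article or the authors it cites): a small Python scanner that finds Luhn-valid card numbers in log lines and masks them down to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines and card numbers below are constructed test values, and the regex and function names are this example's own choices.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines; the card numbers are standard test values, not real cards.
LOG_LINES = [
    "2024-05-01 12:00:01 INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:00:02 WARN retry card=5500-0000-0000-0004 attempt=2",
    "2024-05-01 12:00:03 INFO shipment tracking=1234567890123456 carrier=ACME",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most digit runs
    that merely look like a PAN (tracking numbers, IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six (BIN) and last four digits, as PCI DSS permits
    for displayed PANs; everything in between is replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, number_of_pans_masked) for one log line."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number; leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


if __name__ == "__main__":
    for original in LOG_LINES:
        redacted, n = redact_line(original)
        print(f"[{n} masked] {redacted}")
```

The third line is left unchanged because its 16-digit tracking number fails the Luhn check, which keeps the scanner from rewriting every long number it sees.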
Step #9: File Paperwork with Payment Card Brands
As part of the SAQ process, PCI automatically generates an Attestation of Compliance (AoC). An AoC can be used to demonstrate to credit card companies and banks that you have taken the proper steps to ensure PCI compliance. If you are audited by a third-party Qualified Security Assessor (QSA), they will prepare a Report of Compliance (RoC) to share with credit card companies and banks. All major credit card companies require sellers and vendors to maintain PCI compliance and assess a monthly or annual fee to cover the costs of compliance from their end.
How Much Does It Cost to Be PCI Compliant?
The cost of maintaining PCI compliance is very little compared to the costs of being non-compliant. The costs will depend upon the size of your organization and your PCI level. The credit card companies and banks that you partner with typically assess an annual or monthly PCI compliance fee, which will be approximately $10 per month ($120 per year), and the costs for audits will depend on whether your company is eligible for a self-assessment questionnaire (SAQ). For smaller organizations, PCI compliance costs can be as low as $1000 per year and for larger, more complex organizations with a higher number of credit card transactions per annum, costs can be in the tens of thousands. PCI compliance fees are used by payment card brands to help merchants maintain compliance, mitigate data breaches when they do occur, and contribute to the development of PCI DSS.
What Happens If I Don’t Comply with PCI DSS?
While PCI compliance can be costly, it is much less than the cost of a data breach. According to a 2020 report by the Center for Strategic and International Studies (CSIS) and McAfee, cybercrime cost companies upwards of 1 trillion dollars in 2020. Credit card fraud and credit card data breaches are extremely costly to both providers and consumers — Equifax settled its 2017 cardholder data breach for $575 million with the FTC, the Consumer Financial Protection Bureau, and 50 US states. While your organization is unlikely to face a data breach of this magnitude, IBM estimates the average cost of a data breach to be $3.86 million.
Even if you avoid a data breach, PCI non-compliance will cost your company money. Depending on the non-compliance fees of the particular payment card brand, the period of non-compliance, and your PCI level, the fees can be significant. American Express, for example, states that data incident non-compliance could cost a company a fee “not exceeding $100,000 a month.” Visa states that the merchant’s acquiring bank is responsible for any PCI non-compliance fees and penalties. However, banks typically pass the fine along, so it ultimately becomes the responsibility of the merchant. Penalties can also prevent your organization from processing card payments, and your acquiring bank may sever ties. Vendors, banks, and customers may also lose trust in your company — that lost trust can lead to lost customers, lost partnerships, and lost profits.
Ultimately, it pays to be PCI compliant.
Boost Your PCI DSS Program
Learning how to be PCI compliant can be challenging, especially if your organization hasn’t started the process or finds itself scaling up and entering a higher PCI compliance level. It helps to invest in software that keeps track of the details, freeing up time and resources for the decisions that are most important to your company. AuditBoard’s compliance software can help you keep track of your SAQs, audits, and documentation, as well as PCI compliance fees and schedules. Get started with our compliance management software today to streamline your PCI compliance journey, make sure you’re keeping track of fees, minimizing your costs, and protecting your clients’ credit card data.
Justin Toro, CISA, is a Commercial Account Executive at AuditBoard. Prior to joining AuditBoard, Justin spent 6 years with KPMG in Atlanta specializing in information technology audits, SOX/ICFR, and SOC Reporting across a variety of industries. Connect with Justin on LinkedIn.