Modern-day transactions have almost completely migrated to the online and digital landscape. Gone are the days when the security of your financial information depended on how well you guarded your wallet. Yet, security remains more critical (and complex) than ever for consumers and businesses alike.
One tap of a card or click of a button, and you’re good to go – but what happens to the cardholder data once the payment goes through?
This whitepaper looks at the holy grail of securing payments and cardholder data – PCI DSS – and at how the mandatory compliance framework ensures secure payments and data privacy, though not without due diligence from businesses like yours.
Here’s everything you need to know about securing payments and cardholder data and The Payment Card Industry Data Security Standard.
PCI DSS stands for The Payment Card Industry Data Security Standard, which was born out of a need for a single global security standard that makes the safety of card transactions uniform for businesses and customers. The founding members of the security standard are known as The Payment Card Industry Security Standards Council (PCI SSC), consisting of the five major payment card brands: American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
Before the establishment of the council and the PCI DSS, Visa was the first significant payment card company to establish its own set of security standards for businesses accepting payments online in 2001. Other payment companies quickly followed suit, each creating its own security standards.
As merchants struggled to understand the novel compliance requirements per payment company and as security threats became a growing concern, the council was created to best secure payments and cardholder data in a way that’s globally standardized.
Depending on the specific merchant level that your organization falls under (which we’ll get into later), PCI DSS compliance may require you either to complete a self-assessment questionnaire (SAQ) or to undergo an on-site audit (Report on Compliance).
It’s also important to keep in mind that although PCI DSS compliance is not a regulatory requirement (mandated by law), it is still contractually mandatory for anyone handling cardholder data.
So, apart from merchants sealing the deal with their payment card brand of choice, what are the benefits of PCI DSS compliance?
The fear, uncertainty and doubt that come along with unprotected cardholder data should ideally be a significant enough source of motivation to prioritize PCI DSS compliance. However, with up to 91% of attacks failing to generate an alert, most businesses have very little visibility into their threats. Out of sight, out of mind? Well, just because a business can’t identify their threats and vulnerabilities, doesn’t mean clients and malicious attackers can’t.
Apart from the enhanced safety and reduced risk of security breaches that PCI compliance brings to the table, there are many other benefits that come with getting (and staying) PCI DSS compliant, mainly because of the significant advantages it holds regarding client trust, brand loyalty, competitiveness and overall business performance. Here’s what you need to know.
The primary reason for becoming PCI DSS compliant, and the overarching reason for the existence of the PCI DSS, is to protect businesses and clients against data breaches. With cyber threats and data breaches becoming increasingly frequent, no company is off the radar or unexposed to security attacks.
PCI DSS requirements ensure that all businesses that handle cardholder data implement due diligence through annual security assessments of systems and proof of remediation in case of any vulnerabilities. In addition, these requirements, including penetration tests for PCI DSS compliance, guarantee a safe network infrastructure, ensuring that nothing slips through the cracks.
Your average customer may not be too fazed about the nitty-gritty details of PCI DSS compliance. However, that doesn’t mean that they are oblivious to what it means regarding data and information security. Customers are far more likely to do business with merchants that can prove they’re securing payments – and PCI DSS compliance is the epitome of trustworthiness and due diligence regarding information security. According to the Cisco 2022 Consumer Privacy Survey, 76% of respondents say they would refrain from buying from a company they do not trust regarding data security and privacy.
Becoming PCI DSS compliant helps create a sound, security-conscious compliance culture in an organization. Because of the specific requirements and security controls of PCI DSS, companies create a common baseline for other compliance frameworks, such as ISO 27001, SOC 2, HIPAA or GDPR. This means there are several overlaps between the requirements and controls of PCI DSS and those of other frameworks and regulations. This can significantly reduce the costs, time and resources needed when implementing additional frameworks, as the business already has a compliance baseline with several common controls in place.
To say that PCI DSS compliance has a large scope would be somewhat of an understatement. In fact, if you’re a service provider that processes, accepts, transmits or stores debit card or credit card information – tag, you’re it. However, the process of becoming compliant isn’t standardized across the board and depends on your specific PCI DSS merchant level.
Each of the merchant levels of PCI DSS compliance includes specific thresholds. Four overarching merchant levels determine the process required to get compliant. However, all merchants from level two to level four must complete a PCI DSS Self Assessment Questionnaire (SAQ) that the company’s senior management team must sign off on.
Level 4 – Merchant Criteria: Fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
Level 4 – Validation Requirements for VISA and MasterCard: (1) Annual Self-Assessment Questionnaire (“SAQ”). (2) Quarterly network scan by an Approved Scanning Vendor (ASV). (3) Attestation of Compliance Form.
Level 3 – Merchant Criteria: Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
Level 3 – Validation Requirements for VISA and MasterCard: (1) Annual Self-Assessment Questionnaire (“SAQ”). (2) Quarterly network scan by an Approved Scanning Vendor (ASV). (3) Attestation of Compliance Form.
Level 2 – Merchant Criteria: 1 million to 6 million Visa or MasterCard transactions annually (all channels).
Level 2 – Validation Requirements for VISA and MasterCard: (1) Annual Self-Assessment Questionnaire (“SAQ”). (2) Quarterly network scan by an Approved Scanning Vendor (ASV). (3) Attestation of Compliance Form.
Level 1 – Merchant Criteria: (1) Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year. (2) Any merchant that has had a data breach or attack that resulted in an account data compromise. (3) Any merchant identified by any card association as Level 1.
Level 1 – Validation Requirements: (1) Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. (2) Quarterly network scan by an Approved Scanning Vendor (ASV). (3) Attestation of Compliance Form.
Although PCI DSS isn’t a regulation, there is still a range of penalties and fines to ensure that businesses comply with the PCI DSS guidelines. It’s important to note that these penalties are not published by the PCI SSC; rather, fines and penalties are charged by the credit card brands.
Fines and penalties vary significantly based on the severity of the breach, non-compliance history, and payment volumes of the merchant. However, the general range of penalties can go from $5,000 all the way to $100,000 per month for violating PCI DSS, rising over time within that bracket. Penalties can also escalate to the point of termination, where businesses lose the option to accept payment cards. In severe cases, businesses can also become liable for any losses their customers may have suffered in the event of a breach due to negligence.
Although The Payment Card Industry Data Security Standard (PCI DSS) has been the gold standard for protecting cardholder data worldwide, most organizations have continually struggled to achieve or maintain compliance. This is primarily due to the complexities of implementing the correct control requirements, especially if you do not have the relevant experience or expertise.
One of the most common misconceptions about PCI DSS compliance is that small businesses don’t have to comply with PCI DSS. Unfortunately, this is not the case. PCI compliance exempts no one. However, that doesn’t mean getting (and staying) compliant has to drain your resources and patience. Here are the most essential things to keep in mind regarding PCI DSS compliance.
From a high-level point of view, a business must typically do three things in order to become (and remain) PCI DSS compliant.
However, implementing these three overarching objectives is much simpler when organizations keep the following steps in mind.
The entire compliance process will hinge on your specific merchant level (as mentioned previously). Merchant levels are determined by particular transaction-volume thresholds, by whether or not you’ve suffered a data breach, and by any additional criteria the card brands apply. Once you’ve confirmed your level, you’ll know which course of action to take in order to ensure compliance.
As a business, knowing which applications, systems, people and processes are exposed to cardholder data is critical. As an organization, to best protect your cardholder data, you must be able to highlight where it needs protecting. It’s crucial to map out where cardholder data moves through (and is stored) in your applications, systems, and people.
This is where the heavy lifting comes into play, which is why most businesses leverage professionals. This step involves implementing the twelve PCI DSS requirements and remediating any vulnerabilities.
Depending on your merchant level, you may have to complete a SAQ (merchant levels 2-4). A SAQ, available on the PCI Security Standards Council website, includes a series of questions designed to determine whether your business meets PCI Data Security Standard requirements. For level 1 merchants, a Report on Compliance (ROC) is necessary; it is used to verify that a merchant is compliant with PCI DSS.
The Attestation of Compliance (AoC) is a declaration of your organization’s compliance with PCI DSS. It serves as documented evidence that your organization’s security practices effectively protect against threats to cardholder data.
You may be compliant today but tomorrow? Who knows. The final step of getting compliant is making sure that you stay compliant. This means that you’re required to consistently monitor security controls and implement continuous risk management to ensure there are no areas of exposure.
It’s important to keep in mind that the journey to compliance heavily depends on your specific merchant level. For example, as you know, if you’re a level one merchant, you’re required to undergo annual 3rd-party audits.
If you’re reaching annual audit time, be sure that you’re clued up on how to prepare for your audit to ensure compliance.
Twelve high-level requirements guide PCI DSS compliance. These requirements were developed and are maintained by The PCI Security Standards Council (SSC). These 12 requirements are all security controls businesses must implement to protect credit card data. Organizations must meet all twelve requirements in order to achieve and maintain compliance. The PCI DSS security controls can be segmented into six overarching control objectives. The control objectives and requirements include the following:
Build and maintain a secure network to prohibit unauthorized access to cardholder data.
Safeguard and protect CHD if stored locally or transmitted to a remote server or service provider.
Create and maintain a vulnerability management program that includes security procedures, policies, internal controls, and penetration testing.
Implement strong access control measures on a business need-to-know basis.
Continuously monitor and test physical and wireless networks to find and remediate vulnerabilities.
Maintain a strong information security policy and inform employees about their responsibilities to protect CHD.
1. Install firewalls and web filtering to protect cardholder data.
2. Change default or vendor-supplied device security configurations.
3. Protect cardholder data stored on company servers or networks.
4. Encrypt and protect cardholder data transmitted over open and public networks.
5. Use and keep up-to-date antivirus and anti-malware software to protect cardholder data.
6. Develop and maintain secure systems and applications. Use secure protocols in all applications.
7. Restrict access to cardholder data by need-to-know.
8. Restrict all access to cardholder data to authenticated users and assign a unique ID to each person with access.
9. Limit physical access to cardholder data through physical hardware and devices.
10. Monitor all access to network resources and especially cardholder data.
11. Regularly evaluate and test the effectiveness of existing security systems and processes.
12. Maintain a policy that addresses information security, is accessible to, and applies to, all personnel.
Although the overall objectives and intent per requirement may seem relatively simple at first glance, as with all things compliance, things tend to get more complicated beneath the surface. So if you’re looking for a more in-depth look into what each requirement entails and what that means for your specific organization, here’s everything on PCI DSS requirements and what your business needs to know.
As the security landscape evolves and threats change along with it, it’s critical that security standards adapt at the same time (preferably quicker). With that in mind, PCI DSS has a new version update – PCI DSS v4.0. This updated version is set to become effective in Q1 of 2024 and has 63 new requirements. However, the PCI SSC has allowed a grace period for adjustment, confirming that some requirements are effective immediately, but the bulk will only become mandatory in March 2025.
The latest version of the PCI DSS is the most significant version update since its original release. Some of the changes include mandatory authenticated vulnerability scans, enforcing multifactor authentication and more frequent scope validation.
Businesses are encouraged to start prepping processes and systems as soon as possible to align with the upcoming version update.
It’s no secret that a shifting workforce and limited budgets have left many compliance teams feeling overwhelmed. In fact, 87% of organizations have reported zero additional capacity to proactively prevent data breaches, monitor compliance or track controls due to being understaffed. Even compliance experts can no longer afford to play catch-up and often drain critical resources simply performing day-to-day compliance-related tasks. The problem? This leaves zero room for actively mitigating risk or keeping threats from slipping through the cracks. What’s the solution? Automation.
In most cases, compliance is non-negotiable and a critical component of your business’s longevity. So naturally, handing over the entire process to an automated platform may feel too risky. However, when it comes to deciding whether you’re going to automate or stick to manual processes, staying as-is is also a risky bet, as you’re essentially settling for the increased costs, work, error and resources that come paired with manual processes.
Needless to say, PCI DSS is no exception to the tedious processes that require all hands on deck when it comes to compliance management. Keeping up with PCI DSS compliance can be a complex and laborious process, leaving very little room for teams to focus on other core business objectives.
So, if compliance management requires such a resource-intensive approach, how are businesses getting compliant up to 90% faster than their competitors? Cue automation – the saving grace when it comes to guaranteeing compliance in a whirlwind of complex requirements.
As compliance is far from a one-time task, automating PCI DSS processes allows businesses to save tons of time on collecting evidence, preparing for audits, and managing their workflows in a centralized platform.
Compliance automation takes a look at the core issues regarding manual processes and how they perpetuate a greater risk of data breaches and non-compliance. Through automation of the PCI DSS compliance journey, businesses can meet all their obligations in one centralized place while simultaneously managing workflows, control evaluations, testing, employee security awareness and remediation plans.
Some of the core benefits include:

Organizations spend more than 15,000 hours completing risk assessments each year. More importantly, most businesses don’t have excess employee time to spare, especially employees with in-depth compliance know-how. Automation streamlines the entire process without having to compromise on accuracy. By replacing manual compliance processes with automated software, businesses can continuously monitor compliance and implement due diligence in one centralized place, improving efficiency and reducing resource-intensive manual tasks that are also prone to human error.

PCI DSS compliance doesn’t only apply to businesses that have designated compliance teams – the scope is extensive and includes small businesses that may not have access to compliance professionals. Automation platforms democratize the process and shorten the learning curve. Through easy-to-navigate dashboards and functionalities, businesses can gain a holistic view of all business processes and controls without having to navigate the complexities of compliance by themselves.

The cost of non-compliance can drastically affect a business’s reputation, growth and profitability. Manual processes drain resources and are prone to human error, frequently leading to vulnerabilities that are hard to spot but easy to exploit. In addition, in the event of a data breach, not only can your business be subject to PCI DSS fines and penalties, but the reputational loss significantly impacts business opportunities moving forward. The right automation platform can not only get you compliant up to 90% faster but helps businesses mitigate risk, eliminate human error, protect their reputation, and free-up valuable resources to focus on other critical business objectives – all improving the bottom line.
Ready for a quick pop quiz? No worries, we won’t put you on the spot. However, to best navigate the process of PCI DSS compliance, there are a few things all businesses need to make sure that they’re aware of.
PCI DSS compliance is mandatory as per the contract between merchants and payment companies. However, it is not a regulatory requirement. This means that in order to process payments via card brands (Visa, MasterCard, etc.) and the relevant banks that handle the payment processing, your business must be PCI DSS compliant. If you’re non-compliant, you can still face heavy financial penalties, although no civil charges will apply.
Yes. Debit cards, along with any credit and prepaid cards issued by one of the five PCI SSC members (Visa, MasterCard, Discover, American Express and JCB International), must comply with PCI DSS.
Good question! Generally, no, unless a bank account number is also a primary account number (PAN) or contains the PAN. Other bank account information is not considered Payment Card Information and does not have to comply with PCI DSS. This includes branch identification numbers, bank account numbers, sort codes, routing numbers, etc.
Yikes, that’s not the case. Regardless of whether or not you store credit card data, if you accept credit or debit cards as a form of payment, then PCI DSS compliance applies to you.
According to the PCI Security Standards Council (SSC), cardholder data consists of the full Primary Account Number (PAN), or the full PAN along with any of the following:
Cardholder name, expiration date, service code, as well as all sensitive authentication data such as the full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs and PIN blocks.
PCI DSS compliance applies to entities that process, accept, transmit or store payment card information – irrespective of their size or transaction volume. This means that PCI DSS applies to merchants, issuers, acquirers, and processors.
Do you have more questions about PCI DSS that we didn’t cover? Then, fire away – our compliance experts have your back.
Whether you’re new to PCI DSS or whether you’ve been playing compliance catch-up for years, it’s time to stop settling for processes that drain valuable time, resources and energy. Instead, simplify your PCI DSS compliance with everything you need to get PCI DSS compliant in one place and 90% faster.
Start breaking down complicated PCI DSS processes one click at a time, with PCI DSS risk assessments, security awareness training, automated evidence collection and control monitoring and policy builders.
Take back control and compliance without the hassle.