All You Need to Know about PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect their payment systems from breaches, fraud, and theft of cardholder data. It resulted from a need to standardize and align the security requirements of the world’s biggest card brands: American Express, Discover, JCB, MasterCard, and Visa. Together, the five companies created the Payment Card Industry Security Standards Council (PCI SSC) tasked with supervising the evolution and development of PCI DSS.
While not legally binding, the PCI Data Security Standard has been adopted as a general standard by financial institutions across the world, which means that compliance is required for any organization wishing to accept credit or debit card payments, whether in person, over the phone, or online.
The latest version of PCI DSS, issued in May 2018, is made up of twelve core compliance requirements and nearly 250 associated security controls. They include both basic security measures such as the use of firewalls, antivirus software, and changing default passwords and more complex ones that involve the development and maintenance of secure networks, systems, and applications.
Who does PCI DSS apply to?
PCI DSS applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. Organizations that store, process, or transmit cardholder data and/or sensitive authentication data also fall within its scope.
Organizations that outsource their operations to third-party payment processors remain responsible for ensuring that credit card data continues to be protected and that those third parties are themselves PCI DSS compliant.
What type of data does PCI DSS protect?
PCI DSS protects two categories of data: cardholder information and sensitive authentication data. Cardholder data refers to information such as primary account numbers, cardholder name, card expiration date, and service code. Sensitive authentication data meanwhile includes full track data (magnetic-stripe data or equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID).
Storing cardholder data
Under PCI DSS requirement 3.2, any data that falls under the sensitive authentication data category cannot be stored, even if encrypted. All sensitive authentication data received should be rendered unrecoverable as soon as the authorization process is complete.
Primary account numbers can be stored but must be made unreadable everywhere, including on portable digital media, in backup files and logs. The PCI Security Standards Council recommends key-based encryption, index tokens and pads, one-way hashes, and truncation to achieve unreadability.
However, the Council warns that a hashed and a truncated version of the same account number can be combined to reconstruct the original number. If a merchant stores both, additional security measures must be put in place to prevent malicious outsiders from correlating the two values.
Meanwhile, cardholder names, expiration dates, and service codes can be stored and do not need to be made unreadable.
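The storage rules above translate directly into code. The following is an added Python example (standard library only; it is not code from the page or from the PCI SSC) that scrubs sensitive authentication data from a post-authorization record, truncates the PAN to first six/last four, and hashes it with a keyed HMAC instead of a bare hash. The `residual_search_space` helper shows why the Council's warning matters: a stored truncation of a 16-digit PAN leaves only six unknown digits, and the Luhn check digit fixes one of them, so an unkeyed hash stored next to it protects a search space of just 100,000 candidates. The sample PAN is the widely published Visa test number; the field names and the in-memory key are assumptions made for the demo.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values for the demo; not real card data.
SAMPLE_PAN = "4111111111111111"      # widely published Visa test number
HASH_KEY = secrets.token_bytes(32)   # in production the key lives in an HSM/KMS, never beside the data

# Sensitive authentication data (PCI DSS 3.2): never stored after authorization, even encrypted.
# Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "pin", "pin_block", "track1", "track2"}


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check that the PAN is 13-19 digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def unkeyed_hash_pan(pan: str) -> str:
    """Plain SHA-256 of the PAN: shown only as the weak form to compare against."""
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA256 with a secret key: one-way, and not recomputable without the key."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def residual_search_space(truncated: str) -> int:
    """Number of full PANs consistent with a stored truncation.
    Each masked digit contributes a factor of 10; the Luhn check digit (part of the
    visible last four) fixes one of them, dividing the count by 10.
    """
    masked = truncated.count("*")
    return 10 ** masked // 10


def scrub_after_authorization(record: dict) -> dict:
    """Turn a post-authorization transaction record into a storable one:
    drop sensitive authentication data, replace the PAN with truncation plus keyed hash,
    and keep name/expiry/service code, which PCI DSS allows in the clear.
    """
    kept = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = kept.pop("pan")
    kept["pan_truncated"] = truncate_pan(pan)
    kept["pan_hmac"] = keyed_hash_pan(pan)
    return kept


if __name__ == "__main__":
    tx = {"pan": SAMPLE_PAN, "cvv2": "123", "track2": "(track data)",
          "cardholder_name": "J. Doe", "expiry": "12/26"}
    stored = scrub_after_authorization(tx)
    print(stored)
    print("PANs consistent with", stored["pan_truncated"], "=",
          residual_search_space(stored["pan_truncated"]))
```

Keeping the key out of the database is the whole point: an attacker who obtains both the truncated PAN and an unkeyed SHA-256 value can simply hash each of the 100,000 candidates, whereas the HMAC value cannot be reproduced without the key held in the key manager.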
Twelve core PCI DSS requirements
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. They are divided into twelve requirements that together encompass nearly 250 security controls:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
For each requirement, PCI DSS provides not only a detailed description and the reason it is needed, but also how it can be tested, along with guidance on how compliance can be achieved. Besides firewalls and antivirus software, organizations looking to avoid noncompliance can also apply strong access control measures and information security policies to limit access to card information. Solutions such as Data Loss Prevention (DLP) software can also support data protection efforts by monitoring and controlling the transfer of cardholder data such as card numbers, names, and expiration dates.
PCI DSS Compliance Levels
PCI DSS established four compliance levels for organizations. The level depends on how many card transactions per year a company processes. To fall under the strictest level of PCI DSS compliance, Level 1, merchants need to process over 6 million card transactions yearly.
Level 1 organizations need to provide a yearly Report on Compliance (RoC), which involves an audit performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) certified by the PCI Security Standards Council. The auditor submits the RoC to the organization’s acquiring institutions to demonstrate its compliance. Level 1 organizations must also undergo an annual network scan by an Approved Scanning Vendor (ASV).
For Levels 2 to 4, merchants can complete a Self-Assessment Questionnaire (SAQ), which comes in multiple versions to accommodate different types of businesses and processing methods. Requirements for these levels may, however, differ depending on the card scheme: MasterCard, for example, requires Level 2 organizations to complete their SAQ with the assistance of a trained QSA or ISA.
Organizations found to be non-compliant with PCI DSS requirements face fines of up to $100,000 per month and increased transaction fees. Worse still, they can have their relationship with their bank permanently terminated and may end up on the Merchant Alert to Control High-Risk (MATCH) list, which means they would never be allowed to process card payments again. Merchants that suffer a data breach can also be penalized by having their PCI DSS compliance level raised.
Frequently Asked Questions
Knowing exactly how cardholder data is being processed, stored, and transferred is a fundamental requirement for an effective PCI DSS compliance strategy. Requirement 3 of PCI DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organizations must therefore map their data flows and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.
Under requirement 7 of PCI DSS, access to data must be restricted to authorized personnel only. Companies must evaluate which of their employees need access to card data to fulfill their job responsibilities and then use the proper tools and processes to limit access based on business needs.
Data Loss Prevention (DLP) solutions are some of the most useful tools for PCI DSS compliance on the market. Because their policies are applied directly to sensitive data rather than to devices or the whole network, they ensure that cardholder information is identified, logged, and controlled to meet PCI DSS requirements.
DLP solutions also include data discovery features that can scan networks, automatically or on demand, for credit card information and encrypt or delete it when it is found on unauthorized users’ computers.
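The discovery scans described in the two passages above come down to finding card numbers in places they should not be. Below is an added Python example (written for this page, not the code of any DLP product) of the core of such a scanner: a pattern for 13-19 digit sequences with optional spaces or dashes, a Luhn checksum to discard look-alikes such as order numbers, and output that reports only masked values so the scan results themselves do not become cardholder data. The log excerpt is constructed for the demo; the two card numbers in it are published test numbers.

```python
import re

# Constructed log excerpt for the demo; the card numbers are published test numbers, not real accounts.
SAMPLE_TEXT = """\
2024-05-02 10:12:07 checkout: card=4111 1111 1111 1111 exp=12/26 status=approved
2024-05-02 10:12:09 support note: customer phone +1 555 0100 2345, order ORD-20240115123456
2024-05-02 10:13:44 debug: raw_pan=5500000000000004 name="J. Doe"
2024-05-02 10:14:01 checkout: card=4111111111111112 status=declined
"""

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four visible, the rest masked (PCI DSS display/truncation form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_pans(text: str) -> list:
    """Return one finding per Luhn-valid candidate, keyed by line number, with the PAN masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append({"line": line_no, "masked": mask_pan(digits)})
    return findings


def redact_pans(text: str) -> str:
    """Rewrite the text with every Luhn-valid card number replaced by its masked form."""
    def _replace(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['masked']}")
    print(redact_pans(SAMPLE_TEXT))
```

On the sample, the date stamps, the phone number and the order identifier are all rejected (too few digits or a failed Luhn check), while the two valid test numbers on lines 1 and 3 are reported; the declined number on line 4 fails Luhn and is left alone. A production scanner would add file-system and database walkers around this core, but the regex-plus-Luhn filter is what keeps the false-positive rate workable.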