PCI DSS Compliance: All You Need to Know

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect their payment systems from data breaches, fraud, and theft of cardholder data. It resulted from a need to standardize and align the security requirements of the world’s biggest card brands: American Express, Discover, JCB, MasterCard, and Visa. Together, the five companies created the Payment Card Industry Security Standards Council (PCI SSC) tasked with supervising the evolution and development of PCI DSS.

While not legally binding and not superseding any county, state, or local laws, the PCI Data Security Standard was adopted as a general standard by financial institutions worldwide. This means that compliance is required for any organization that accepts credit or debit card payments, whether in person, over the phone, or online.

PCI DSS version 4.0 was released on 31 March 2022. The updated security payment standard’s goal is to address emerging threats and technologies and enable innovative methods to combat new threats to customer payment information. Based on the concept of zero trust, PCI DSS 4.0 introduces new requirements such as the mandatory use of automated mechanisms to protect against phishing and web application firewalls. There will be a two-year transition period from PCI DSS version 3.2.1, which will be retired on 31 March 2024.

PCI DSS is made up of twelve core compliance requirements and nearly 200 associated security controls. They include both basic security measures such as the use of firewalls, antivirus software, and changing default passwords and more complex ones that involve the development and maintenance of secure networks, systems, and applications.

Who does PCI DSS apply to?

PCI DSS applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. Organizations that store, process, or transmit card information and/or sensitive authentication data also fall under its incidence.

Organizations that outsource their operations to third-party payment processors are responsible for ensuring that credit card data continues to be protected and third parties are PCI DSS compliant.

What type of data does PCI DSS protect?

PCI DSS protects two categories of data: cardholder information and sensitive authentication data. Cardholder data refers to information such as primary account numbers, cardholder name, card expiration date, and service code. Sensitive authentication data, meanwhile, includes full track data (magnetic-stripe data or equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID).

Storing cardholder data

Under PCI DSS requirement 3.2, any data that falls under the sensitive authentication data category cannot be stored, even if encrypted. All sensitive authentication data received should be rendered unrecoverable when the authorization process is complete.

Primary account numbers can be stored but must be made unreadable everywhere, including on portable digital media, in backup files and logs. The PCI Security Standards Council recommends key-based encryption, index tokens and pads, one-way hashes, and truncation to achieve unreadability.

However, the Council warns that, since a hashed and truncated version of the same account number can be used to reconstruct the original number, if a merchant uses both, additional security measures must be put in place to avoid malicious outsiders from correlating the numbers.

Meanwhile, cardholder names, expiration dates, and service codes can be stored and do not need to be made unreadable, but storage must be kept to a minimum, and clear data retention and disposal policies must be put into place.

Twelve core PCI DSS requirements

PCI DSS provides a baseline of technical and operational requirements designed to protect account data. They are divided into twelve requirements that together encompass nearly 200 security controls:

1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components, and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs

PCI DSS offers not only a detailed description of each requirement and why it is needed but also how it can be tested and offers guidance on how compliance with it can be achieved. Besides firewalls and antivirus software, organizations looking to avoid noncompliance can also apply strong access control measures and information security policies to limit access to card information.

To protect stored account data, companies can turn to Data Loss Prevention (DLP) solutions. These tools prevent data leakage through DLP policies that identify, monitor, and control the transfer and storage of files containing sensitive information such as personally identifiable information (PII) and account data. DLP tools support regulatory compliance with standards like PCI DSS but also data protection laws such as GDPR or HIPAA.

PCI DSS Compliance Levels

PCI DSS established four compliance levels for organizations. The level depends on how many card transactions per year a company processes. To fall under the strictest level of PCI DSS compliance, Level 1, merchants need to process over 6 million card transactions yearly.

Level 1 organizations need to provide a yearly Report on Compliance (RoC) which involves an audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) certified by the PCI Security Standards Council. The auditor submits the RoC to the organization’s acquiring institutions to demonstrate its compliance. They must also undergo an annual network scan by an approved scanning vendor (ASV).

For levels 2 to 4, merchants can complete a Self-Assessment Questionnaire (SAQ) with multiple versions to accommodate different types of businesses and processing methods. Requirements for these levels, however, may differ depending on the card scheme: MasterCard, for example, requires Level 2 organizations to complete their SAQ with the assistance of a trained QSA or ISA.

Penalties

Organizations found to be non-compliant with PCI DSS requirements face fines of up to $100,000/month and increased transaction fees. Worst still, they can have their relationship with their bank permanently terminated and might wind up on the Merchant Alert to Control High-Risk (MATCH) list, which means they would never be allowed to process card payments again. Merchants that suffer a data breach can also be penalized by having their PCI DSS compliance level raised.