What is PCI compliance?
PCI compliance is compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of standards that was created for the purpose of ensuring that every company that processes, stores, or transmits credit card information does so while maintaining a secure environment. SOC 2 which also an importance role and is a much larger regulator body than PCI compliance as it regulates customer data.
PCI compliance is regulated, administered, and managed by the Payment Card Industry Security Standards Council (PCI SSC) which is an independent organization that was established by MasterCard, Visa, American Express, and JCB. The responsibility for enforcing compliance lies with the payment brands and acquirers instead of the PCI Security Standards Council.
Is PCI compliance mandatory?
PCI DSS is not a law, it’s a standard. But, it’s mandated by the contract that your company signs with the card companies as well as the banks that handle payment processing.
In these contracts, you agree to be subject to fines if you fail to comply with PCI DSS. The fines would be larger for companies that have a higher volume of payments.
What tools and resources are available from the PCI SSC?
The PCI SSC has made the following tools and resources available:
- Self-Assessment Questionnaires to aid organizations in assessing and validating their PCI DSS compliance.
- PIN Transaction Security (PTS) requirements that device vendors and manufacturers must comply with, along with a list of approved PIN transaction devices.
- Payment Application Data Security Standard (PA-DSS) as well as a list of Validated Payment Applications to assist software vendors and others in creating and developing secure payment applications.
- Lists of Qualified Security Assessors (QSAs).
- Lists of Payment Application Qualified Security Assessors (PA-QSAs).
- Lists of Approved Scanning Vendors (ASVs).
- An education program for Internal Security Assessors (ISAs).
What are the requirements for PCI DSS compliance?
There are 12 requirements for PCI DSS compliance. These are:
Using and maintaining firewalls
Firewalls can be considered to be the first line of defense against hackers. They prevent foreign or unknown entities from getting access to private data. They are a major requirement for PCI DSS compliance because of how effective they are at preventing unauthorized access.
Ensuring proper password protection
A lot of point of sale (POS) systems, modems, routers, and other third-party products tend to have generic passwords and security measures that can easily be bypassed.
A large number of businesses do not even bother to secure these vulnerabilities. To be PCI compliant, you need to create and maintain a list of all your devices and software that need a password or any other security to access. You also need to take precautions and put necessary configurations in place (like changing your password after certain intervals).
Safeguarding cardholder data
This is a two-fold process. First, the card data needs to be encrypted using specific algorithms. The encryption keys themselves also need to be encrypted.
You also need to regularly maintain and scan primary account numbers (PANs) to make sure that there is no unencrypted data.
Encrypting transmitted data
Cardholder data gets transmitted across several channels. It must be encrypted when it is sent to known locations. Besides, sending this information (especially account numbers) to unknown locations should always be avoided.
Using and maintaining antivirus software
All devices that interact with or store primary account numbers need to be protected with antivirus software. The antivirus software should be patched and updated regularly.
Even your POS provider needs to employ antivirus measures where you cannot directly install the software.
Properly updating software
You should update all the software that your business uses on a regular basis. However, updating all the software on devices that interact with or store cardholder data is mandatory for compliance purposes.
Restricting data access
Data access should be granted solely on a need-to-know basis. Nobody who does not require access to this information should have it
There should be a comprehensive and regularly updated list of the roles that do require access to this data.
Using unique IDs for access
Everyone who has access to cardholder data should have their own credentials which they use to access the data. Instances of multiple employees using the same credentials should not arise.
This makes it possible to take action and fix issues faster if your data is compromised.
Restricting physical access
All cardholder data must be physically stored in secure locations. Access to this location needs to be limited.
Creating and maintaining access logs
You need to maintain a log of all activity dealing with cardholder data and primary account numbers. Document how data flows in your organization and how many times access is needed.
You need to keep a track of who accesses the sensitive information and when they access it. You should also use appropriate software to log access.
Scanning and testing for vulnerabilities
You need to scan and test your software, physical locations, and employees for vulnerabilities on a regular basis to reduce the chances of malfunctions, and human error.
The lists of equipment, software, and the employees that have access need to be thoroughly documented. You also need to document how data flows through your company, where you store it, and how you use it after the point of sale.
What are the benefits of PCI compliance?
The benefits of PCI compliance are:
- It instills confidence in your customers, making them feel safe trusting you with their card information. This would even encourage your customers to make repeat purchases, thus building customer loyalty.
- It improves your reputation with acquirers and payment brands.
- Putting these security measures in place helps you prevent security breaches and payment card data theft.
- It helps you improve your IT infrastructure efficiency.
- It provides the base for complying with additional regulations and standards like HIPAA, SOX, etc.
What are the different levels of PCI compliance?
There are 4 PCI DSS compliance levels. These levels are determined by the number of transactions that the organizations handle on a yearly basis. The levels are:
Companies that handle upwards of 6 million transactions on a yearly basis.
Companies that handle between 1 and 6 million transactions annually.
Companies that handle 20,000 to 1 million transactions annually.
Companies that handle less than 20,000 transactions annually.