What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure the protection of cardholder data and secure payment card transactions. The framework was established by the Payment Card Industry Security Standards Council (PCI SSC), an organization founded by the five major payment card brands: Visa, Mastercard, American Express, Discover, and JCB International. As such, the PCI DSS requirements are mandatory for their respective stakeholders.
All merchants, service providers, and any other entities that process, handle, store, or distribute cardholder data must follow the PCI DSS international standard. This applies to a wide range of industries, such as those in retail, banking, healthcare, distribution, development, and point-of-sale (POS) vendors. Essentially, any company that accepts or handles credit cards must comply with PCI.
The PCI DSS framework has undergone several revisions and updates since its initial release in 2004. The most recent major update, version 4.0, was released in March 2022. Currently, we are in the transition period from v3.2.1, which will remain active for two years until March 2024. As of March 31, 2024, PCI DSS v3.2.1 will officially retire, and v4.0 will become the only active version of the standard. However, many of the new 4.0 requirements have been identified as best practices until March 2025, after which they will become mandatory. Prior to this date, organizations are not required to validate these new requirements.
What are the requirements for PCI DSS?
Although PCI DSS compliance is not mandated by law, it is required by the payment card companies as part of their contractual agreements. Any company of scale that accepts payment cards is obligated to comply with PCI DSS to maintain a secure environment for cardholder data.
The PCI framework outlines common-sense protection measures that are aligned with industry best practices. It consists of twelve high-level requirements divided into six categories. The revised PCI v4.0 requirements are as follows:
Build and Maintain a Secure Network and Systems
- Install and Maintain Network Security Controls.
- Apply Secure Configurations to All System Components.
Protect Cardholder Data
- Protect Stored Account Data.
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
Maintain a Vulnerability Management Program
- Protect All Systems and Networks from Malicious Software.
- Develop and Maintain Secure Systems and Software.
Implement Strong Access Control Measures
- Restrict Access to System Components and Cardholder Data by Business Need to Know.
- Identify Users and Authenticate Access to System Components.
- Restrict Physical Access to Cardholder Data.
Regularly Monitor and Test Networks
- Log and Monitor All Access to System Components and Cardholder Data.
- Test Security of Systems and Networks Regularly.
Maintain an Information Security Policy
- Support Information Security with Organizational Policies and Programs.
PCI DSS Compliance Levels
PCI compliance is divided into four levels according to the annual volume of credit or debit card transactions a company handles. Each classification level contains a different set of requirements.
Level 1: Level 1 merchants process more than six million credit or debit card transactions each year. Entities at level 1 must comply with all twelve requirements. To demonstrate compliance, an external audit by a Qualified Security Assessor (QSA) is necessary. Once that is completed, the assessor provides a Report on Compliance (ROC) to the organization’s acquiring bank. In addition, these companies must have a vulnerability scan performed by an Approved Scanning Vendor (ASV) once per quarter.
An assessment by a QSA or an ISA (Internal Security Assessor) is part of the external audit. They’ll conduct an on-site assessment of your company to:
- Validate the scope of the assessment;
- Examine your paperwork and technical data;
- Check to see if the PCI DSS standards have been met;
- Provide assistance and direction throughout the compliance process; and
- Assess compensating controls or customized controls (if applicable).
Level 2: This level pertains to businesses that process between one and six million credit or debit card transactions per year in the real world. They must conduct an annual assessment using a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) to the acquiring bank. On a quarterly basis, an official vulnerability scan might be required.
Level 3: Merchants who process between 20,000 and one million e-commerce transactions each year fall into this category. They must undertake an annual assessment using an SAQ and submit it to the acquiring bank along with an AOC. An official vulnerability scan may be required on a quarterly basis.
Level 4: Level 4 covers merchants who conduct fewer than 20,000 e-commerce transactions or up to one million in-person transactions per year. A yearly self-assessment must be completed and submitted to the acquiring bank, along with an AOC, and a quarterly vulnerability scan may be required.
If your organization falls under level 2, 3, or 4, you are not required to undergo an external audit. Instead, you must complete a Self-Assessment Questionnaire (SAQ). SAQs are PCI DSS compliance validation tools for merchants and service providers who are not expected to undergo on-site assessments. There are nine different SAQs available for various merchant environments, including e-commerce environments and environments with PCI-listed Point-to-Point Encryption (P2PE) solutions. Most SAQs include only the subset of PCI DSS requirements that are applicable to a given environment. The requirements necessary to validate compliance are defined by the number of annual transactions, the potential harm of a compromise, and the exposure the environment introduces into the payment system. To determine whether you are eligible to complete an SAQ, and if so, which SAQ is appropriate, contact the payment brands or your acquiring bank.
Why should you be PCI DSS compliant?
PCI DSS compliance is not only a contractual obligation that helps deter payment fraud; it also provides best practices for identifying, preventing, and responding to data breaches in which cardholder data is exposed.
Achieving PCI DSS compliance also instills trust and confidence among customers and partners. Being compliant demonstrates a commitment to data security, which can enhance the organization’s reputation and attract more customers. It can also open up new business opportunities, as many stakeholders, particularly in the payment card industry, require compliance with PCI DSS as a prerequisite for partnership or collaboration.
On the other hand, organizations can suffer serious consequences for failing to comply with PCI DSS. Non-compliance may result in financial penalties imposed by payment card companies, which can be substantial. Merchants and payment processors that aren’t PCI compliant could face fines ranging from thousands to hundreds of thousands of dollars. Moreover, a data breach brought on by inadequate security measures can lead to legal and regulatory repercussions, lawsuits, and the loss of customer trust. In some cases, non-compliant organizations may face limitations on their ability to process payment card transactions, hindering their business operations and growth potential.
How to achieve PCI DSS compliance?
Achieving compliance with PCI DSS may seem daunting, but it doesn’t have to be. With the assistance of the Centraleyes platform, the path to compliance becomes streamlined and efficient. The platform offers a comprehensive set of tools and features to guide organizations through the necessary steps, enabling them to achieve PCI DSS compliance quickly and effectively.
To begin the journey towards compliance, organizations can leverage Centraleyes’ built-in questionnaires and templates, which cover both the regular PCI DSS questionnaire and the nine Self-Assessment Questionnaires (SAQs). These questionnaires provide a structured approach to assessing and addressing compliance requirements based on your specific cardholder data handling processes.
Centraleyes automates data collection and analysis, allowing organizations to gather the necessary evidence and documentation required by PCI DSS. The platform also provides real-time customized scoring, enabling organizations to track their progress and identify areas that require attention and remediation. By prioritizing remediation guidance, Centraleyes ensures that organizations can focus on the most critical tasks to expedite their path to compliance.
One of the key advantages of using Centraleyes is its smart mapping feature. This functionality links the PCI DSS questionnaire to the platform’s control inventory, facilitating seamless information sharing across various frameworks. As a result, organizations can save valuable time and resources while improving the accuracy of their compliance data.
With the Centraleyes platform, organizations gain complete visibility into their cyber risk levels and compliance status. The platform generates comprehensive reports that aid in audit preparation, providing a clear picture of the organization’s compliance posture. Through automated tasks, comprehensive questionnaires, prioritized remediation guidance, and real-time scoring, organizations can efficiently navigate the requirements of PCI DSS and achieve compliance in a timely manner.
Centraleyes is soon to release a new feature for generating official PCI DSS reports directly from PCI data. From your PCI data collection, users will be able to effortlessly obtain in-depth reports in the official PCI format. These reports can be submitted to the requesting organization (payment brands, acquirers, etc.) or shared with auditors, ensuring compliance and instilling confidence. Contact us for updates on this exciting development.