PCI Compliance: A Quick Guide

The Payment Card Industry Data Security Standard (PCI-DSS) is a binding set of requirements for any organization that processes or stores credit card information. We’ll briefly review PCI compliance and its main requirements, and provide a list of easy best practices you can implement in your organization to comply with the PCI standards.

This is part of an extensive series of guides about compliance management.


What Is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to any company storing, processing, or transmitting credit card data. It drives the comprehensive adoption of consistent data security measures. Web companies must follow the requirements of the PCI DSS, which include a variety of measures, such as hosting the data with a PCI-compliant host. PCI DSS is maintained by an organization (the PCI Security Standards Council) formed by the major credit card companies, such as Visa, Mastercard, Discover, and American Express.

The main goal of PCI compliance is to reduce the opportunities for attack. This involves using a secure Cardholder Data Environment (CDE), and it applies regardless of whether you use your in-house environment or a third-party secure payment option. This is especially important for e-commerce sites, which rely exclusively on the transfer of payment card data over the internet.

Some risks involving e-commerce websites include:

  • Credit card fraud – attackers make purchases using stolen credit cards or credit card numbers.
  • Identity theft – attackers pretend to be someone else and make purchases using their credentials.
  • Credit card hijacking – attackers redirect customers to a fake shopping cart, hijack their session, or use other means to compromise credit card data.

Any e-commerce organization’s security strategy requires a continuous effort to ensure compliance. Compliance with PCI affects not only merchants but also universities, banks, municipalities, or in fact any organization from the public or private sector that handles credit card data. Since early 2019, this includes software developers that design software or web applications that accept credit card payments.


What Happens If You’re Not PCI Compliant?

If a company is found non-compliant with PCI-DSS, the penalties and consequences range from fines to the loss of permission to accept credit card payments.

Some of the penalties include:

  • Inability to accept payments by credit card – the most severe penalty for many businesses is the inability to accept payments by credit card at all. This can create massive financial losses, loss of market share, and damage to reputation. An organization suffering this penalty needs to undergo a PCI reassessment by an external Qualified Security Assessor (QSA) to regain permission to process payments.
  • Fines – the penalty for a non-PCI compliant website typically ranges from $86,000 to $4 million.
  • Mandatory forensic examination – when a data breach is suspected, merchants are required to undergo a mandatory forensic examination, which can cost between $20,000 and $50,000 for a Level 2 merchant (1-6 million annual transactions), and upward of $120,000 for a Level 1 merchant (6+ million annual transactions).
  • Liability for fraud charges – following a security breach, a company is exposed to lawsuits, as it is the merchant’s responsibility to keep its customers’ sensitive information safe.

PCI Compliance Requirements

The PCI DSS is composed of six goals and twelve requirements, as follows:

Goal #1: Build and maintain a secure network

Requirements:

  1. Maintain a firewall configuration
  2. Ensure unique, original system passwords

Goal #2: Protect cardholder data

Requirements:

  1. Protect stored cardholder data
  2. Encrypt cardholder data transmitted across public networks

Goal #3: Maintain a vulnerability management program

Requirements:

  1. Use anti-virus software and keep it updated
  2. Develop secure systems and applications

Goal #4: Implement strong access control measures

Requirements:

  1. Restrict cardholder data on a need-to-know basis
  2. Assign a unique ID to each person in the organization with computer access
  3. Restrict physical access to cardholder data

Goal #5: Monitor and test networks

Requirements:

  1. Track and monitor any access to cardholder data and relevant network resources
  2. Regularly test security systems and processes

Goal #6: Maintain an information security policy

Requirements:

  1. Create an information security policy and enforce it in the organization
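Requirements 7, 8 and 10 above (need-to-know access, unique IDs, and tracking every access to cardholder data) are only useful if someone actually reads the audit trail. The following is an added example, not code from this guide or from Exabeam, of the kind of detection logic a monitoring pipeline runs over cardholder-data access logs. The log format, the resource prefix `cde-db/`, the authorized-user set and the shared-account list are all assumptions constructed for the example; a real deployment would take them from the organization's access-control policy.

```python
import re
from collections import Counter

# Constructed sample audit log (not real data). The line format is assumed
# for this example: <ISO timestamp> user=<id> src=<ip> res=<resource>
# action=<verb> result=<ok|fail>
SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=jdoe src=10.0.5.21 res=cde-db/cardholders action=read result=ok
2024-03-01T09:15:44Z user=shared_pos src=10.0.7.9 res=cde-db/cardholders action=read result=ok
2024-03-01T09:20:10Z user=mlee src=10.0.5.30 res=cde-db/cardholders action=read result=fail
2024-03-01T09:20:15Z user=mlee src=10.0.5.30 res=cde-db/cardholders action=read result=fail
2024-03-01T09:20:21Z user=mlee src=10.0.5.30 res=cde-db/cardholders action=read result=fail
2024-03-01T09:20:27Z user=mlee src=10.0.5.30 res=cde-db/cardholders action=read result=ok
2024-03-01T10:02:51Z user=jdoe src=10.0.5.21 res=crm/tickets action=read result=ok
2024-03-01T23:41:09Z user=rsmith src=10.0.5.44 res=cde-db/cardholders action=export result=ok
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"res=(?P<res>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Assumed policy inputs (constructed for the example):
# - resources under this prefix hold cardholder data (the CDE)
# - accounts entitled to cardholder data on a need-to-know basis (Req. 7)
# - generic/shared account names that violate the unique-ID rule (Req. 8)
CDE_PREFIX = "cde-db/"
AUTHORIZED_CDE_USERS = {"jdoe", "rsmith"}
SHARED_ACCOUNTS = {"admin", "root", "shared_pos"}
FAILURE_THRESHOLD = 3  # failures in a row before a later success is suspicious


def parse_log(text):
    """Parse the audit log into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def cde_access_by_user(events):
    """Req. 10 tracking: count successful accesses to cardholder data per user ID."""
    counts = Counter()
    for e in events:
        if e["res"].startswith(CDE_PREFIX) and e["result"] == "ok":
            counts[e["user"]] += 1
    return dict(counts)


def detect(events):
    """Return (rule, timestamp, user) alerts for policy violations in the events."""
    alerts = []
    fail_streak = Counter()  # consecutive failures per (user, source address)
    for e in events:
        cde = e["res"].startswith(CDE_PREFIX)
        key = (e["user"], e["src"])
        if cde and e["user"] in SHARED_ACCOUNTS:
            # Shared credentials make the trail unattributable to a person.
            alerts.append(("shared_account_cde_access", e["ts"], e["user"]))
        elif cde and e["user"] not in AUTHORIZED_CDE_USERS and e["result"] == "ok":
            # Successful access outside the need-to-know set.
            alerts.append(("unauthorized_cde_access", e["ts"], e["user"]))
        if e["result"] == "fail":
            fail_streak[key] += 1
        else:
            if cde and fail_streak[key] >= FAILURE_THRESHOLD:
                # A success right after repeated failures deserves a review.
                alerts.append(("success_after_repeated_failures", e["ts"], e["user"]))
            fail_streak[key] = 0
        if cde and e["action"] == "export":
            # Bulk export of cardholder data is always worth an alert.
            alerts.append(("cde_bulk_export", e["ts"], e["user"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("CDE accesses per user:", cde_access_by_user(evs))
    for rule, ts, user in detect(evs):
        print(f"ALERT {rule} at {ts} by {user}")
```

The four rules map directly onto the requirements: the shared-account and unauthorized-access checks enforce Goals 4 and the unique-ID rule, the export and failure-streak checks are the kind of review Requirement 10 expects, and the per-user counts are the evidence an assessor asks for when verifying that access is tracked.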

PCI Compliance Checklist – Achieving PCI DSS Compliance

To comply with the PCI DSS, an organization should follow three steps:

  • Assess – identify the cardholder data, take an inventory of the technology and business processes that touch it, and analyze them for vulnerabilities.
  • Remediate – once detected, fix the vulnerabilities and don’t store unnecessary cardholder data.
  • Report – document and submit remediation validation reports, as well as compliance reports, to the bank and card brands involved.

PCI Compliance Best Practices

The following best practices can help you improve security measures, to more easily comply with PCI-DSS security requirements.

Use a firewall – Per the first requirement, you’ll need to install a reliable firewall to protect your network and run regular testing to ensure it remains effective.

Do not use default passwords – To be PCI compliant, you must ensure all devices and user accounts use passwords that are unique and include lowercase and uppercase letters, numbers, and symbols, to make them more secure.

Use both digital and physical measures to protect cardholder data – The PCI standard requires you to put in place electronic and physical barriers to prevent unauthorized access to cardholder data. These barriers may include authentication protocols, strong password policies, locked servers and locked cabinets for sensitive physical data. A related measure is restricting access to cardholder data and encrypting the transmission of cardholder information.

Create and enforce a security policy – A security policy should be drafted, supported by management, and made known across the organization, as well as to third-party vendors and customers. You should include a summary of how you protect customer data, explaining password and access requirements.

Establish an incident response process – Have a clear process for detecting, remediating, mitigating and recovering from security incidents.

Keep track of changes – Identify and review changes made to processes or technologies affecting cardholder data. Establish change controls, identifying the impact on compliance for every change.

Keep software patched and install security updates – Many of the world’s biggest security breaches resulted from an exploit of a known software vulnerability. Keeping software up to date, scanning systems for vulnerabilities and remediating them, is a critical defensive measure.


Conclusion

Not complying with PCI standards can result in heavy fines and other consequences, such as loss of business. A Ponemon Institute study showed that more than half of customers lost trust in an organization after it suffered a data breach, and 31 percent terminated their relationship with the organization after a breach.

Complying with PCI DSS standards is critical for the survival and success of any organization, especially those in the e-commerce industry.
