
PCI Security: 7 Steps to Becoming PCI Compliant


    If your business stores, processes or transmits credit card payments, you must comply with PCI DSS. The standard's 12 high-level requirements may look simple, but they break down into hundreds of detailed sub-requirements and testing procedures.

    Complying with them means adopting and adhering to a rigorous information security policy. This explainer covers what PCI compliance is, provides a PCI compliance checklist, and walks through the basic steps that can help you become PCI compliant.

    About this Explainer:

    This content is part of a series about PCI Compliance.

    Recommended Reading: What Is SIEM, Why Is It Important and 13 Key Capabilities.


    What is PCI Compliance?

    PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI Security Standards Council, which was founded by the major card brands, and it defines a single baseline of controls for protecting cardholder data. Merchants and service providers that store, process or transmit that data are bound to the standard contractually, through the card brands and their acquiring banks. Its purpose is to reduce payment card fraud and the security breaches that enable it.

    3 Pillars of the PCI Security Standards

    PCI DSS applies to every organization, regardless of size, that stores, processes or transmits cardholder data. The standard rests on three main pillars:

    1. Focus on cardholder data – businesses that handle card data directly must meet the full set of hundreds of sub-requirements defined in the standard (organized under 12 high-level requirements). Businesses that outsource card handling to a third party (for example, a hosted payment page) and never touch card data themselves qualify for a reduced set of requirements, because the sensitive data is handled and stored by the third party rather than by the business.
    2. Scope reduction through segmentation – businesses that store cardholder data should isolate the systems that store, process or transmit it (the cardholder data environment, or CDE) from the rest of the business, typically by network segmentation. Without segmentation the entire network is in scope and every PCI DSS control must be applied to every system on it.
    3. Annual validation – businesses that handle card data must validate their compliance every year. The form that validation takes depends on the number of transactions processed annually and on whether the business has suffered a breach. Acquiring banks, card brands and business partners may ask to see the resulting Attestation of Compliance.

    PCI Compliance Levels

    There are four PCI compliance levels. A business is assigned to a level based on the number of transactions it processes per year, counted per card brand, and the thresholds vary slightly between card brands. The following are typical:

    • Level 1 – more than 6 million transactions, or any business that has experienced a breach (card brands may also assign a business to Level 1 at their discretion)
    • Level 2 – between 1 million and 6 million transactions
    • Level 3 – between 20,000 and 1 million e-commerce transactions
    • Level 4 – fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels

    Level 1 businesses must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by a qualified internal auditor with the results signed off by a company officer, which produces a Report on Compliance (RoC). They must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). After the assessment it is up to the business to remediate the findings. Businesses at levels 2 to 4 complete an annual Self-Assessment Questionnaire (SAQ) instead; depending on the SAQ type (any environment with Internet-facing system components that handle card data), quarterly ASV scans are required as well.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you effectively achieve and maintain PCI compliance:

    Optimize the PCI Scope Through Business Workflow Changes

    Evaluate and minimize your business’s exposure to cardholder data by adopting point-to-point encryption (P2PE) and leveraging third-party payment processors. This minimizes the systems in your PCI scope, reducing complexity and risk.

    Implement Real-Time Monitoring on PCI Key Controls

    Use automation to monitor compliance with key PCI controls, such as firewall configurations, access logs, and encryption standards. Implement alerts to catch deviations immediately, allowing for swift remediation.

    Conduct a Data Flow Mapping Exercise Regularly

    Go beyond the initial mapping of credit card data flows. Update this map annually or after any significant system changes to ensure no new paths for sensitive data are inadvertently created.

    Adopt Secure Software Development Practices

    If your organization develops applications handling payment data, integrate PCI DSS requirements into your software development lifecycle (SDLC). Use tools for static and dynamic application security testing (SAST/DAST).

    Invest in a Strong Change Management Process

    Ensure all changes to PCI-related systems undergo rigorous testing and approval processes to avoid inadvertently introducing non-compliant configurations or vulnerabilities.


    How to Become PCI Compliant: The 12 Requirements of PCI Security Standards

    To become PCI compliant, you must meet the 12 PCI DSS requirements, which break down into hundreds of sub-requirements. Together they cover the security systems, organizational processes, testing and policies that protect cardholder data.

    The 12 PCI compliance requirements are summarized below:

    1. Install and maintain a firewall configuration – restrict traffic into and out of the cardholder data environment to what the business requires
    2. Do not use vendor-supplied defaults – change default passwords and security settings on every system before it goes into production, and harden configurations
    3. Protect stored cardholder data – store the PAN only where there is a business need, render it unreadable at rest (encryption, truncation, tokenization or strong hashing), mask it when displayed, and never store sensitive authentication data (full track data, CVV/CVC, PIN) after authorization
    4. Encrypt transmission of cardholder data across open, public networks – use strong cryptography and trusted certificates, and never send PANs over unprotected channels such as plain email or chat
    5. Protect all systems against malware – deploy anti-malware software on all systems commonly affected by malware and keep it updated
    6. Develop and maintain secure systems and applications – patch known vulnerabilities promptly and build security into the development lifecycle
    7. Restrict access to cardholder data by business need to know – grant only the least privilege a role requires
    8. Identify and authenticate access to system components – assign a unique ID to every user, require multi-factor authentication for administrative and remote access, and do not use shared or generic accounts
    9. Restrict physical access to cardholder data – control entry to facilities, media and devices that hold card data
    10. Track and monitor all access to network resources and cardholder data – keep audit logs, protect them from tampering, review them daily and retain them for at least a year, so that an audit trail exists for breach investigations
    11. Regularly test security systems and processes – run vulnerability scans, penetration tests and intrusion and change detection to identify weaknesses and remediate them
    12. Maintain an information security policy – a clear policy that addresses security for all personnel
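    Requirement 3 is the one most often violated by accident: a debug statement or crash dump writes a full PAN, or a CVV, into an application log that nobody considers part of the cardholder data environment. The following Python script is an added example, not code from the page or from Exabeam, of the kind of check a team can run over its own logs to catch that. It finds digit runs of PAN length, discards the ones that fail the Luhn check (every real PAN carries a Luhn check digit, so most invoice or tracking numbers drop out), masks survivors to the first six and last four digits that PCI DSS allows to be displayed, and flags sensitive authentication data such as a CVV. The log lines are constructed for the example and use well-known test card numbers; the key=value field names are assumptions.

```python
import re

# Constructed sample log lines (not from the page). A payment application should never
# write full PANs or sensitive authentication data (SAD) such as CVV to its logs.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO order=1001 customer=alice amount=49.99
2024-03-01T10:00:02Z DEBUG card=4111111111111111 exp=12/26 cvv=123
2024-03-01T10:00:03Z DEBUG card=4111 1111 1111 1112 exp=12/26
2024-03-01T10:00:04Z INFO tracking=5500000000000004
2024-03-01T10:00:05Z INFO invoice=1234567890123
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data that must never be stored after authorization.
# The field names are assumptions for this example.
SAD_PATTERN = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: every PAN carries a check digit, so most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like PANs and pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Mask to the maximum PCI DSS permits for display: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Report, per line, the masked PANs found and whether SAD is present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        sad = SAD_PATTERN.search(line) is not None
        if pans or sad:
            findings.append({"line": lineno, "pans": [mask_pan(p) for p in pans], "sad": sad})
    return findings


def redact_line(line: str) -> str:
    """Sanitize a log line: mask Luhn-valid PANs and strip SAD values."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    line = PAN_CANDIDATE.sub(_mask, line)
    return SAD_PATTERN.sub(lambda m: m.group(1) + "=[REDACTED]", line)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact_line("card=4111-1111-1111-1111 cvv=123"))
```

    Running it on the sample reports lines 2 and 4 only: line 3 contains a 16-digit run that fails the Luhn check, and the 13-digit invoice number on line 5 fails it as well. The Luhn filter cuts false positives but is not proof of absence, so treat a clean scan as one input to the data flow map in the checklist below, not as a substitute for it.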

    PCI Security Compliance Checklist

    Follow this process to ensure your organization is PCI compliant:

    1. Determine your PCI level – count the transactions you process annually and compare the figure with the thresholds published by each card brand you accept. The level decides whether you self-assess or need a QSA.
    2. Map the flow of cardholder data – document every application, system, network path and person that stores, processes or transmits card data, including all payment platforms and storage systems that hold it. This map defines the scope of your assessment and is usually built with the assistance of IT staff.
    3. Complete the Self-Assessment Questionnaire (SAQ) – the SAQ checks whether your business meets each of the 12 requirements listed above (organized into six control objectives), with each requirement broken down into individual questions. Choose the SAQ type that matches how you handle card data (SAQ A for fully outsourced processing, through to SAQ D for everything else), and answer every applicable question; all applicable requirements must be met to be compliant. Level 1 businesses do not self-assess: a QSA validates compliance and produces a Report on Compliance instead.
    4. Complete the Attestation of Compliance (AOC) – a signed declaration that your SAQ or RoC is accurate and that you meet every applicable requirement. The AOC form differs by SAQ type and PCI level.
    5. Conduct vulnerability scans – if your SAQ type requires it (any environment with Internet-facing system components in scope), hire an Approved Scanning Vendor (ASV) for quarterly external scans and remediate the findings until you have a passing scan. Internal vulnerability scans and penetration tests are also required under requirement 11.
    6. Submit documents – send the AOC, the SAQ or RoC, and ASV scan reports to your acquiring bank and card brands as they require.
    7. Monitor continuously – your business, infrastructure and the data you store change between assessments, so compliance must be monitored throughout the year rather than checked once. A security team should own log review, monitoring, and response to vulnerabilities and threats.
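    Step 7 above, and requirements 7, 8 and 10 earlier, only work if someone is actually looking at the audit trail. The Python script below is an added example, not code from the page or from Exabeam, of three detections a security team could run continuously over authentication logs from the cardholder data environment: a user ID that keeps failing to log in past the lockout threshold (PCI DSS v3.2.1 requirement 8.1.6 caps attempts at six; v4.0 requirement 8.3.4 allows ten), a successful login by an account that is not on the host's authorized list, and a direct login with a shared or generic ID. The events are constructed in a simple key=value format for the example; real deployments parse syslog or Windows event formats, and the host names, user names and access list are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed authentication events (not from the page) in a key=value format.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00Z host=cde-db-01 user=alice result=success src=10.10.5.20
2024-03-01T09:01:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:02:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:03:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:04:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:05:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:06:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:07:00Z host=cde-db-01 user=bob result=failure src=10.10.5.21
2024-03-01T09:10:00Z host=cde-app-01 user=mallory result=success src=10.10.9.9
2024-03-01T09:11:00Z host=cde-app-01 user=root result=success src=10.10.5.22
2024-03-01T09:12:00Z host=corp-wiki user=mallory result=success src=10.10.9.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Hypothetical access list: CDE hosts and the user IDs authorized on each (requirement 7).
AUTHORIZED = {
    "cde-db-01": {"alice", "bob"},
    "cde-app-01": {"alice", "carol"},
}
SHARED_IDS = {"root", "admin", "administrator"}   # generic IDs barred by requirement 8
MAX_FAILED = 6        # PCI DSS v3.2.1 req. 8.1.6 lockout threshold (v4.0 req. 8.3.4: 10)
WINDOW = timedelta(minutes=30)


def parse_event(line: str) -> Optional[dict]:
    """Parse one key=value event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines) -> list:
    """Run the three CDE access rules over an iterable of event lines; return alerts."""
    alerts = []
    failures = defaultdict(deque)   # (host, user) -> timestamps of failures inside WINDOW
    fired = set()                   # one brute-force alert per (host, user)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["host"] not in AUTHORIZED:
            continue                # malformed, or outside the cardholder data environment
        key = (ev["host"], ev["user"])
        if ev["result"] == "failure":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()         # drop failures older than the sliding window
            # More failures than the lockout threshold permits: lockout is not working
            if len(q) > MAX_FAILED and key not in fired:
                fired.add(key)
                alerts.append({"rule": "brute_force", "host": ev["host"],
                               "user": ev["user"], "count": len(q), "ts": ev["ts"]})
        elif ev["user"] in SHARED_IDS:
            alerts.append({"rule": "shared_id_login", "host": ev["host"],
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
        elif ev["user"] not in AUTHORIZED[ev["host"]]:
            alerts.append({"rule": "unauthorized_cde_access", "host": ev["host"],
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

    On the sample it raises three alerts: bob's seventh failure on cde-db-01 (the lockout should have fired after the sixth), mallory's login to cde-app-01 where she is not authorized, and a direct root login on the same host. Mallory's login to corp-wiki is ignored because that host is not in the CDE, which is exactly why the scope map from step 2 has to be accurate.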
    Learn more:

    Read our white paper Implementing PCI DSS 3.2 Controls with Exabeam.


    PCI DSS Certification vs. Compliance: What’s the Difference?

    “PCI certification” is not an official PCI SSC term; the standard speaks of compliance and of validating it. Both involve the same 12 requirements, assessed at the level of scrutiny your PCI level dictates. In practice the two terms are used to distinguish two validation routes:

    • Self-validation – levels 2 to 4 validate with a Self-Assessment Questionnaire and an AOC, plus ASV scans where the SAQ type requires them. This is quicker and cheaper and can often be completed in under a month, but it is still mandatory, not voluntary: any business that handles card data must comply with PCI DSS.
    • QSA validation (commonly called “PCI certification”) – an on-site assessment by a Qualified Security Assessor that tests every applicable sub-requirement and produces a Report on Compliance. It is more expensive and can take up to 6 months.

    Do you need a QSA assessment?

    If you are a PCI Level 1 business, yes. Otherwise you may self-assess, but you can elect to have a QSA assessment performed anyway. Many businesses do so to increase the confidence of customers and other third parties in their information security standards.


    Benefits of PCI DSS Compliance

    PCI DSS compliance has a few main advantages:

    • Lowers risk – the controls reduce both the likelihood and the impact of a breach. According to a study conducted by Verizon, compliant businesses are 50% more likely to successfully endure an attempted breach. Compliance is a baseline, not a guarantee: the controls must actually be operating, not just documented at assessment time.
    • Increases customer confidence – customers are more likely to buy, especially on the Internet, from businesses that invest in data security and are PCI compliant.
    • Helps avoid additional costs – if a breach occurs, the card brands levy fines that your acquiring bank passes on to you, and you may also have to pay for forensic investigation, card reissuance and customer compensation. Fewer breaches mean less exposure to these costs. A breached business may also be reclassified as Level 1 and required to undergo a full, costly QSA assessment.
    • Aligns with industry standards – PCI DSS gives businesses everywhere the same security baseline. By aligning with it, you ensure your information security is at a level accepted throughout the industry.
