If your business processes credit card payments, you must comply with PCI DSS. The PCI security standards have 12 requirements which may appear to be simple, but are broken down into hundreds of detailed sub-requirements.
Complying with PCI security standards requires adopting and adhering to a rigorous information security policy. Learn what the PCI DSS requires, and the basic steps you should take to become PCI compliant.
In this post you will learn about:
- The 12 requirements of PCI security standards
- PCI security compliance levels
- What you need to do to become PCI compliant: a 7-step checklist
- The difference between PCI compliance and certification
- Benefits of PCI DSS compliance
What is PCI Compliance?
PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is an initiative supported by credit card companies and merchants, which provides a unified strategy for the protection of credit card user information. The initiative aims to combat credit card fraud and related security breaches.
3 Pillars of the PCI Security Standards
PCI DSS is applicable to all companies, irrespective of their size, that accept credit card payments. The PCI security standards have three main pillars:
1. Focused on credit card data
Businesses that directly deal with credit card data must adhere to 300+ requirements defined in the PCI security standard (organized into 12 high level requirements). Businesses that do not directly deal with card data need to adhere to fewer security requirements, as sensitive data is handled by third parties and not stored by the business.
2. Protecting stored data
Businesses that store cardholder data should separate systems that interact with cardholder data from other business operations. Otherwise, they will have to apply PCI security standard safety measures to all their platforms.
3. Annual validation
Businesses that deal with credit cards must fill in a PCI validation form annually. Factors that influence PCI validation include the number of transactions processed annually, and if the business experienced a breach. Other parties may ask a business to present their certificate of validation.
PCI Compliance Levels
There are four PCI compliance levels. A business is assigned to a level based on the number of annual transactions it processes. The numbers may vary slightly between credit card companies:
- Level 1—upwards of 6 million transactions, or a business that has experienced a breach
- Level 2—between 1 and 6 million transactions
- Level 3—between 20,000 and 1 million iInternet transactions
- Level 4—less than 20,000 internet transactions or less than 1 million physical card transactions
Level 1 businesses are required to have an annual internal audit, and a quarterly PCI scan conducted by an external approved vendor. After the audit is done, it is up to the business to attend to its vulnerabilities. Businesses that fall under levels 2-4 have to do a self-assessment on a yearly basis using a designated questionnaire. They may also be required to do a quarterly PCI scan.
How to Become PCI Compliant: The 12 Requirements of PCI security standards
To become PCI compliant, you must meet the 12 PCI compliance requirements, which are split up into 300 sub-requirements. The following PCI compliance requirements include security systems, organizational processes, testing and policies that can help protect cardholder data.
The 12 PCI compliance requirements are summarized below:
- Maintain a firewall—protects cardholder data inside the corporate network
- Passwords need to be unique—change passwords periodically, do not use defaults
- Protect stored data—implement physical and virtual measures to avoid data breaches
- Encrypt transmission of cardholder data across public networks—data must be encrypted, and you should never store card validation data
- Antivirus—use and regularly update antivirus on all systems holding sensitive data
- Develop and maintain secure systems and applications—actively search for vulnerabilities and remediate them
- Restrict access to cardholder data—sensitive data should be accessible on a need-to-know basis to reduce vulnerability
- Restrict access to system components—systems holding sensitive data should be accessible only with authentication and clear user identification
- Restrict physical access to cardholder data
- Track and monitor access to network resources and cardholder data—to provide an audit trail and assist with breach investigations
- Regularly test security systems and processes—identify weaknesses and remediate them
- Security policy—maintain a clear policy that addresses information security for all personnel
PCI Security Compliance Checklist
Follow this process to ensure your organization is PCI compliant:
- Determine PCI level—find out the number of transactions you process annually, then compare it to the requirements of each credit card company you plan to support.
- Map the flow of cardholder data—including applications, systems and people who work with credit card data. All credit payment platforms and storage systems that hold card data must be included. This is usually done with the assistance of IT staff.
- Fill out the Self-Assessment Questionnaire (SAQ)—the SAQ is a tool used to validate PCI compliance, which checks if your business meets each of the 12 requirements listed above (organized into 6 cControl mMeasures); each requirement is broken down into smaller steps. Your business must meet all the requirements to be compliant. If you are a PCI Level 1 business, a PCI approved auditor will validate your compliance.
- Fill out the Attestation of Compliance (AOC)—this document differs according to the PCI compliance level of your business. AOC ensures that you fulfill every PCI compliance step.
- Conduct a vulnerability scan—you can hire approved scanning vendors (ASVs) to scan for security vulnerabilities and make sure that you meet all standards. You can decide if you need an ASV based on the results of your SAQ.
- Submit documents—you may need to submit documents including AOC, SAQ, and ASV reports to banks, credit card companies, etc.
- Monitoring—your business, the infrastructure and the data you store may change with each security scan. Therefore, it is necessary to monitor compliance on an ongoing basis throughout the year. There should be a security team responsible for monitoring and responding to vulnerability and threats.
To learn how to easily implement PCI security standard controls with a next-generation Security Information and Event Management (SIEM), see our white paper.
PCI DSS Certification vs. Compliance: What’s the Difference?
PCI certification is essentially the same as compliance—it requires your business to adhere to the same 12 requirements, in accordance with your PCI level. The difference is that:
- PCI compliance is voluntary and based on self-assessment, or a lightweight external assessment that takes less than a month.
- PCI certification is a much longer process which can take up to 6 months, and involves in-depth investigation by a Qualified Security Assessor (QSA) whether your business meets each one of the hundreds of sub-requirements of the PCI DSS standard.
Do you need full PCI certification?
If you are a PCI Level 1 business, yes. If not, you are not required to perform PCI certification, but can elect to do so to. Many businesses become PCI certified to increase the confidence of customers and other third parties in their information security standards.
Benefits of PCI DSS Compliance
PCI DSS compliance has a few main advantages:
- Lowers risk—PCI compliance protects a business from breaches. According to a study conducted by Verizon, compliant businesses are 50% more likely to successfully endure an attempted breach.
- Increases customer confidence—customers are more likely to buy, especially on the iInternet, from businesses that invest in data security and are PCI compliant.
- Helps avoid additional costs—your business may be fined by the bank if a breach occurs, and you may need to replace credit cards or compensate customers. Fewer breaches mean less risk of fines. If your business experiences a breach, you will be promoted to PCI Level 1 and will be required to perform a full, costly certification.
- Aligns with industry standards—PCI DSS compliance ensures that businesses everywhere apply the same high security standards. By aligning with a standard, you ensure your information security is at a level acceptable throughout the industry.
- Official resources: PCI Council resources for merchants
- Official reference: PCI DSS 3.2.1 Quick Reference Guide, PCI DSS 3.2 Quick Reference Guide
- Learn how the Exabeam Security Management Platform provides a complete solution for implementing PCI DSS security controls: Read our white paper
- Learn about Exabeam solutions for PCI DSS and other compliance standards
- Information Security: Goals, Types and Applications