What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a compliance standard that was created to help organizations that process financial transactions protect debit and/or credit cardholder information from data breaches and fraud. It provides a number of operational and IT requirements that organizations must implement to safeguard their customer’s financial data.

PCI DSS was created and is regulated and maintained by the PCI Security Standards Council, an independent administrative and governing body. It was formed by major credit card companies like American Express, Visa, Mastercard, JCB, and Discover.

Furthermore, while the PCI Security Standards Council sets the standards for PCI compliance, each of the major credit card companies has its own compliance program and is responsible for enforcing compliance as it relates to their account holders.

Overview of PCI DSS

PCI DSS was designed to empower organizations to protect their customer’s credit card information from unauthorized access, theft, or misuse. This might be from a data breach or malware embedded into an IT system through a neglected or unknown cybersecurity vulnerability. 

To protect cardholder data, PCI DSS mandates requirements for the security controls that organizations must implement in order to ensure that their customer data is protected and monitored against potential threats.

What are the requirements of PCI DSS?

PCI DSS requirements mandate either an audit or self-assessment questionnaire (SAQ) depending on the Compliance Level category your organization falls in. Which is based on the number of transactions your organization processes within a year. We review the Compliance Levels below.

  • Level 1: Indicates the organization processes more than 6 million card transactions per year. This is the highest level of PCI DSS certification and requires the organization to submit to an audit by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).
  • Level 2: Indicates the organization processes between 1-6 million transactions per year. This level requires the organization to complete an SAQ instead of an audit. However, they must also complete a Report on Compliance (RoC).
  • Level 3: Indicates the organization processes between 20,000-1 million transactions per year. This level requires the organization to complete an SAQ instead of an audit.
  • Level 4: Indicates the organization processes less than 20,000 transactions per year. This level requires the organization to complete an SAQ instead of an audit.

Merchants falling under Compliance Levels 1-3 must also complete a quarterly scan conducted by an Approved Scanning Vendor (ASV). While merchants falling under Compliance Level 4 are not required to complete an ASV scan, this is typically required by the merchant’s acquiring bank. For those organizations that require an audit, one must be performed on an annual basis.

Who does PCI DSS affect?

PCI DSS affects any organization that collects payment information, as well as processes, stores, or transmits debit or credit card payment data electronically. 

How to be Compliant with PCI DSS?

To be PCI DSS compliant, the framework outlines six “control objectives” an organization should seek to comply with and twelve security requirements among each of those objectives. 

Furthermore, these objectives are not a one-time requirement. The PCI SSC conducts on-going monitoring to ensure continuous compliance. Therefore, organizations must ensure that their control measures are maintained and do not degrade over time.

*The PCI Security Standards states the following six control objectives:

#1 – Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Conduct proper password management and security parameters (for example, replacing default passwords with complex, secure passwords).

#2  – Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

#3 – Maintain a Vulnerability Management Program

  • Protect all systems against malware and update antivirus software or programs regularly.
  • Develop and maintain secure systems and applications.

#4 – Implement Strong Access Control Measures

  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Restrict physical access to debit card or credit card data.

#5 – Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

#6 – Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.

Generally, a business’ merchant bank is responsible for enforcing PCI DSS. If a business or acquiring financial institution is found to be non-compliant, they can face fines from the payment card brands. Fine amounts vary depending on the number of instances of non-compliance and the severity of the incident.

 

Key Takeaways

  • The PCI SSC is the governing body of the PCI DSS.
  • The PCI DSS was created to protect against surging numbers of cardholder data breaches and fraud.
  • Any organization that collects payment information, as well as processes, stores, or transmits payment data electronically, must demonstrate compliance through either a Self-Assessment Questionnaire (SAQ) or an audit depending on the number of annual transactions.
  • If you qualify for a SAQ, your organization must pass a vulnerability scan on a quarterly basis.
  • Depending on an organization’s Compliance Level, an annual audit might be required.
  • Furthermore, PCI DSS lays out six control objectives and twelve requirements that can empower a business to obtain PCI compliance.