The PCI SSC (Payment Card Industry Security Standards Council), a body with global membership, has developed and continues to enhance a framework of security standards to simplify payment data security for merchants. The PCI SSC recognized the need for standards to help companies efficiently and effectively protect cardholder data.
The set of standards that it developed – PCI-DSS – guides business owners around the world in meeting a consistent set of requirements, thereby achieving PCI compliance. The council's programs include:
- Assessment and Scanning Qualifications
- Self-assessment Questionnaires
- Training and Education
- PCI Certification Programs
- PCI DSS Audits
What Is PCI Compliance?
PCI compliance means consistently adhering to the core security requirements set forth by the PCI SSC aimed at safeguarding customer payment data. When businesses that accept credit card payments have fully adopted all the requirements of PCI DSS, they have achieved PCI compliance.
What Is the Benefit of PCI Compliance?
The most important benefit of PCI compliance is the confidence that you instill in your customers when they learn that you have done everything possible to protect their cardholder information.
What Are the Core Requirements for PCI Compliance?
PCI DSS has become the standard that online retailers follow when collecting, storing, processing and transmitting each customer’s credit card data.
This key standard in the credit card industry consists of a set of requirements that serve as functional guidelines for businesses to operate safely while managing customer data.
The core requirements for PCI DSS that result in PCI Compliance include the following:
- Design, construct and maintain a secure network and systems, including installation of a firewall between any wireless network and the cardholder data environment
- Protect cardholder data
- Implement and maintain a strong vulnerability management program
- Introduce and execute solid access control measures
- Regularly monitor and test networks
- Develop and maintain information security policy and ensure proper distribution via training sessions and manuals
Learn about the Changes Coming with the Latest Update: PCI DSS 4.0.
What Are the Compliance Levels of PCI-DSS?
Companies that are subject to PCI standards are divided into four compliance levels defined by Visa and MasterCard. These levels are based on how many transactions they process per year, as well as other details about the level of risk assessed by the payment brands. Generally, these validation levels also apply to the aggregated number of transactions for other credit card brands within a 12-month period. These levels apply to all forms of payment acceptance portals, such as telephone transactions, point-of-sale transactions, mailed-in transactions, and e-commerce transactions.
At each level, there are different validation requirements. The four levels and their validation criteria are:
Merchant Level 1
A merchant needs to comply with Level 1 requirements if it processes more than six million transactions per year across any channel. Additionally, you are required to comply with Level 1 requirements if you have been subject to an attack or a data breach that resulted in any compromise of cardholder data. Payment brands may also require other merchants to comply with Level 1 requirements, at their discretion, if they decide that the risks merit it.
At Level 1, the SAQ is replaced by an annual Report on Compliance (RoC, also known as AoC) performed by a Qualified Security Assessor. This can be performed by a Level 1 onsite assessor or by an internal auditor if an officer of the company is willing to sign the assessment. Having an external auditor, such as those who work with us at I.S., can help ensure that you are complying with all requirements.
Merchant Level 2
Merchants must comply with Level 2 requirements if they process anywhere from one to six million transactions each year, across all channels.
The validation requirements at this level are the same as those at the lower compliance levels.
Merchant Level 3
Merchants at this level are those performing anywhere from 20,000 to one million e-commerce transactions each year.
The validation requirements are the same as those for Level 4 compliance.
Merchant Level 4
This is the least stringent compliance level. It applies to those who process fewer than 20,000 Visa or MasterCard e-commerce transactions per year or up to one million other types of card transactions, regardless of the payment acceptance portal.
At Level 4, businesses must complete a Self-Assessment Questionnaire (SAQ) each year. They are also subject to quarterly network scans by a PCI SSC-Approved Scanning Vendor and need to complete an Attestation of Compliance form.
How Do You Determine Your Level?
Your level is based on data from the prior 52 weeks of business. While each major payment brand has its own table of merchant levels, Visa, Discover and MasterCard have all worked together to make their levels consistent. American Express and JCB accept the merchant level determined by any other card brand.
What Happens if There is a Breach?
The consequences of a breach can be devastating to a business. Any attack or incursion that leads to the exposure of cardholder data counts as a breach that can change your compliance level. If you have a breach, Visa reserves the right to raise your compliance level in response. Because of the increased perceived risk, your compliance level will no longer be bound to the number of transactions you perform each year. So, if you are currently only bound by Level 4 compliance, you may find yourself having to comply with Level 1 requirements.
What Are the Penalties for Non-Compliance?
At the discretion of the credit card company, acquiring banks can be fined from $5,000 up to $100,000 per month. Banks may pass this fine on to the business or merchant, as well as increase transaction fees for the business or terminate their business relationship.
By not complying, a business will have problems working in the future with the credit card brands associated with the PCI SSC. Non-compliant companies also often suffer significant damage to their reputation, stakeholder support, and customer loyalty.
What Is the PCI-DSS Prioritized Approach?
The Prioritized Approach groups the 12 PCI-DSS standard requirements into 6 milestones to provide a framework for compliance. These milestones help organizations secure their customer data against high-risk factors and ever-escalating threats while working to ensure PCI compliance. It also helps assessors in evaluating security controls so there is more consistency in their auditing methods.
Using the six security milestones as a tool, merchants can develop, implement and monitor all security policies, protocols, and controls. The primary benefits associated with the Prioritized Approach are:
- Roadmap or guidepost to help an organization address all of its risks in order of priority
- The simple and pragmatic approach allows for “quick wins”
- Supports operational and financial planning
- Provides and promotes measurable and objective indicators of progress
- Features tools and strategies that promote consistency among assessors
The six security milestones are:
1. Remove Sensitive Authentication Data and Limit Data Retention.
Basically, this milestone concentrates on the idea that “less is more” in the case of data storage and retention. In essence, anything you do not need, or no longer need, should be removed from your systems and networks so that consumer data is not compromised if you suffer a data breach.
2. Protect All Systems and Networks and Prepare for a Breach.
This milestone allows you to set target controls for points of access where you might experience a system compromise. Here, you will also develop processes for responding to breaches.
3. Secure Payment Card Applications.
Payment card applications are chock full of information that hackers want. With this milestone, you can work to set controls to protect all applications and application processes and servers.
4. Monitor and Control Access to Your Systems.
It is always important to make sure you have set the proper authorization controls to protect consumer data. With this milestone, you can detect all the details of anyone accessing the network and cardholder data area and whether there is reason for concern. Additionally, administrators of your systems must have multi-factor authentication (MFA) before being allowed to access the cardholder data environment.
5. Protect Stored Cardholder Data.
If you have analyzed your business processes and have determined that there is data that you must store, such as primary account numbers, this milestone focuses on key protection mechanisms for the stored data involved.
6. Finalize Any Remaining Compliance Efforts to Ensure All Necessary Controls are In Place.
With this milestone, it is time to finalize any remaining related policies, procedures and processes you need to protect your business’s cardholder data environment.
What Are the Key Differences Between PCI Compliance and PCI Certification?
Essentially, PCI compliance involves the development and daily maintenance of cardholder data protection policies and procedures. PCI certification proves that businesses have actually achieved PCI compliance for a given time period.
PCI compliance is attended to on a daily basis, while PCI certification is a specific process, performed by a trusted auditor, that can take as long as six months to complete. However, such an investment shows your customers how much you value them. Many business owners look at PCI certification as a way to proactively repay their customers’ trust in their brand.
Can Certification Help Boost PCI Compliance?
As more and more companies have come to understand the value of PCI compliance, PCI certification has also gained attention and importance. Thanks to the ever-growing list of data breaches, online retailers are more attuned than ever to the need to protect cardholder information. These business owners understand that PCI compliance is important, and they would like to fast-track their efforts to doing everything possible to achieve compliance.
PCI certification comes as the result of an intensive and comprehensive PCI DSS audit, performed by a qualified security assessor (QSA). The QSA examines and validates all aspects of the business that come into contact with cardholder data to make sure that the business has maintained proper controls and followed prescribed security measures to protect cardholder data.
Get more expert advice here: How to Keep Employees and Your Organization PCI Compliant.
Common Misconceptions about PCI Compliance
Over the years, there have been many misconceptions in regards to PCI-DSS compliance. Here are a few common myths about these security standards.
PCI-DSS Compliance Is Voluntary.
False. Any business that engages in credit card transactions is required to follow the standards set and enforced by the PCI SSC. Organizations that accept, store, transmit, or process cardholder data must comply with the PCI-DSS version currently in force.
Though PCI compliance is not federally mandated, some states, increasingly concerned about credit card fraud, have implemented their own laws to guide businesses toward better practices for protecting cardholder data.
PCI certification, on the other hand, is voluntary. It serves as reliable verification that your company is PCI compliant. It is useful when it comes to audits and for showing a clear commitment to PCI compliance. Taking extra steps to protect potential customers from the negative consequences of data breaches goes a long way toward turning them into customers and may give you an edge over your competition.
PCI-DSS Only Applies to Businesses that Store Credit Card Information.
False. Any business or merchant that accepts credit card payments, transmits cardholder data, processes transactions and/or stores cardholder information needs to comply with PCI-DSS requirements.
My Business Can Stay PCI-DSS Compliant by Using a Single Vendor.
False. No single vendor or product will cover all 12 PCI-DSS requirements or meet all the minimal standards. Instead, your organization should create a comprehensive security strategy that reaches PCI compliance and then use products and vendors that complement your network security system.
My Company Can Stay PCI-DSS Compliant by Outsourcing Card Processing Tasks.
False. If credit card transactions are outsourced, your company will still need to meet PCI-DSS compliance when transmitting cardholder data to the service provider. You also need to ensure that the outsourcing company you use meets PCI-DSS compliance.
Meet PCI-DSS Security Standards with Auditing Assessments
PCI-DSS provides tools for businesses to assess their current security methods and institute procedures for greater payment account security. To help your team comply with the standards, AWA has qualified security assessors who have been certified by the PCI SSC to perform audits on security controls, systems, and policies.
Editor’s Note: This post was originally published in 2018 and has been updated for accuracy and comprehensiveness.