The PCI DSS Requirements Overview
PayGuard’s PCI Compliance Guide will take you through an overview of what compliance means as set out by the PCI Security Standards Council. Discovering who needs, and benefits for having, this in place and the consequences of not complying. The guide highlights the minimum criteria that anyone taking payments should achieve to avoid data breaches.
What is PCI DSS Compliance and The Payment Card Industry Data Security Standard (PCI DSS)?
Being PCI DSS Compliant refers to the adherence of a list of requirements created by The Payment Card Industry Security Standards Council. The Payment Card Industry Data Security Standard’s intention is to safeguard against insecure handling of the payment process and maintaining a secure environment for sensitive data.
This standard is constructed of 12 major categories that outline instructions to help prevent data breaches and maintain quality security controls. These protocols are put in place to protect both the consumer and the businesses. The latter being ultimately liable for the safety of this information. Non-compliance can result in penalties up to £80,000 per month charged by Visa, Mastercard, AMEX and Discover.
Who Needs to Follow The PCI DSS Requirements?
Simply put, any organisation that has access to cardholder data should be following the PCI DSS Requirements. This does not differ if you are a retailer, charity or service provider, the PCI guidelines remain the same.
Using a third-party processor does not eliminate the requirement for an organisation to follow the guidelines laid out by the PCI DSS. Using a service such as PayGuard helps businesses protect themselves against the risks of taking payments and will simplify annual audits.
What are the levels of PCI DSS Compliance?
There are four levels of PCI Compliance that have been created. Each outlines the various criteria for the different types of organisations that will take payment.
Merchant Level 1
Who – Any organisation that processes over six million transactions per year through any channel.
PCI DSS Assessment Method:
- Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or a Qualified Internal Security Resource.
- Quarterly network scan by Approved Scan Vendor (ASV).
- Attestation of Compliance form (proof or evidence of a compliance form).
Merchant Level 2
Who – Merchants processing one million to six million transactions annually via all channels.
PCI DSS Assessment Method:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by ASV
- Attestation of Compliance form (proof or evidence of a compliance form).
Merchant Level 3
Who – Merchants processing 20,000 to one million e-commerce transactions annually.
PCI DSS Assessment Method:
- Must use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s Website
Or
- Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Merchant Level 4
Who – E-commerce merchants processing fewer than 20,000 e-commerce transactions annually.
PCI DSS Assessment Method:
- Must use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website)
- Or have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Who – Non-E-commerce merchants processing up to one million transactions annually.
PCI DSS Assessment Method:
- Annual SAQ
- Quarterly network scan by ASV
- Attestation of Compliance form
The 12 PCI DSS Requirements
Build and Maintain a Secure Network
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
The requirement of installing a firewall serves to protect data held in the companies digital environment. The firewall manages your traffic that flows in and out of your servers. By filtering access requests it can stop traffic that do not comply with its security rules.
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters
Using pre-supplied passwords and usernames means your settings are already exposed to an outside environment. Changing the passwords and other factory defaults means that your settings are now unique. This simple change will start you in the right direction of becoming compliant for this requirement.
Protect Cardholder Data
Requirement 3 – Protect stored cardholder data
The third PCI Requirement is to protect cardholder data. All card details that are stored should be encrypted with an accredited algorithm. Not only does the data need to be encrypted and secure, but also the encryption keys.
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
Businesses are required to encrypt data on their own server and also secure the transmission of data across networks. This can be the transmission to backup servers, corporate offices or even third-party processors to name a few.
Maintain a Vulnerability Management Program
Requirement 5 – Use and regularly update anti-virus software or programs
Making sure that anti-virus and anti-malware software is installed is important to eliminate risk. These need to be up to date to stop attacks of newer threats. It is also advised that you stay aware of the latest malware threats to aid protection.
Requirement 6 – Develop and maintain secure systems and applications
Staying on top of updates for systems used by organisations helps to eliminate hacker opportunities. This can include updates to browsers, software applications, firewall, operating systems and POS terminals. Hackers are actively looking for weaknesses in software and coding to gain access to your systems. These regular updates often include fixes to known security holes.
Implement Strong Access Control Measures
Requirement 7 – Restrict access to cardholder data by business need-to-know
Essentially a level of access control is needed to fulfil this requirement. A role-based access control system allows only the people who need access to data to have it. This obviously limits the exposure of sensitive information and risk. An up-to-date list of staff who has access to card data is required and needs to be maintained.
Requirement 8 – Assign a unique ID to each person with computer access
To increase access control, attention should be paid to unique ID’s and passwords. Passwords should not be generic or shared and need to be sufficiently unique. Remote access should also be subject to multi-factor authentication.
Requirement 9 – Restrict physical access to cardholder data
It is a stated requirement that companies have to physically restrict access to areas and devices that contain cardholder details. It is also specified that your business details and lists who has access to the data and why. A company also have to document a list of devices that give access to the cardholder data, where they can/cannot be allowed and when they are used.
Implementation of controls such as time lockouts should also be in place to stop unauthorised access. With regular inspection of devices and staff training of security procedures also constantly maintained.
Regularly Monitor and Test Networks
Requirement 10 – Track and monitor all access to network resources and cardholder data
It is essential and mandatory that you track events such as actions and access to and on your systems and devices on the businesses network. This is used to monitor events of system users and create alerts of any suspicious activity making sure at all times that the cardholder details are secure. Security information and event monitoring tools can be used to help in this process.
Requirement 11 – Regularly test security systems and processes
Conducting vulnerability and penetration testing into your systems will reveal any weakness in security. It is important by doing this you can stay ahead of potential hackers and those wishing to breach your data. This proactive approach will require different levels of testing dependent on the particulars and size of the business.
Maintain an Information Security Policy
Requirement 12 – Maintain a policy that addresses information security for employees and contractors
This final requirement demands documentation of your business’s security procedures. This will include employee training documents, policies and procedures, outsourced vendor agreements and incident response plans. Secondly to this policy is a yearly risk assessment which has outlined any actions.
What are the penalties for non-compliance?
Monthly Penalties can be administered from the founding PCI Security Standards Council credit card companies (Visa, Mastercard, AMEX, and Discover). Penalties can range from £4,000 to £80,000 a month and are dependent on the merchant level and volume of transactions taken. Each month that the PCI DSS terms are not met are subject to a further fine.
Data Breaches can also be subject to penalties even though PCI Compliance will not stop breaches. That said, if an organisation adheres to PCI DSS requirements the fines can be dramatically lower or even in some cases removed. Additional costs involved in a data breach include financial investigations and increased rates charged by banks and processors.
Legal Action – Further to data breach penalties, companies can be faced with further legal action. The DIY chain “Home Depot” in the USA was subject to an estimated $19.5 million fine in 2014 (reported on Reuters). This breach affected over 50 million cardholders. It was perceived that there was a lack of vulnerability scans. This failed to reveal the security risk of access to cardholder data.
Damaged Reputation – Customer loyalty is a hard-won battle, which can be severely damaged by security issues. If an organisation does not restrict access to cardholder or sensitive information, they risk severe reputation damages. The cost of regaining trust has increased marketing and PR costs that exacerbate the loss of customers.
Revenue Loss is a knock-on effect you would expect to see when a business’s reputation has been damaged. A high percentage of customers will walk away from an organisation after their sensitive information has been exposed. A majority are likely to share their negative experience on digital platforms and by word of mouth. This will make it harder for companies to attract new business.
PCI DSS v4.0 Is On Its Way
A new update of the PCI DSS requirements is due to be announced this year in Q2. Initial information shows the above 12 requirements will remain the core of the security standard. The development of the new v 4.0 update has taken considerable time and received input from a variety of business and organisations.
The result will be an improved and more flexible implementation of security for merchants and the global card industry. The transition to this new version will be over an extensive period of time, likely to be 2 years. This will allow organisations the opportunity to adjust and implement new procedures.
How PayGuard Takes On PCI DSS Requirements & Makes It Easy For You
There are a lot of considerations and processes that need to be in place for any organisation to take payments. PayGuard provides a great way to be compliant without the hard work or worry, of these somewhat difficult and hard to implement requirements. Our Simple, Secure payment technology takes you out of scope and provides the highest level of PCI DSS Compliance. PayGuard gives peace of mind and very real savings of the implementation, maintenance and annual auditing.
