What is PCI-DSS Compliance?
Online retail sales have been increasing for years. With the COVID-19 pandemic affecting retail stores worldwide, more consumers than ever are shopping online.
For both customers and businesses, this behavior change has led to an increase in data breaches. A pre-pandemic study by the University of Maryland revealed that, on average, someone is hacked every 39 seconds.
Customers are scared. Approximately 70% of Americans reveal they feel their data is less secure than five years ago. So, businesses are faced with serious issues. A lack of consumer confidence impacts potential sales. This is why credit card companies created a set of security standards — PCI-DSS — to protect consumer information and business reputation.
But, what does PCI stand for?
PCI-DSS (Payment Card Industry Data Security Standard) was established to reassure and protect consumers and their data. Today, every business is required to follow this set of security standards for credit card transactions.
Here’s what you need to know about PCI and how to comply with its standards.
What is PCI Compliance?
Payment Card Industry (PCI) compliance is a mandate installed by the five major credit card companies. It enhances the security of all credit card transactions.
PCI standards are broken down into two categories:
Businesses are required to utilize these standards to secure and protect the credit card data of all customers.
Since every major credit card company abides by PCI standards, any business that accepts credit cards must adhere to them.
The current body responsible for developing, managing, and evolving these standards is the PCI Security Standards Council.
History of PCI-DSS
The roots of today’s current standards began in the late 1990s during the establishment of early e-commerce. As exciting as the period was for technology, fraudsters quickly demonstrated that they were sophisticated and technologically advanced.
Visa was the first credit card company to respond to data breaches by establishing a set of standards known as the Cardholder Information Security Program (CISP). CISP first became active in 2001.
Other major credit card companies soon followed suit. However, retail industries lacked a set of unified standards. For merchants, navigating cardholder data protection was confusing, and compliance was difficult to achieve.
The history of PCI DSS began in 2004. The founding members committed to establishing a unified standard of credit card payment security standards were:
- American Express
- JCB International
The PCI Security Standards Council released Version 1.0 in 2004 and then followed it closely with Version 1.1 in 2006.
The latest version of these standards is Version 4.0, which is set to release in May 2021. It’s expected to build on recent additions, including Secure Sockets Layer (SSL) and multi-factor authentication.
PCI Merchant Levels
Complying with PCI isn’t as simple as a business complying with a list of requirements. Depending on your merchant level, you must follow a specific set of security requirements to be classified as PCI compliant.
Merchant levels are determined based on potential cardholder risk. Depending on that risk, each merchant level outlines how a business should respond. Your merchant level defines your level of security validation and assessment.
Although each merchant level comes with its own set of requirements, the level your business falls into depends largely on the number of transactions you carry out per year.
Here’s a comprehensive view of the four merchant levels:
Level 1 – Carries out over six million transactions per year.
Level 2 – Processes between one and six million transactions per year.
Level 3 – Between 20,000 and one million transactions per year.
Level 4 – Less than 20,000 transactions are processed annually.
The vast majority of small businesses will fall into either level 3 or level 4. It should be noted that card issuers have their own sets of criteria. For example, JCB and American Express have their own versions. In 99% of cases, if you’re a level three business with Visa, you’ll be a level three business with JCB.
However, it’s always good to double-check your level with each credit card company to ensure your business isn’t one of the exceptions.
What Types of Businesses Need to Ensure PCI Compliance?
When reviewing PCI DSS compliance regulations, you may be thinking that your business isn’t large enough to need to be PCI compliant.
PCI compliance is required by credit card companies for every business, regardless of the industry, size, or location.
Even the smallest of businesses must be compliant if they collect, transmit, or store PCI data. In other words, if you collect, transmit, or store credit card/cardholder data, you need to comply.
However, if you are using a third-party vendor and don’t store or register credit card details, it’s on the third-party vendor to maintain compliance because you never handle or have access to customer payment data.
For example, if you’re a business that sells products and processes payments exclusively through third-party websites, such as Amazon, and don’t collect or store credit card data then you don’t need to worry about PCI standards.
PCI Compliance Requirements
There are approximately 12 general requirements for a business to ensure they are compliant with PCI-DSS.
Although it may sound like a significant burden for businesses, your business likely already fulfills most of these requirements.
Here’s the list of 13 requirements your business must follow:
1. Use and Maintain a Firewall
Firewalls block access to your digital devices from third-party entities, thus protecting the data on those devices.
A firewall is the primary line of defense you have in the online world. Practically every computer or laptop sold comes with firewalls included, so you are likely already protected.
Just make sure you install updates as and when they become available.
2. Follow Password Best Practices
Following password best practices prevents hackers from stealing or guessing your passwords. Create strong passwords with numbers, symbols, and both upper and lowercase letters.
You should also change any generic passwords on routers, modems, and other similar systems. Many businesses fail to do this, and it becomes a point of vulnerability.
It’s also good practice to switch your passwords every six months.
3. Protect Cardholder Data with Two-Fold Encryption
Businesses must encrypt all consumer card data with protective algorithms, i.e., encryption keys. These same encryption keys must also be encrypted for compliance.
Businesses are required to perform regular scans to ensure no data goes unencrypted.
4. Encrypt All Data Transmitted
When a customer makes a payment, their card data is sent through multiple channels. It may be sent through home offices, local stores, and payment processors themselves.
This data should be encrypted to guarantee compliance at all times, and account data never sent to unknown locations.
5. Mask Credit Card Information in Application Development, Testing, Analytics, and AI/ML Environments
Considering these environments can make up close to 80% of a company’s data, there is sure to be PCI information contained throughout. Instead of limiting the data that can be used in these mission-critical activities, companies can mask any sensitive information with fictitious, but realistic data that is referential across databases.
6. Use and Maintain a Reputable Anti-Virus System
Like firewalls, anti-virus systems tend to come bundled whenever you purchase a brand-new laptop or desktop computer.
You should always have anti-virus software installed on any device that accesses or stores Personal Access Number (PAN) data.
Furthermore, businesses must patch and install anti-virus software regularly. You can automate these processes, as the majority of anti-virus software solutions will notify you when a new patch or version becomes available.
7. Update Software Often
When software isn’t updated, it can become vulnerable. You should update every piece of software that you use in your business as soon as possible. This includes patches, which are usually delivered when vulnerabilities are discovered.
Fully updated software is another level of protection that protects cardholder data. Hackers are known to exploit businesses that have failed to update to the latest versions of their software.
Keep in mind, this doesn’t only apply to specialist software. It also includes web dashboards like WordPress.
8. Restrict Access to Data
PCI standards stipulate that cardholder data should be distributed on a strictly “need to know” basis. In other words, not everyone within your business should have access to this data. Only certain specialist employees should have access to this sensitive data. PCI guidelines recommend that you limit access to sensitive data as much as possible, particularly when master data is involved.
As part of your annual compliance audit, you must document and submit information about employee access.
9. Access for Unique IDs Only
Employees who have access to sensitive data should possess a unique login. PCI standards dictate that multiple employees should not share a single login.
Unique IDs reduce vulnerability and enable quicker response times if a business’s sensitive data is breached.
10. Guarantee Restrictions on Physical Access
Businesses must also prevent physical access to sensitive data by keeping both physical and digital data in a secure location.
For example, a password storage device should be kept in a secure room or a locked drawer. Access should be limited. Your company must also maintain an ongoing log to record each time anyone accesses the data.
11. Keep Accurate Access Logs
All relevant activity involving PAN and other cardholder data must have a log entry. This is the most common issue of non-compliance for businesses.
A lack of recordkeeping makes it difficult to trace breaches to a source of entry and resolve them.
PCI standards require software products to guarantee the accuracy of access logs.
12. Vulnerability Testing
The previous ten standards detail the creation and management of PCI compliance requirements. However, all systems eventually become outdated or experience malfunctions. Therefore, businesses must conduct vulnerability scans regularly to pinpoint areas of weakness. Current PCI standards mandate that businesses conduct quarterly scans of their systems.
13. Document Policies
You must possess appropriate documentation for access, employees, and software, as well as dates when updates were installed. Documenting information flow and storage procedures is a critical part of your annual audit.
Thankfully, modern PCI solutions automatically log changes. Many software options come with document generation tools that enable you to create reports at the click of a button.
Benefits of PCI Compliance
The road to PCI-DSS compliance may seem long and arduous. However, you must comply with these standards to perform credit card transactions in your business. There are benefits for going above and beyond the minimum standards instead of simply coasting. Here are a few of these benefits:
- Reaching compliance ensures all your digital systems are secure. This improves customer trust and increases the likelihood of building consumer confidence and gaining repeat customers.
- Improve your reputation by showing thorough diligence regarding customer data protection.
- PCI is just a small part of an overall business security strategy. It may only be a starting point, but installing this infrastructure can make additional regulations easier to comply with over time.
- Avoid major fines. Data breaches commonly lead to huge fines from local and state authorities if they find that the company wasn’t compliant with PCI requirements.
As you can see, taking the time to comply with PCI standards is beneficial to both your internal company workings and your external public perception. In an age where reputation is everything (and anyone on the internet can reach thousands of people instantly), your compliance efforts are not just recommended but essential.
How to Become PCI Compliant
Unlike other recommended standards in business, compliance with PCI cannot be self-assessed and posted on your website. You must follow a specific procedure.
Completing the Self-Assessment
The first step is to visit the PCI Security Standards Council website and download the appropriate self-assessment questionnaire.
The questionnaire you complete depends on your business. When filling out the questionnaire, you’ll need to answer yes/no to questions on the security arrangements you have within your company.
The most common areas where businesses fall short include outdated security protocols, unsecured authentication credentials, and a failure of verification for the SS1 certificate.
Once you finish the questionnaire, you’ll need to pass a vulnerability scan with a PCI SSC Approved Scanning Vendor. This requirement only applies to certain merchants. If it applies to you, you won’t be able to receive the Attestation of Compliance until the scan is completed.
Submit all the information you’ve complied with each step.
Cost of PCI Compliance
The cost of compliance largely depends on the business. The more card transactions you have, the more complex and more expensive it becomes to remain compliant.
As a result, some major corporations and enterprises, typically classified as level 1 or level 2 merchants, hire PCI experts. These professionals work directly with businesses to ensure compliance. Using a PCI expert is rarely necessary for small businesses.
Many merchant account suppliers offer free or extremely low-cost software for annual compliance with PCI standards. For an already compliant business, it can cost just a few hundred dollars to maintain that compliance every year.
For a small business starting from nothing, it could cost a few thousand dollars to get all the necessary software in place.
Penalties for Non-Compliance
In 2020, less than 30% of companies complied with PCI compliance requirements. Year-over-year, the number of compliant companies is falling.
Although fines are not published, they do happen. Fines can range from $5,000 to $100,000 per month until the merchant complies with PCI.
Banks that receive fines have a habit of passing them onto their clients. These come in the form of increased transaction fees or, in the worst-case scenarios, termination of the business relationship.
Companies also have to take into account lawsuits, actions by government authorities, and credit monitoring fees. Breaches of data lead to huge fines. Target was forced to pay $18.5 million in a settlement with 47 state attorney generals back in 2017.
Could your business handle penalties of this magnitude if you sustain a breach?
If your business experiences a data breach, you may encounter other potential consequences. A past breach could cause your business to move up to a higher merchant level. Higher merchant levels come with more complex requirements for compliance.
Finally, in rare cases, you could be prohibited from processing credit card transactions entirely. For businesses in the online era, this could be the death knell for your venture.
PCI Compliance & E-Commerce
Businesses that operate exclusively online are the least likely entities to comply with PCI standards. This may result from the common myth that micro-businesses don’t need to meet these standards. (Micro-businesses have less than 10 employees.) The only businesses that do not need to meet these standards are businesses that operate through third-party vendors, like Amazon stores or Etsy shops.
E-commerce operations that do handle payment data must have a strategy for maintaining full compliance. Much of it can be managed by certain software solutions.
Let’s take a look at some of your options.
1. Commercial Software
Delphix programmable data infrastructure (PDI) - Delphix provides an automated approach to finding and masking credit card and credit card holder information data in non-production databases used for development, testing, analysis, and AI/ML. In addition, Delphix helps to identify unauthorized changes to data in these environments to head off PCI-DSS data exposure. Non-production data encompases up to 80% of a companies data, so ensuring that PCI information is anonymized protects consumers, their data, and the company from non-compliance with PCI-DSS.
SolarWinds Security Event Manager (SEM) – A lightweight application with a dynamic console that even a non-tech savvy person can use and understand. All data is displayed graphically. Features include log collection and normalization, endpoint security, historical search, and compliance reporting.
ManageEngine ADAudit Plus – Great commercial software for implementing compliance and running instant audit reports. It focuses on Active Directory, monitoring, and recording any changes to access. All user actions are logged, and changes are fully tracked.
Splunk – Splunk’s best commercial option is Splunk Enterprise, as it comes with IPS (intrusion prevention system) capabilities. The software offers full detection procedures, including complete network traffic monitoring. It’s also possible to upgrade to AI-based anomaly detection.
2. Open-Source Software
E-commerce businesses may choose to use an open-source solution as these are typically cheaper and better suited for microbusinesses.
In addition to their affordability, open-source software makes it easier to scale and simplify the technological infrastructure supporting vendors.
Open source tools like Logstash and Fluentd are either free or extremely low-cost. However, your business must finetune any open-source software to your unique specifications. This can increase setup time.
3. Hosted SaaS Platforms
For the small business that wants to comply with PCI requirements but doesn’t have the resources to make it happen, hosted SaaS platforms are the solution.
SaaS and cloud-based e-commerce technology are compliant out of the box. The provider takes on much of the burden, so your responsibilities are heavily mitigated.
The e-commerce world is seeing an increasing number of popular SaaS platforms for meeting PCI standards, including BigCommerce.
Maintaining Compliance Over the Years
Compliance is hard to maintain. One reason is that businesses must conduct vulnerability scans quarterly. Second, they must submit the self-assessment questionnaire annually. This extra work often means businesses let compliance slip.
The answer is to outsource this aspect of your business. With so many platforms dedicated to helping businesses comply, the added expense is often worth it. Softwares automate much of the process while enabling you full control through intuitive dashboards.
PCI DSS is a complex set of standards that impose significant responsibility on businesses. Although businesses are not legally required to comply, a data breach could lead to huge penalties, as well as a complete loss of consumer confidence in your brand.
Ensure PCI compliance and protect cardholder data with Delphix programmable data infrastructure.