For many merchants, PCI compliance is a “necessary evil”. Getting the right security controls in place feels like a never-ending process, and annual audits are incredibly time-consuming. It is, however, required for all merchants who process, store, or transmit credit card data, and for good reason. There were more than 5,000 confirmed data breaches (across more than 16,000 security incidents) in the United States in 2022, targeting both large and small businesses in nearly every industry. While PCI compliance does not provide “magical” protection against a credit card breach, it is an important and effective step in protecting your business – and your customers – from very real security threats.
How to Become PCI Compliant
PCI compliance is an ongoing process. The requirements are unique from merchant to merchant, depending on how and where you process credit card data. (You can learn more about PCI merchant levels and their corresponding requirements here.) There’s no standard “checklist” that you can work through to take care of compliance once and for all.
The PCI website has over 60 guidance documents available for consideration. The best place to start is always to engage with a Payment Card Industry Qualified Security Assessor (QSA). A QSA is the only person who has final say on what is (or is not) PCI-compliant.
In the meantime, your first step is to figure out what parts of your infrastructure are considered “in scope” for PCI compliance. The more people, processes, or technologies that touch sensitive credit card data, the larger your scope will be. (On the other hand, the fewer ways you touch this data, the smaller your scope. That’s what you’ll ultimately want to work toward.)
Anything that is considered “in scope” will need to meet specific requirements for PCI compliance. You’ll need to answer questions about these elements – and the steps you’re taking to keep them secure – in an annual self-assessment questionnaire (SAQ).
PCI DSS Requirements
The Payment Card Industry Data Security Standard (PCI DSS) consists of 12 requirements, each designed with a specific intent to enhance the security of payment card data and protect against data breaches. These comprehensive requirements provide a detailed framework for organizations that handle payment card information.
The intent behind the 12 requirements is to help merchants establish a robust security posture by addressing the most critical aspects of data protection. They cover areas such as network security, access control, encryption, and monitoring. Each requirement offers a set of guidelines and best practices aimed at reducing the risk of data compromise. They emphasize the importance of securing cardholder data during storage, transmission, and processing, while also highlighting the need for regular monitoring and testing to identify vulnerabilities.
The level of detail in these requirements is substantial, offering specific actions that a business must take to achieve compliance. Merchants, for instance, may need to augment their company policies; document their security procedures; and appropriately separate duties among their employees. They may also need to address specific action items such as implementing firewalls, setting encryption protocols and access control mechanisms, and enforcing detailed logging and monitoring procedures.
This framework helps organizations understand exactly what is expected of them in terms of securing payment card data. By following these requirements meticulously, organizations can strengthen their security measures and reduce the likelihood of data breaches, ultimately safeguarding both their customers and their reputation.
That said: in recent versions, the PCI DSS has been moving from a “prescriptive” approach (telling merchants exactly what to do to become compliant) to a more flexible one. Companies can now tailor their security programs to their own needs, provided the controls meet the standard’s end goals. The primary areas of focus, however, remain the same.
Here’s a high-level look at the 12 PCI DSS Requirements and some of their various sub-controls:
1. Install and Maintain a Firewall Configuration to Protect Cardholder Data:
- Implement a firewall and router configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and security parameters.
2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters:
- Change all default passwords and security settings to secure, unique values.
- Ensure that security parameters are configured according to best practices.
3. Protect Cardholder Data:
- Encrypt cardholder data when it is transmitted across open, public networks.
- Implement strong encryption and security protocols.
- Protect stored cardholder data through encryption and access controls.
- Use strong cryptography and key management practices.
4. Encrypt Transmission of Cardholder Data Across Open, Public Networks:
- Use strong encryption mechanisms (e.g., SSL/TLS) to secure data during transmission over public networks.
5. Use and Regularly Update Anti-Virus Software:
- Deploy and maintain anti-virus software on all systems commonly affected by malware.
- Ensure that anti-virus software is updated regularly.
6. Develop and Maintain Secure Systems and Applications:
- Develop and maintain secure applications and systems.
- Apply security patches and updates regularly.
- Implement strong access controls for systems and applications.
7. Restrict Access to Cardholder Data by Business Need-to-Know:
- Limit access to cardholder data to only those individuals who require it for their job responsibilities.
- Implement an access control system with unique IDs for each user.
8. Identify and Authenticate Access to System Components:
- Implement strong access control measures, including unique user IDs, passwords, and multi-factor authentication.
- Regularly review and update access privileges.
9. Restrict Physical Access to Cardholder Data:
- Implement physical security measures to prevent unauthorized access to cardholder data.
- Monitor and restrict access to data storage and processing areas.
10. Track and Monitor All Access to Network Resources and Cardholder Data:
- Implement logging mechanisms and regularly review logs for suspicious activity.
- Establish a process for responding to security incidents.
11. Regularly Test Security Systems and Processes:
- Conduct regular vulnerability assessments and penetration tests.
- Remediate vulnerabilities and weaknesses promptly.
12. Maintain a Policy that Addresses Information Security for All Personnel:
- Develop and maintain an information security policy.
- Provide security awareness training to all personnel.
- Enforce security policies and procedures consistently.
These 12 requirements are essential for organizations that handle payment card data to ensure the security and protection of sensitive information.
Proving Compliance Through Self-Assessment Questionnaires
SAQs, or Self-Assessment Questionnaires, help merchants assess their compliance with these PCI DSS requirements in a structured and simplified way.
SAQs are self-conducted – meaning the merchant’s internal team completes and submits the questionnaire. This stands in contrast to a PCI Report on Compliance (ROC), which must be conducted by a third-party audit firm. However, ROCs are only required for very large merchants who process more than 6 million credit card transactions per year.
Even SAQs, however, can pose a considerable challenge when it comes to finding the time and resources to collect the required documentation and answer all of the questions. For smaller businesses without a designated security or compliance team, the process can be particularly overwhelming.
SAQs vary in detail and complexity. The level of detail reflects the varying degrees of risk associated with different payment environments.
For instance, SAQ A, the simplest questionnaire, is intended for e-commerce merchants who outsource all payment processing functions and do not store any cardholder data. In contrast, SAQ D, the most comprehensive questionnaire, addresses organizations that store, process, or transmit cardholder data on their own systems, in turn requiring an in-depth assessment of security controls across the organization. Merchants should carefully select the SAQ that aligns with their operations to ensure they meet the necessary security standards while avoiding unnecessary complexity.
Because so much depends on the way(s) in which a merchant processes credit card data (for instance, whether they take card payments online, by mail, or over the phone), the best route is to work with a PCI QSA to determine which Self-Assessment Questionnaire(s) are applicable for a specific environment.
Who Enforces PCI Compliance for Merchants?
It’s essential for merchants to understand that PCI compliance is mandatory, not optional, as it helps protect both the security of cardholder data and the reputation of the payment card brands.
At the highest level, PCI compliance is enforced by these card brands, including Visa, Mastercard, American Express, and Discover. (These major card brands collectively comprise the Payment Card Industry Security Standards Council, or PCI SSC).
However, enforcement typically occurs through a merchant’s acquiring bank.
Acquiring banks are financial institutions with whom merchants partner to accept card payments. These banks play a pivotal role in enforcing PCI compliance. They require their clients to demonstrate compliance with the PCI DSS by submitting a copy of their completed Self-Assessment Questionnaires (SAQs). Non-compliance can lead to fines and potentially even a loss of ability to accept card payments.
Reducing Your PCI Scope (And in Turn, the Cost of PCI Compliance)
For many merchants, this is a lot of information to digest. However, there are ways to reduce the scope – and cost – of PCI compliance.
Scope reduction offers several compelling benefits:
- It can substantially simplify the compliance process. You save time and resources that can be better invested in growing your business.
- It can enhance your security by reducing the exposure of sensitive cardholder data within your environment. This, in turn, can reduce the risk of data breaches and sensitive data theft.
- It can even foster customer trust by demonstrating your commitment to safeguarding their payment information.
Ultimately, reducing your PCI scope is not just about compliance; it’s about protecting your business, your customers, and your reputation, while at the same time letting you focus more on what you do best. So: how can this be achieved?
Payment Processing Technologies for Merchant Scope Reduction
Payment processors, as intermediaries in the payment card industry, offer technologies and services that can help merchants more easily comply with the PCI DSS. One significant advantage is their ability to offload the handling of sensitive card data. Through tokenization, encryption, and other advanced security measures, payment processors can ensure that their merchants’ cardholder data is protected throughout the entire transaction process.
With the card data securely managed by the payment processor, merchants can focus on their core business operations, confident that the most sensitive aspects of payment security are being handled by experts in the field. This collaborative approach between merchants and payment processors not only enhances security but also streamlines the compliance process, allowing businesses to thrive in a secure payment environment.
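To make concrete what “offloading” card data through tokenization means for scope (and how it satisfies the requirement 3 sub-controls on protecting stored cardholder data), here is an added illustration in Python. It is not Curbstone’s code or any processor’s API: the `TokenVault` class stands in for the processor-side vault, the token format `tok_…` is an assumption, and the order-log line and the test card number 4111111111111111 are constructed sample input. The example shows the three things a merchant needs to see: the PAN is exchanged for a random token the moment it arrives and never lands in the merchant’s own record, the only display form the merchant keeps is the first-six/last-four mask, and a small scanner that finds Luhn-valid card numbers in the merchant’s own data so stray PANs (which would pull a system back into scope) can be located.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed sample input: a line a merchant's order log might contain.
# 4111111111111111 is a well-known Luhn-valid test number, not a real card;
# 1234567890123 is a 13-digit order reference that is NOT Luhn-valid.
SAMPLE_LOG = "order 1009 paid with card 4111 1111 1111 1111 exp 12/29 ref 1234567890123"


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card brand applies to PANs; filters out order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Stands in for the processor-side vault (assumed component). In practice the
    vault and its key live inside the processor's own PCI-assessed environment."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)        # keyed index: same PAN -> same token
        self._by_fingerprint: dict[str, str] = {}  # HMAC(PAN) -> token
        self._by_token: dict[str, str] = {}        # token -> PAN (never leaves the vault)

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a plausible PAN")
        fp = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        if fp not in self._by_fingerprint:
            # Random token: reveals nothing about the PAN, so holding it is out of scope.
            token = "tok_" + secrets.token_hex(12)
            self._by_fingerprint[fp] = token
            self._by_token[token] = digits
        return self._by_fingerprint[fp]

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when it authorizes a charge."""
        return self._by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """All the merchant retains: a token, a masked PAN for receipts, and the expiry."""
    token: str
    masked_pan: str
    expiry: str


def merchant_store_card(vault: TokenVault, pan: str, expiry: str, cvv: str) -> StoredCard:
    # The CVV is sensitive authentication data: usable for this authorization only
    # and never written anywhere (requirement 3). It is deliberately discarded here.
    del cvv
    return StoredCard(token=vault.tokenize(pan), masked_pan=mask_pan(pan), expiry=expiry)


# 13-19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\d(?:[ -]?\d){12,18}")


def find_pans(text: str) -> list[str]:
    """Scope check: report (masked) every Luhn-valid 13-19 digit run in merchant data."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))     # never echo the full PAN into a report
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    card = merchant_store_card(vault, "4111 1111 1111 1111", "12/29", cvv="123")
    print(card)
    print("PANs in raw log:", find_pans(SAMPLE_LOG))
    print("PANs in stored record:", find_pans(card.masked_pan))
```

Running the script shows the raw order log flagged once (the order reference is ignored because it fails the Luhn check) while the merchant’s stored record yields nothing, which is the point of scope reduction: systems that hold only tokens and masked PANs carry no cardholder data for an assessor to examine. The `find_pans` scanner is the kind of check worth running over logs, databases and file shares before deciding what is in scope.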
Of course, it’s important to process payments through a processor who has appropriate security qualifications of their own. A PCI-certified Level 1 Service Provider is the “gold standard”, as they will have taken the appropriate steps to document and audit their own security efforts, giving their merchants full peace of mind.
At Curbstone, we’ve helped merchants of all sizes reduce their PCI scope through our secure credit card processing technologies. We’ve helped e-commerce merchants, brick-and-mortar retailers, and businesses across nearly every industry qualify for reduced PCI SAQs and more efficiently meet their compliance requirements.
If you’d like to learn more, check out our latest whitepaper: Save Time, Increase Security, and Reduce Your Payment Processing Fees, or contact us to discuss a more efficient way to meet your compliance requirements.