PCI Compliance: Ensuring Secure Online Transactions

Jul 29, 2024

Table of Contents:

1. The 12 Requirements of PCI DSS
2. Who Needs to Be PCI Compliant?
3. The Consequences of Non-Compliance

There are thousands of online transactions happening every minute, and the payment gateway can be a prime target for cyber criminals to steal and use cardholder data and financial information. 

If your business accepts credit cards as a form of payment, it is imperative that you use standard security procedures and technologies to protect these transactions from potential threats. In 2023, 60% of U.S. credit card holders were the victims of at least one fraudulent charge, with unauthorized purchases exceeding $5 billion; 93% of those fraudulent charges involved remote access to personal and account data. This is where PCI compliance comes in: it is a set of standards that businesses must follow to ensure the security of their customers’ payment information.

In this article, we will explore the details of PCI DSS, who needs to be compliant, and the consequences of non-compliance.


Part 1: The 12 Requirements of PCI DSS

PCI compliance is based on the Payment Card Industry Data Security Standard (PCI DSS). It was created in December 2004 by the Payment Card Industry Security Standards Council (PCI SSC) to help standardize practices around the handling of cardholder data and strengthen cybersecurity.

The PCI DSS requires that card account data, which contains sensitive information, be kept secure. This includes the Primary Account Number (PAN), which is unique to the card; Sensitive Authentication Data (SAD), which includes the 3- or 4-digit security code printed on the front or back of the card; and general cardholder data such as the cardholder’s name, address and other personal details.

The PCI DSS includes a set of 12 requirements designed for businesses to securely store and manage sensitive customer payment information:

1. Install and maintain a firewall configuration to protect cardholder data

Firewalls protect cardholder data by restricting incoming and outgoing traffic between the network and untrusted sources. Configure the firewall to identify the traffic that should be allowed or blocked and which ports should be open or closed.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Default passwords supplied by vendors are usually simple to guess and are often published online, making systems that still use them vulnerable to attack. Set strong, unique passwords and security parameters on every system before it goes into service, and keep an inventory of these settings so that none is overlooked.

3. Protect stored cardholder data

This is the most important requirement. When storing cardholder data, ensure it is encrypted using industry-accepted algorithms. Store data in a secure location, and only allow access to authorized personnel who have the proper training and security clearance. Make sure to destroy any cardholder data that is no longer needed.
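One practical way to act on requirement 3 is to make sure full PANs never reach databases, log files or support tickets in the clear, because data you never store is data you never have to protect. The Python below is an added example written for this article (it is not code from the original post or from the PCI SSC): it scans text for candidate card numbers, confirms them with the Luhn check so that order numbers and timestamps are not mangled, and masks everything but the last four digits before the text is written anywhere. The log line it processes is constructed, and the masking policy (last four digits only) is an assumption chosen for illustration; which digits may remain visible in your environment is governed by the standard itself.

```python
"""Find and mask primary account numbers (PANs) before text is stored or logged.

Example written for this article (not from the original post or the PCI SSC).
Candidate PANs are 13-19 digit runs, optionally separated by single spaces or
dashes; only runs that pass the Luhn check are treated as card numbers, so
order numbers and timestamps are left alone. The masking policy (keep the last
four digits only) is an assumption chosen for illustration.
"""
import re

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Replace all but the last four digits with '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str):
    """Mask every Luhn-valid PAN in text; return (redacted_text, number_of_pans_found)."""
    count = 0

    def _replace(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)        # not a card number; leave it untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


if __name__ == "__main__":
    # Constructed log line containing a widely used test card number.
    sample = "order=1234567890123456 card=4111 1111 1111 1111 cvv=123"
    redacted, found = redact_pans(sample)
    print(found, redacted)
```

Run the module directly and it prints `1 order=1234567890123456 card=************1111 cvv=123`: the order number fails the Luhn check and is left alone while the card number is masked. Note that the security code (SAD) is a different case: the standard does not allow it to be retained after authorization at all, so the application should drop such fields rather than mask them. A scanner like this is a safety net for data that leaks into unexpected places, not a substitute for not collecting it.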

4. Encrypt transmission of cardholder data across open, public networks

All cardholder data needs to be encrypted when transmitted across open, public networks, such as when transmitting from a POS system to a payment processor.

5. Use and Regularly Update Anti-Virus Software or Programs

All devices, including workstations, laptops and mobile devices used to access the system, need to have anti-malware software installed. Update the antivirus program regularly to protect your systems and data from malware. Check with your IT provider which antivirus program best meets your needs.

6. Develop and Maintain Secure Systems and Applications

Any business that handles payment card information is responsible for developing and maintaining secure systems and applications in the cardholder data environment in order to avoid data breaches.

7. Restrict Access to Cardholder Data by Business Need-to-Know

“Need to know” is a fundamental concept in PCI DSS. This requirement is designed to restrict access to only those employees who need to know such information to perform their job duties. You must document all the users with such access, their role, and privilege level. 

8. Assign a Unique ID to Each Person with Computer Access

Every authorized user must have a unique identifier and password, with two-factor authentication enabled. This ensures that the person accessing cardholder data can be tracked and that accountability can be maintained.

9. Restrict Physical Access to Cardholder Data

Physical access to data storage, servers and network components should be restricted to authorized employees and visitors only. Recordings and access logs should be retained for a minimum of 90 days.

10. Track and Monitor All Access to Network Resources and Cardholder Data

Organizations should develop and implement procedures for tracking and monitoring access to cardholder data. Logs should be reviewed at least once a day for any suspicious activity, and audit data should be maintained for a minimum of one year.
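To make the daily log review in requirement 10 concrete, and to show how it leans on the documented access list from requirement 7 and the unique IDs from requirement 8, here is an added example written for this article; it is not code from the original post or from any PCI SSC material. It assumes a simple, constructed access-log format (timestamp, user ID, source host, action, table, row count) and a documented list mapping each unique user ID to a role. The field names, sample log lines, thresholds and business hours are all assumptions for illustration.

```python
"""Daily review of cardholder-data access logs (PCI DSS requirements 7, 8 and 10).

Example written for this article, not from the original post or the PCI SSC.
Assumed (constructed) log format, one record per line:
    <ISO-8601 timestamp> user=<id> host=<ip> action=<READ|EXPORT> table=<name> rows=<n>
"""
from datetime import datetime, timedelta
import re

# Documented need-to-know list (requirement 7): unique user ID -> role. Constructed.
AUTHORIZED_USERS = {
    "jsmith": "billing-analyst",
    "dlee": "dba",
    "svc-settlement": "batch-service",
}

BULK_ROWS = 1000                  # exports above this row count are reviewed (assumed threshold)
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59; interactive access outside is flagged (assumed)
SHARED_ID_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample log, already in chronological order.
SAMPLE_LOG = [
    "2024-07-29T02:30:00 user=svc-settlement host=10.0.1.5 action=EXPORT table=settlements rows=800",
    "2024-07-29T09:12:04 user=jsmith host=10.0.5.21 action=READ table=card_tokens rows=3",
    "2024-07-29T09:12:40 user=jsmith host=10.0.9.77 action=READ table=card_tokens rows=2",
    "2024-07-29T11:05:19 user=tmp-admin host=10.0.7.3 action=READ table=card_tokens rows=40",
    "2024-07-29T16:45:02 user=dlee host=10.0.2.8 action=EXPORT table=card_tokens rows=25000",
    "2024-07-29T23:10:11 user=jsmith host=10.0.5.21 action=READ table=card_tokens rows=1",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def review(lines):
    """Return a list of (finding_kind, detail) tuples for an analyst to work through."""
    findings = []
    last_seen = {}   # user -> (host, timestamp) of that user's previous record

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A line the parser cannot read is itself a finding: gaps in the
            # audit trail are exactly what requirement 10 expects you to notice.
            findings.append(("UNPARSEABLE", line.strip()))
            continue

        user, host, ts = rec["user"], rec["host"], rec["ts"]
        role = AUTHORIZED_USERS.get(user)

        # Requirement 7: every ID touching cardholder data must be on the documented list.
        if role is None:
            findings.append(("UNDOCUMENTED_USER", f"{user} from {host} at {ts.isoformat()}"))

        # Unusually large exports are the classic sign of data being staged for theft.
        if rec["action"] == "EXPORT" and rec["rows"] > BULK_ROWS:
            findings.append(("BULK_EXPORT", f"{user} exported {rec['rows']} rows from {rec['table']}"))

        # Interactive users outside business hours; scheduled batch jobs are exempt.
        if ts.hour not in BUSINESS_HOURS and role != "batch-service":
            findings.append(("OFF_HOURS", f"{user} accessed {rec['table']} at {ts.isoformat()}"))

        # Requirement 8: one ID seen from two hosts within a minute suggests a shared
        # (or stolen) account, which defeats per-person accountability.
        prev = last_seen.get(user)
        if prev is not None and prev[0] != host and ts - prev[1] <= SHARED_ID_WINDOW:
            gap = int((ts - prev[1]).total_seconds())
            findings.append(("SHARED_ID", f"{user} seen from {prev[0]} and {host} within {gap}s"))
        last_seen[user] = (host, ts)

    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

On the constructed sample the review produces four findings, one of each kind: the same user ID appearing from two hosts 36 seconds apart, an ID that is not on the documented list, a 25,000-row export of the token table, and a late-night interactive read. The settlement batch job runs at night by design and is exempted through its role, which is why the authorized-user list needs to record roles and not just names. In practice the same checks would run against the previous day's logs every morning, and the findings would be recorded alongside the logs for the one-year retention period the requirement calls for.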

11. Regularly Test Security Systems and Processes

Security systems and processes must be tested on a frequent basis to ensure they are functioning properly and to identify any vulnerabilities. All external IPs and domains are required to be scanned by a PCI Approved Scanning Vendor (ASV), and must undergo an Application Penetration Test and a Network Penetration Test.

12. Maintain a Policy that Addresses Information Security for Employees and Contractors

A security policy must be maintained and communicated to all personnel, vendors and contractors. Organizations need to perform an annual formal risk assessment, as well as user awareness training, employee background checks and incident management.

These 12 requirements are reviewed and verified by a QSA (Qualified Security Assessor) to ensure they are adequately implemented. Failure to comply with the PCI DSS can have significant consequences including financial penalties, reputational damage, and legal liability. 

We understand that PCI Compliance can be a complex and time-consuming process, even for companies with the best intentions. If you would like to discuss your specific PCI compliance requirements or other security services, contact us here.


Part 2: Who Needs to Be PCI Compliant?

The PCI DSS applies to all merchants, including small businesses and entrepreneurs, that process credit card transactions or store cardholder data. This requirement also extends to card issuers and third-party vendors such as payment processors.

While all businesses, regardless of size, must adhere to the 12 PCI DSS requirements, not all are held to the same standards. Large organizations processing over 6 million card transactions annually must undergo an external audit by a QSA (Qualified Security Assessor) and submit a Report on Compliance (ROC) to their banks to demonstrate compliance.

Furthermore, organizations that have experienced data breaches compromising sensitive PCI data (classified as high-risk organizations) must submit audit results as part of the PCI compliance process.

How to Comply with PCI DSS

To become PCI compliant, businesses must demonstrate progress towards full compliance within a year of starting to accept credit card payments. This process involves completing a Self-Assessment Questionnaire (SAQ), which evaluates their PCI compliance status. The required documentation must be submitted to their acquiring bank or payment processor.

The SAQ includes a series of yes-or-no questions designed to evaluate compliance levels and identify compliance gaps. If an answer is no, the organization must provide a future remediation date along with the actions to be taken. The revised questionnaire allows for greater flexibility, accommodating the varying complexities of different merchants or service provider situations (refer to the chart below).

(Chart: PCI DSS Compliance Questionnaire)

The Self-Assessment Questionnaire and supporting information are available from the PCI Security Standards Council. To be able to continue accepting credit card payments, businesses must fill out and submit the SAQ annually. Larger companies may also need to submit quarterly scans to their vendors.

For a comprehensive PCI compliance assessment, small businesses can opt for an external audit by a certified QSA. These trained auditors review procedures, test controls, and audit security practices to report on PCI compliance. This step is mandatory for large organizations.

Note that only the business owner can complete the SAQ; submissions by other employees or IT team members will not be valid. Moreover, if businesses fail to file the necessary paperwork to demonstrate PCI compliance, they will automatically be regarded as non-compliant.

Tackling the PCI compliance questionnaire can be daunting, and while we can’t fill out the form for you, we can help. We can review your merchant account and explain the technical jargon to help you better understand your position so you can accurately fill out the SAQ. Contact us today for personalized support.


Tools for Assessing PCI Compliance 

The PCI SSC sets the twelve standards for PCI Compliance, but every financial institution has its own program for compliance, validation levels and enforcement. It’s essential to understand which PCI compliance program your bank holding company follows. Below are links to information from some of the most popular American card programs:

  • American Express
  • Discover Financial Services
  • MasterCard Worldwide
  • Visa Inc.


Part 3: The Consequences of Non-Compliance

According to IBM’s 2023 Cost of a Data Breach Report, the average cost per compromised record is $164.

Now, consider your credit card account holders. If you fail to protect their data you’ll be looking at thousands if not hundreds of thousands of dollars.

And that’s the tip of the iceberg.

There is a range of other negative consequences including:

  • Financial penalties: Regulatory bodies can impose fines ranging from thousands to millions of dollars, depending on the severity and duration of the violation. In some cases, a percentage of annual revenue may be levied as a fine, which can severely impact a company’s bottom line and shareholder value.
  • Reputation damage: Non-compliance can lead to negative publicity and media coverage, damaging the brand image and eroding customer trust and loyalty. This can have serious consequences for sales and market share, and a long-term impact on company valuation and stock price.
  • Legal liability: Non-compliance can expose companies to lawsuits from affected parties. Besides the legal costs for defense and settlements, which can be substantial, the company may have its license revoked or suspended.
  • Monthly Non-Compliance Fees: Your processors or credit card companies may charge a monthly non-compliance fee, which can add up quickly.
  • Loss of credit card payment capability: Credit card companies may penalize companies for not complying with PCI standards, potentially revoking merchant accounts and preventing them from accepting credit card payments.
  • Loss of Cyber Liability Insurance Coverage: If there is a data breach and the company was deemed non-compliant, their cyber liability insurance will not cover the fines or penalties imposed by banks or credit card companies due to non-compliance with the PCI DSS.


Online shopping has become a modern standard, and PCI compliance is no longer just a recommendation, but a requirement for all businesses that handle payment card information. By following the Payment Card Industry Data Security Standard (PCI DSS) requirements, you can ensure the security of your customers, prevent financial losses, and maintain a positive reputation.

Thankfully, keeping up with PCI regulations doesn’t have to be difficult. At Gravity IT Solutions, we can provide you with the tools and resources to help you achieve and maintain PCI compliance.

Schedule an appointment today so you can swipe credit cards with confidence.
