PCI-DSS stands for the Payment Card Industry Data Security Standard; it is a well-known regulation aimed at protecting consumer credit card information from theft and disclosure. Everything started when the credit card companies began having a significant increase in fraudulent credit card transactions.
Due to regular fraudulent credit card transactions, different credit card companies, including Visa, MasterCard, American Express, and others, decided to create a council to construct an international security standard applicable to the credit card industry. That is when the credit card companies formed the Payment Card Industry Data Security Council (PCI-DSS).
The PCI-DSS applies to all payment merchants or service providers that store, process, and transmit cardholder data such as credit card numbers, card expiry date, CVV, cardholder name, billing address, and other confidential information.
It is also applicable to all companies that provide payment security services to protect cardholder data, such as a firewall management service or cyber security companies responsible for online payment/transaction security. From Banks to retailers to consumers, any company that processes cardholder data must be PCI-DSS Compliant.
What is the Security Standards Council?
PCI standards are required by the card brands and administered by the Payment Card Industry Security Standards Council. The Payments Card Industry Data Security Standard (PCI-DSS) was formed to reduce credit card fraud.
The PCI Security Standards Council is responsible for qualifying companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA). They are also responsible for training people to do these quality assessments.
=> PCI-DSS defines technical & operational requirements for
• Organizations accepting or processing credit card transactions; &
• Software developers and manufacturers of applications & devices used in those credit card transactions
=> QSAs are trained to conduct PCI-DSS assessments
• Sets standards to include avoiding a conflict of interest
• Require initial training programs and certification exams
• Conduct annual training & recertification exam
• Maintain working papers for assessments for three years
PCI-DSS Compliance Levels
All organizations that accept credit and debit cards or that store, process, and transmit cardholder data need to comply with the Standard.
Merchants’ and service provider’s compliance requirements differ depending on several factors, including the size of the organization and the volume of transactions it undertakes.
The criteria that merchants or service providers have to meet are set by the individual payment brands, each of which has its compliance program.
Organizations are classified in one of four levels, depending on the volume of transactions they process. These organizations are required to undergo an independent annual security audit performed by a PCI certified company that has been previously approved by the official Security Standards Council.
Level 1: Merchants handling or processing more than 6 million debit or credit card transactions per year across all the channels are Level 1.
Level 2: Merchants handling or processing 1 million to 6 million debit or credit card transactions per year across all the channels are Level 2.
Level 3: Merchants handling or processing 20,000 to 1 million debit or credit card transactions per year across all the channels are Level 3.
Level 4: Merchants handling or processing fewer than 20,000 debit or credit card transactions per year across all the channels are Level 4.
These are different levels of PCI compliance which merchants are categorized under; however, working with a trusted & certified PCI compliant payment provider such as Stripe can help relieve the burden of acquiring a PCI-DSS certificate.
How to become PCI-DSS Compliant?
To become a PCI-DSS compliant, you must undergo a PCI auditing procedure performed by an independent organization led by a QSA to meet the PCI-DSS requirements. Twelve high-level requirements must be implemented by any businesses or organizations involved in storing, processing, and transmitting credit card data. The requirements are:
1. Protect your systems with firewalls
2. Configure passwords and settings
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open public networks
5. Use and regularly update anti-virus software
6. Update and patch systems regularly
7. Restrict access to cardholder data for limited access on a need to know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to workplace and cardholder data
10. Implement logging and log management
11. Conduct vulnerability scans and penetration tests
12. Maintain a policy that addresses information security for employees and contractors
The PCI-DSS is based on security-based practices, and the 12 requirements are essential to comply with PCI-DSS. These 12 requirements are organized into six control objectives.
1. Build and maintain a secure network and systems
• Install and maintain adequately configured firewalls to protect credit or debit cardholder data.
• Do not use vendor-supplied defaults for system ids or passwords and other security parameters.
2. Protect cardholder data
• Limit cardholder data storage and retention time to that required for business legal and/or regulatory purposes.
• Protect cardholder data in transit and at rest via the use of adequate encryption practices.
3. Maintain a vulnerability management
• Implement the use and ongoing updates of antivirus and malware protection tools and ensure that they produce adequate logs of activities monitored by qualified organizational staff.
• Develop and maintain secure systems and applications.
4. Implement strong access control measures
• Restrict logical and physical access to cardholder data on a need-to-know basis.
• Identify and authenticate access to all systems by using strong authentication practices, passwords, and encryption.
5. Regular monitor and test networks
• Track and monitor all access to network resources and cardholder data.
• Perform penetration tests annually or after a significant system change. The penetration tests required include external network penetration tests, internal network penetration tests, and web application penetration tests.
6. Maintain an information security policy
• Maintain a policy that addresses information security for employees and contractors.
• Implement a robust security awareness and training program and ensure that third-party vendor contracts have adequate security coverage.
These are the six controlled objectives required by businesses to become compliant with PCI-DSS standards.
The PCI-DSS Compliance Process
PCI-DSS compliance is a continuous process that consists of three primary steps.
First, identifying and analyzing all IT assets, business processes, and locations used in storing, processing, and transmitting cardholder data for vulnerabilities.
Second, all identified vulnerabilities must be remediated and may include the implementation or change of systems, business processes, and business partners.
Third, your state of compliance must be documented in a compliance report, ROC, or a self-assessment questionnaire, SAQ, depending on the PCI-DSS level.
Additionally, the attestation of compliance, AOC, must be completed by a qualified security Assessor or by the merchant if the internal audit performs the validation. The AOC is a declaration of the merchant or service provider’s compliance status with the PCI data security standard.
What is PCI ROC?
A ROC (Report on Compliance) is a test of the standards applied by an organization responsible for protecting cardholder data. It must be conducted by a PCI certified Qualified Security Assessor (QSA), who will issue a formal report to the PCI Security Standards Council to attest that your organization is in full compliance with the standard. A PCI ROC is applicable for all Level 1 merchants.
What is PCI SAQ?
Ideal for small merchants and service providers, a Self-Assessment Questionnaire (SAQ), is designed as a self-validation tool to assess security for cardholder data. There are several types of SAQ, each of which has different requirements; some require internal and external vulnerability scans and regular penetration testing.
What is the difference between ROC and SAQ Assessments?
|Report on compliance (ROC)||Self-assessment questionnaire (SAQ)|
|Performed by an independent organization||Intended to assist merchants and service providers in self-evaluating their PCI-DSS compliance|
|Led by a QSA||May engage a QSA to assist or perform the assesment|
|Applicable to level 1 merchants and service providers||Applicable to all levels except level 1|
|Acquiring banks may elect other levels to do a ROC||Eight different types of SAQ|
What are the penalties for non-compliance?
The PCI-DSS is a standard, not law. It’s enforced through contracts between merchants, acquiring banks, and payment brands. Each payment brand can penalize banks for PCI-DSS compliance violations, and acquiring banks can withdraw the ability to accept card payments from non-compliant merchants.
Compliance with the standard is too complicated, and many organizations fail to maintain their compliance. Verizon's 2018 failing security report found that nearly half (47.5) percent of organizations assessed for interim PCI DSS compliance had been unable to maintain all security controls.
We'd recommend using a third-party PCI-DSS compliant processor such as Stripe if you don't want to go through the hassle of becoming PCI compliant. And if you are using Stripe as your payment processor, make sure to check out Payvoice App for your recurring and subscription transactions.
If a payment processing company outsources some processes such as IT operations or data center, such external vendors need to be PCI compliant and not just certified.