The Quick and Easy Guide to PCI Compliance

PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during credit card transactions to prevent fraud and data breaches.


What is PCI Compliance? Who is it for?

PCI DSS compliance is a highly ranked concern for many organizations because non-compliance with any regulatory framework can expose a company to financial penalties due to data breaches and stolen data. Some important responsibilities that come with key management and certificate duties include making sure your company has a strong security system in place, and ensuring that your certificate key never expires or is compromised. Payment Card Industry Data Security Standard (PCI DSS) compliance is the largest concern for any company or enterprise because credit card information is among the most sensitive and valuable information that can be stolen, so the payment card industry wants there to be very strict requirements in place to protect it. The PCI SSC determines all the PCI DSS compliance requirements, and you must follow all of their rules if you want to accept payment card information from these companies. PCI DSS is built into the respective compliance programs of all payment card companies, and those programs must be adhered to. The PCI Self-Assessment Questionnaire is a set of questions corresponding to the PCI Data Security Standard requirements, designed for service providers and merchants.

4 Levels of PCI Compliance

Level 1: Merchants processing 6 million plus payment card transactions per year.
Level 2: Merchants processing 1 to 6 million card transactions per year.
Level 3: Merchants handling 20,000 to 1 million card transactions per year.
Level 4: Merchants handling fewer than 20,000 card transactions per year.

Credit card companies such as Visa, MasterCard and Discover all have their own table of merchant levels, and have approved the merchant levels above. PCI compliance level is validated through the Self-Assessment Questionnaire. Acquiring banks have a say in your PCI compliance because they are responsible for many non-compliance fines for payment card brands. Payment card brands may also impose additional requirements before they can declare that your organization is a level 1, 2, 3 or 4.

Why do we need it?

Anyone who accepts payment card information from brands such as Visa, American Express, Discover and Mastercard must comply with PCI DSS. PCI DSS has four different compliance levels; each level has requirements that businesses must follow to prove they are PCI compliant. All sellers, service providers, and banks need to prove they are PCI compliant because they all handle payment card information. We need PCI compliance to help prevent any possible data breaches and fraud.


PCI Compliance Requirements

1. Firewall

PCI DSS requirements include installing and monitoring a strict firewall to protect your data. A firewall needs to be monitored, and traffic needs to be controlled as information goes in and out of the network. It's very important to choose the right firewall based on the needs of your organization. All firewalls are different, and can be either host-based or network-based. Establishing a firewall and picking the right vendor should never be overlooked. Firewalls need to have well-documented security and operational procedures that are available to key holders of the organization. A firewall needs to block direct public access between the internet and all system components which are a part of the cardholder data environment. Requirements of PCI DSS also include developing strict router configurations that restrict connections between untrusted networks and any system components. Installing personal firewall software on portable devices, so that mobile devices can safely connect to the internet outside of the network, is also very important.

2. Change IDs and Passwords

New devices usually have vendor default information for their password and ID, which is available online and easy for criminals to access. Hacking into a device using vendor defaults is a very easy process and organizations need to be aware of this. PCI DSS compliance requires businesses to change this default information to avoid having unwanted hackers in your system. PCI DSS also requires businesses to ensure any shared hosting providers are protecting cardholder data. Operational procedures, security policies, and security parameters for managing vendor defaults must be documented. All non-console administrative access must be encrypted. There must also be configuration standards for all system components that address security vulnerabilities and meet industry-accepted system hardening standards.

3. Protect cardholder data-at-rest

All personal information should be encrypted at-rest and in-transit. Encrypting data at-rest protects it in the event of a network intrusion. Hackers find this information to be useless because it can't be decrypted. All information used to implement procedures and to manage encryption keys needs to be well documented. Primary Account Numbers (PANs) should be masked when displayed, so that only personnel with a legitimate business need are able to see the first six/last four digits of the PAN. All PANs should also be rendered unreadable using hashing, encryption or truncation.
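The masking, truncation and hashing forms described above can be produced as follows. This is an added example, not code from the original article; the function names, the `business_need` flag and the placeholder key are assumptions, and the card number is a constructed sample (a widely published test number).

```python
import hashlib
import hmac

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject mistyped or non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalize_pan(raw: str) -> str:
    """Strip separators and refuse anything that is not a plausible PAN."""
    pan = raw.replace(" ", "").replace("-", "")
    ok = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
    if not (ok and luhn_valid(pan)):
        raise ValueError("input is not a valid PAN")
    return pan

def mask_pan(raw: str, business_need: bool = False) -> str:
    """Display form: last four digits; first six only with a business need."""
    pan = normalize_pan(raw)
    head = pan[:6] if business_need else ""
    return head + "*" * (len(pan) - len(head) - 4) + pan[-4:]

def truncate_pan(raw: str) -> str:
    """Storage form: the middle digits are discarded, not just hidden."""
    pan = normalize_pan(raw)
    return pan[:6] + pan[-4:]

def pan_token(raw: str, key: bytes) -> str:
    """Storage form: keyed hash (HMAC-SHA-256). A key is used because the
    space of possible PANs is small enough to guess against a plain hash."""
    pan = normalize_pan(raw)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    sample = "4111 1111 1111 1111"           # constructed sample PAN
    key = b"placeholder-key-from-key-store"  # assumption: real key is managed
    print(mask_pan(sample))
    print(mask_pan(sample, business_need=True))
    print(truncate_pan(sample))
    print(pan_token(sample, key))
```

Keep the truncated form and the hash of the same PAN out of the same record unless additional controls are in place, since together they leave far fewer digits unknown.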

4. Protect cardholder data-in-transit

It's required for all websites to protect cardholder data-in-transit. If your connection is ever compromised or rerouted, it would be easy for the data to be intercepted or stolen, which is why protecting cardholder data-in-transit is so crucial. SSL/TLS protects you from these attacks because the data is encrypted rather than traveling as plaintext, so it is useless to whoever intercepts it.

5. AntiVirus

Antivirus needs to be updated regularly in order for it to be the most effective. Any system that can be affected by malware should have antivirus. Your antivirus should run regular scans, stay up to date, and be well documented. Antivirus should always be running, and non-privileged users should not have access.

6. Develop and Maintain secure systems and applications

Maintaining a good patching cadence and a diagnostic system that can find vulnerabilities should be a key requirement in the development of any security system. Identifying security vulnerabilities and using reputable outside sources for security vulnerability information helps protect your system components and software. It's important to have vendor-supplied security patches, and change control processes and procedures that meet the needs of your system components. Coding vulnerabilities should always be addressed in formal software-development processes, and every organization needs to address new threats and vulnerabilities for public web-facing applications.

7. Restrict access to Data

Employees should never have complete access to your data. Privileges should be assigned on your network, and employees should only have access to data directly related to their job.

8. Unique ID and Authentication

In order to enforce control, everyone should be authenticated with a unique ID. Companies need to have rules in place to deal with inactive IDs, lost passwords and terminated IDs, and should have multi-factor authentication in place to add another layer of security to the system.

9. Restrict Physical Access to Data

PCI DSS compliance requirements also include ensuring that you have physical safeguards preventing unauthorized access to hardware. Encryption keys for example should be stored on physical hardware to enhance security and make sure only authorized personnel can see them. Employees should have limited access to sensitive areas and strict procedures should be set in place for visitors. Facility entry controls such as locks should be set in place to monitor physical access to cardholder data.

10. Monitor network data

Most organizations already monitor their network traffic to look for odd usage patterns. Clocks should be synchronized across your network, and audit trails should be implemented to track network access by each individual.

11. System Scanning

System scans provide a company with actionable intel for remediating anything they turn up, in a ready-to-submit report. Processes should be set in place to detect and identify all authorized and unauthorized wireless access points. A change-detection mechanism and intrusion-detection and/or intrusion-prevention techniques should also be deployed to prevent unauthorized users from entering your network.

12. Security Policy

Every organization should have a security policy in place to administer its network IDs, regulate scanning, and document all of the PCI DSS requirements. Usage policies for critical infrastructure should be in place, and formal security awareness and training programs need to be defined for all personnel affected. Also, all hires should be screened because they could be potential threats, and data processing agreements should be maintained with partners that share cardholder data.


Reporting

PCI compliance requires that businesses submit scan reports to their acquiring bank and payment brands at least every three months through an Approved Scanning Vendor (ASV) assigned by the PCI Security Standards Council (PCI SSC). Also, larger businesses must have an on-site assessment each year that is approved by a Qualified Security Assessor (QSA) in order to meet PCI compliance requirements.

Penalties for Non Compliance

The penalties for being non-compliant can range from $5,000 to $500,000. Visa reported over $4.6 million in non-compliance fees in 2016. Non-PCI-compliant merchants and payment processors could also face additional forensic investigation and remediation costs, increased rates charged by banks, and the loss of the ability to process credit card transactions for their organization. The costs of ignoring PCI compliance are very severe, so the regulations must be followed by all businesses.


Written by
Paul Baka

