If your business deals with credit card payments in any way, then PCI compliance is going to be a fact of life, and an essential part of running your business securely and efficiently. PCI compliance is a critically important step in protecting your customers' or partners' payment card data, and an equally important step in protecting your business from the dire consequences of a data breach.
Unfortunately, there's a lot of misinformation surrounding PCI DSS and what exactly it means to be compliant with the regulation. Last week, we set out to debunk a few of the most common myths surrounding PCI DSS, but if you're not a technical person, you may still have some questions.
In this article, we'll explain what PCI DSS is, how the regulation affects businesses of different sizes, the twelve rules of PCI DSS, and why you should strive to maintain compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS), commonly known simply as PCI, is a set of security standards established by the PCI Security Standards Council (PCI SSC) in order to ensure that all companies that collect, transmit, store, or process payment card data maintain a secure environment. The PCI SSC was founded in 2004 by the major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) and introduced PCI DSS 1.0 in December of that year.
Since then, there have been eight updates to the standard, leading up to the current version, PCI DSS 3.2.1.
Compliance Requirements Depend on the Size of Your Business
To determine the requirements that apply to individual businesses, the PCI SSC created a four-level system for classifying businesses by size and risk. These merchant risk levels are based on the overall number of payment card transactions that a company conducts on an annual basis, with Level 4 being the lowest level of risk, and Level 1 being the highest.
For the most part, small businesses land in Level 4, while Level 1 covers large, multi-national retailers like Amazon and Walmart. However, any organization that has had a data breach is also likely to be moved into Level 1, regardless of size or number of annual transactions.
Here's how the four levels break down:
- Level 1: Merchants with more than 6,000,000 transactions per year, or those that have had data compromised in the past.
- Level 2: Merchants with 150,000 to 6,000,000 transactions per year.
- Level 3: Merchants with 20,000 to 150,000 transactions per year.
- Level 4: Merchants with fewer than 20,000 transactions per year.
It's also worth noting that the PCI SSC considers eCommerce transactions riskier than in-person transactions, and therefore it takes fewer eCommerce transactions to move into a higher PCI compliance level.
The Twelve Basic Rules of PCI DSS Compliance
So now that we know what PCI DSS is and who it applies to, let's take a look at the rules put forth by the security standard.
The PCI Data Security Standard specifies six goals known as "control objectives." The six goals of PCI DSS are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
To meet these goals and be in compliance with PCI DSS, organizations must comply with twelve rules. Let's take a look at those rules and what it takes to comply with them.
1. Install and maintain a firewall configuration to protect cardholder data. This means that you may not store cardholder data on an unprotected network. Likewise, merely having a firewall won't get you off the hook. You must take steps to properly configure your firewall and make sure that it remains properly configured.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. We hope that this is self-evident, but sometimes the obvious must be stated: Do not—under any circumstances—use default passwords.
3. Protect stored cardholder data. This rule states that any cardholder data stored on your network must be protected. That typically means perimeter defenses like the firewall mentioned above, along with encryption of cardholder data stored at rest on your network.
4. Encrypt transmission of cardholder data across open, public networks. Just as cardholder data must be encrypted at rest, so must it be encrypted in transit. Data can be extremely vulnerable when transmitted across open, public networks, especially when sent via insecure methods such as plain FTP servers. A secure file transfer tool is your best bet for moving cardholder data securely and in compliance with regulations.
5. Protect all systems against malware and regularly update antivirus software or programs. This rule stipulates that you must install and maintain a regularly updated antivirus program.
6. Develop and maintain secure systems and applications. This essentially means that you must patch your systems, and stay on top of any critical security patches.
7. Restrict access to cardholder data by business need-to-know. Access to cardholder data should only be granted to the extent that it is necessary for the performance of an employee's duties, and should be revoked once it is no longer required.
8. Identify and authenticate access to system components. Any user with access to cardholder data must have a uniquely identifiable access method, and each instance of access must be appropriately verified, whether by password or multi-factor authentication.
9. Restrict physical access to cardholder data. This requirement encompasses all physical methods used to restrict access to cardholder data. The Quick Reference Guide provides an extensive list of methods for meeting this requirement.
10. Track and monitor all access to network resources and cardholder data. This is a two-part requirement. Not only must you have a network monitoring system in place that can generate logs and detect and report the failure of a security system, but you must also be able to track any and all access to critical systems, and be able to audit that access.
11. Regularly test security systems and processes. Networks must be regularly scanned for vulnerabilities, and depending on your merchant risk level, pentesting may be in order.
12. Maintain a policy that addresses information security for all personnel. You must maintain a company-wide information security policy.
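Several of the rules above meet in any piece of code that hands cardholder data to a person: need-to-know access (rule 7), a unique identity for every user (rule 8), masking of stored data (rule 3) and an audit trail of every access (rule 10). The following Python sketch shows those four working together. It is an added example, not code from the original article or from any PCI SSC material; the roles, record ids, log key and the Visa test number 4111111111111111 are constructed, the first-six/last-four masking follows PCI DSS requirement 3.3, and encryption of the vault at rest (the rest of rule 3) is deliberately left out and noted in a comment.

```python
"""Added example (constructed): a minimal cardholder-data access layer."""
import hashlib
import hmac
import json
import re
import time

# Constructed: which roles may see which view of a PAN (Rule 7, need-to-know).
NEED_TO_KNOW = {
    "refund_clerk": {"masked"},
    "fraud_analyst": {"masked", "full"},
}

# Constructed in-memory "vault". A real vault keeps PANs encrypted at rest with
# managed keys (Rule 3); only access control and auditing are demonstrated here.
_VAULT = {"rec-1001": "4111111111111111"}   # Visa test number, not a real card

# Constructed key for a keyed, non-reversible reference in log lines, so the
# audit trail (Rule 10) never becomes a second store of cardholder data.
_LOG_KEY = b"hypothetical-log-hmac-key"

AUDIT_LOG = []   # one JSON string per access attempt, granted or denied


def luhn_valid(digits):
    """Luhn mod-10 check, the checksum every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display at most the first six and last four digits (PCI DSS req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _log(user_id, record_id, view, outcome):
    """Append one audit record; never the PAN itself, only a keyed reference."""
    pan = _VAULT.get(record_id, "")
    ref = hmac.new(_LOG_KEY, pan.encode(), hashlib.sha256).hexdigest()[:12]
    AUDIT_LOG.append(json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "user": user_id,          # unique user id (Rule 8), never a shared account
        "record": record_id,
        "view": view,
        "outcome": outcome,
        "pan_ref": ref,
    }))


def access_pan(user_id, role, record_id, view="masked"):
    """Return the requested view of a PAN, enforcing need-to-know (Rule 7)
    and logging every attempt, including denials (Rule 10)."""
    if view not in NEED_TO_KNOW.get(role, set()):
        _log(user_id, record_id, view, "denied")
        raise PermissionError(f"{user_id} ({role}) may not view {view} PAN")
    pan = _VAULT[record_id]
    _log(user_id, record_id, view, "granted")
    return pan if view == "full" else mask_pan(pan)


_PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_unmasked_pans(text):
    """Flag Luhn-valid 13-19 digit runs: likely PANs leaking into logs or files."""
    return [m for m in _PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def audit_log_is_clean():
    """Self-check for Rule 10 logs: the audit trail must hold no full PAN."""
    return not find_unmasked_pans("\n".join(AUDIT_LOG))
```

`find_unmasked_pans` is the piece worth reusing beyond this sketch: run it over application and web-server logs, exports and backups to catch cardholder data that was written where it should never be stored, which is how "protect stored cardholder data" is most often broken in practice. The Luhn filter keeps the false-positive rate down for timestamps, order numbers and other long digit runs.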
If It's Not a Law, Why Should You Comply?
Early in this article, we mentioned the myths surrounding PCI DSS compliance. Here's a dangerous myth that has some truth to it: PCI DSS is not a law.
That's true. PCI DSS is not a law, but the consequences of non-compliance can be just as severe as the violation of a federal regulation.
Failure to comply with PCI DSS could leave your business liable to fines of between $5,000 and $100,000 per month, and could lead to the termination of your partnership with your credit card companies.