What is PCI DSS? Managing Compliance for Your Business

If you’re a service provider or retailer who accepts credit and debit card payments online, it’s likely you’ll need to comply with PCI DSS in your operations.

Credit card numbers represent some of the most sensitive information that consumers possess and they’re a hot commodity for cyber thieves. Hackers aren’t going to wait for you to develop strong defenses before they attack. You want to make yourself a more difficult target by beefing up your security strategy.

Here are the essentials you need to know about PCI DSS and the steps you can take to prepare for achieving compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global cybersecurity standard for businesses that handle branded credit cards from major credit card networks (think Visa, Mastercard, Discover, etc.). Although these networks have mandated compliance, it’s the Payment Card Industry Security Standards Council (PCI SSC) that handles its administration.

PCI DSS was developed in 2004 to address the growing trend of credit card fraud as online payments became more prevalent. Currently, any merchant or service provider that handles credit card information through an e-commerce site or point-of-sale system in a physical location must be PCI compliant.

PCI DSS compliance has four levels, based on how many transactions a company processes every year:

  • Level 1: More than six million annual transactions
  • Level 2: Between one and six million annual transactions
  • Level 3: Between 20,000 and one million annual transactions
  • Level 4: Fewer than 20,000 annual transactions

In addition, each card network maintains its own compliance requirements table for businesses and may have its own internal security assessors.

8 Steps to Achieve PCI DSS Compliance in Your Business

The PCI SSC has outlined a series of requirements for handling cardholder data and securing your network. Follow these steps to get started with PCI compliance for your business.

1. Determine the Scope of Your PCI DSS Compliance

Start with an audit of your information security and infrastructure that receives, processes, stores, or transmits cardholder information. Conduct a full inventory of these tools or resources, including their current compliance status. The PCI SSC provides an online tool for identifying approved PIN devices for running transactions, which can help you get started.

2. Classify Your Data and Perform a Gap Analysis

You should identify where and how cardholder information is being processed and stored in your infrastructure. We recommend implementing a data classification system to make it easy for you to spot information that needs to be protected.

After this, use the information you gathered in step one to perform a gap analysis. Pay attention to potential vulnerabilities, risks, or areas where you’re currently not compliant. The next six steps map onto the PCI DSS framework and will help you address them.

3. Secure the Network

Besides the cybersecurity measures you’ve already taken, two PCI DSS requirements exist regarding your network. You must:

  • Install and maintain a firewall on your network (for Windows 10 and macOS)
  • Ensure all passwords are original, not vendor-supplied

We recommend you go beyond these measures and implement a set of strong cybersecurity policies for your entire organization.

4. Secure All Cardholder Data

Make sure that any cardholder data you’re currently storing is kept in a secure environment. PCI DSS notes that you can also satisfy the requirements for cardholder data security if you don’t store any data at all. PCI SSC recommends:

  • Storing data only if it’s absolutely necessary
  • Verifying ahead of time that your payment card forms/terminals/POS comply with all security requirements
  • Protecting or masking (truncating) sensitive information such as the primary account number (PAN) on printouts like receipts, especially if you are sending receipts via potentially unsecured means such as email

5. Implement Vulnerability Management

PCI DSS also requires specific vulnerability management measures for cardholder data. Make sure that you’re using an up-to-date antivirus for your network, as well as up-to-date software across your systems. We recommend that you also consider:

  • Implementing auto-updates (for Windows 10 and macOS)
  • Developing a policy for security patches and updates

6. Strengthen Your Access Control

Access control involves restricting the ability of users (or non-users) to access parts of the system or premises that store sensitive information. In addition to user account privileges, you should also consider physical safeguards. Make sure that:

  • Cardholder data is not stored on unsecured devices like USBs, personal laptops, or smartphones.
  • Strong cryptography is used in combination with layered security technologies and processes.
  • Servers are kept in locked rooms to which unauthorized parties do not have access.
  • Only employees who need to access cardholder data can do so, and that access is monitored.
  • Each employee with system access has a unique ID attached to them, and no accounts with access to cardholder data are shared accounts.

7. Implement Network Monitoring and Testing

A strong network monitoring system should be part of the front line of defense for any security program. Without it, breaches go undetected longer and can cause more damage. PCI DSS requires that merchants track and monitor access to network resources and cardholder data.

Additionally, implement periodic testing and reviews of your policies and procedures to ensure they remain updated. At the very least, you should conduct an annual review plus reviews after every documented incident.

8. Develop Your Information Security Policies

Your final step for achieving PCI DSS compliance involves solidifying your procedures and policies in a written information security policy. You should document safeguards, roles, responsibilities, and other important security information for employees and contractors.

Following this, we highly recommend conducting security awareness training for your business. This ensures that everyone is on the same page and understands why existing policies are in place, as well as each member’s roles and responsibilities as they pertain to information security.

PCI DSS Compliance

How to Show You are PCI DSS Compliant

  • Report on Compliance: This audit report must be performed by a Qualified Security Assessor (QSA) and applies to Level 1 merchants and service providers. A thorough audit is conducted by the QSA which includes a complete review of the controls associated with the PCI DSS. This is produced through a complete assessment by the QSA of the organization’s systems, security posture, and protection of cardholder data.
  • Self Assessment Questionnaire (SAQ): An SAQ is your statement of PCI compliance which shows that you’re taking the security measures necessary to keep cardholder data safe. It is a validation tool to demonstrate compliance with PCI requirements, which is designed for small merchants and service providers. Different SAQs are available for different business environments and not all businesses are required to submit an SAQ.

How Often is PCI DSS Assessment Required?

Vulnerability scans need to be completed once every 90 days (every quarter). On an annual basis, Level 1 and Level 2 merchants must be audited for PCI DSS compliance while Level 3 and Level 4 merchants must submit a self-assessment questionnaire. Regardless of what level you are as a merchant, you must undergo an onsite audit annually if you have ever experienced a data breach. 

What are the Fees & Consequences for Non-Compliance?

Non-compliance carries numerous consequences, including lawsuits and governmental action. The fines through PCI DSS range from $5,000 to $100,000 per month until compliance is achieved. Banks may also increase transaction fees, and your ability to process payment cards can be revoked until you become PCI DSS compliant.

Get PCI Compliant Today with Carbide

Every year, roughly 10 million Americans experience identity theft, with a significant number of them finding their credit card numbers stolen. This can and does wreak havoc since credit cards represent such a major aspect of our lives. Make sure you’re protecting your customers’ most sensitive information by working toward PCI DSS compliance now.

You can make it easy with an information security management platform like Carbide. Your business gets a secure foundation when you use powerful tools to generate custom policies, review configurations, and manage an effective information security strategy. Don’t settle for stop-gap methods and spreadsheets – get the right tools for the job and keep your customer data safe.