The Payment Card Industry Standard is changing, are you ready? Learn about PCI DSS v4.0 here.

Author: Sue Poremba

New requirements for electronic payments are coming. Will your business be impacted?

The short answer is: “Yes.” 

In March 2022, the Payment Card Industry (PCI) Security Standards Council (PCI SSC) released version 4.0 of the PCI Data Security Standard (PCI DSS). This major release brings significant changes to compliance requirements. Payment Card Industry (PCI) compliance means adhering to a set of standards, developed by the PCI SSC, that govern electronic payment transactions and help protect your business against threats such as malware, phishing, unauthorized remote access, skimming, stolen passwords, and out-of-date software.

Why is PCI compliance important?

PCI compliance can help keep your and your customers’ sensitive personal data secure and out of the hands of cyber criminals. Data breaches can be very damaging to both the public and private sector. They can result in lost confidence, bad press, legal challenges, declining profits, and other damages.

It’s no surprise that with the rising number of payment card transactions, the need for payment security has evolved. Add in the adoption of cloud computing, digital and contactless payments, and the growth of omnichannel commerce, and you have a widening attack surface that continues to grow in complexity.

What does PCI DSS cover?

PCI DSS covers the gamut from technical to operational system components that connect to cardholder data (CHD), no matter how your business accepts payments. This means that if your organization stores, transmits, handles, and/or processes financial transactions via credit cards, debit cards or any type of electronic payment, you must follow the PCI DSS to help protect payment data.

PCI DSS v4.0 is the most significant update to the PCI DSS since its initial release in 2004. It will help organizations ensure that data security controls remain relevant and effective in a shifting payment security landscape.

PCI compliance: Who does it apply to?

Generally speaking, if you accept or process payment cards, the PCI DSS applies to you.

There are 12 general security requirements to maintain payment security; however, it’s important to note that there are also additional sub-requirements which may or may not be applicable to you, depending upon your business. At a glance, the PCI DSS requirements as defined by the PCI SSC website are:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect CHD
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data (CHD)

  • Protect stored CHD
  • Encrypt transmission of CHD across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to CHD by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to CHD

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and CHD
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors

PCI compliance: How is it validated and reported?

The release of PCI DSS v4.0 introduced several changes to validating and reporting compliance.

There are several fundamental compliance validation actions that organizations must complete, including:

  1. Meet all applicable requirements: Producing recorded evidence that all applicable requirements set out by the PCI SSC are met.

  2. Establish and maintain a secure environment: Establish a cardholder data environment (CDE) that meets all the applicable baseline security requirements as specified within the PCI Data Security Standard. The CDE is comprised of all system components, people, and processes that store, process, or transmit CHD or sensitive authentication data (SAD), and/or system components that may not themselves store, process, or transmit CHD or SAD but have unrestricted connectivity to system components that do.

  3. Network security assessments: Perform a series of security vulnerability scans of the network and applications. This technical exercise requires the help of outside firms that are designated Approved Scanning Vendors (ASVs). An ASV is a data security firm using a scanning solution to determine whether or not the customer meets the PCI DSS external vulnerability scanning requirement. ASVs are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. ASVs use a remote tool to detect any vulnerabilities or data security risks in the scanned organization’s systems. These scans must be performed on a quarterly basis (once every 90 days). The PCI SSC publishes a list of the ASVs it has approved.

    Almost all merchants must undergo a scan, regardless of applicable compliance level. However, some merchants who complete a self-assessment questionnaire (SAQ) might be exempt, based on the same subclassification used to select the appropriate SAQ form. Specifically, entities qualifying for SAQ A-EP, B-IP, C, and D (merchant or service provider) are all obligated to pass the vulnerability scan requirement, while SAQ A, B, C-VT, and P2PE-HW are not.

  4. Environment security assessment: Complete an assessment that shows the level of security of a business's systems and practices. Depending on assessment and reporting levels, as well as other criteria, the assessment may be required to be conducted by a Qualified Security Assessor. A Qualified Security Assessor (QSA) is an individual certified by the PCI SSC to validate another entity's PCI DSS compliance. QSAs must be employed and sponsored by a QSA Company, which also must be certified by the PCI Security Standards Council.

    The PCI DSS includes more than 400 compliance validation testing procedures. Some assessments may be conducted by Internal Security Assessors (ISAs). An ISA is an individual who has earned a certificate from the PCI Security Standards Council on behalf of their sponsoring organization, and can conduct PCI security self-assessments for that organization.

  5. Compliance reporting: Complete and submit a compliance report. PCI DSS validation reports are the official mechanism by which merchants and other entities report their PCI DSS compliance status to their respective acquiring financial institutions or payment card brand. Depending on the applicable compliance reporting and validation levels, this will either be a self-assessment questionnaire (SAQ) or a report on compliance (ROC). Each report is accompanied by a completed and signed attestation of compliance (AOC) form – as described below. 
  • Compliance validation reporting requirements
    All organizations that are required to validate PCI DSS compliance need to complete and submit a set of compliance validation reporting documents. Merchants and service providers need to complete a report on compliance (ROC), and those that do not need a ROC will complete a self-assessment questionnaire (SAQ). If an organization’s assessment confirms compliance with DSS requirements, or if it shows failure, the organization must complete and submit an Attestation of Compliance (AOC). 
  • PCI DSS self-assessments
    Organizations with relatively low payment card transaction volumes typically perform a self-assessment and report their compliance status using one of the applicable SAQs. While SAQs mainly apply to small merchants, some service providers may be defined by a payment brand as eligible to complete an SAQ (“SAQ D for Service Providers”). There are seven different types of SAQ forms that can be used to assess PCI DSS compliance and CHD security – depending on the needs of different merchant and service provider environments.

The Quick Reference Guide to the PCI Data Security Standard (PCI DSS) is provided by the PCI SSC to inform and educate merchants and other entities involved in payment card processing. 

What is the timeline for PCI compliance?

On March 31, 2024, PCI DSS v3.2.1 will be retired, making compliance with PCI DSS v4.0 mandatory for all organizations involved in payment data security. Protect your customers' payment information and your reputation.

To learn more about how to achieve PCI DSS v4.0 compliance, read the 2023 Verizon Payment Security Report insights white paper or contact us at [email protected].

Frequently asked questions

What is PCI DSS?
  • Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for storing, processing, and transmitting payment card information in a secure manner.

Is my business required to be PCI security compliant?
  • If you accept credit cards, debit cards or electronic payments from any of the Payment Card Industry participating card brands (American Express, Discover, JCB International, Mastercard, UnionPay, Visa Inc.), your business will likely be contractually required to follow the PCI Security Standard. This Standard applies across industries.

What happens if my business does not comply with PCI DSS v4.0?
  • Failure to meet the PCI Standard could result in your business suffering an incident or breach, which in turn may lead to potential consequences such as:

    • Fines or penalties
    • Diminished sales
    • Lost revenue
    • Damaged reputation
    • Lawsuits, settlements
    • Cost of identity theft protection / credit monitoring for affected customers
    • Remediation costs

How do I make sure my business is PCI compliant?
  • The PCI Security Standards Council (SSC) provides a list of 12 main PCI DSS requirements. Maintaining compliance can be challenging because it's so complex. To learn more about how to design a PCI security program that will simplify achieving and maintaining PCI DSS v4.0 compliance, read the 2023 Verizon PSR insights white paper or contact us at [email protected].