What is Payment Card Industry Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations that apply to companies that process, store, or transmit credit card data. The PCI DSS was created in 2004 by the major credit card companies, including Visa, Mastercard, American Express, and Discover.
PCI compliance is mandatory for all companies that process credit card data. The PCI DSS requires companies to implement a variety of security measures, including firewalls, intrusion detection systems, and anti-virus software. Companies that fail to comply with the PCI DSS can face stiff penalties, including fines.
What is a PCI Assessment?
A PCI (Payment Card Industry) assessment is an evaluation of an organization’s security measures and processes relating to the handling of payment card data. The goal of a PCI assessment is to help organizations identify and correct any vulnerabilities that could lead to a data breach.
Organizations that process, store, or transmit payment card data must comply with the PCI Security Standards Council’s (PCI SSC) security requirements. These requirements are detailed in the PCI Data Security Standard (DSS), which outlines the basic measures businesses must take to protect payment card data.
How to pass a PCI Assessment
If your business accepts or processes credit cards, you’ll need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This comprehensive security framework was created to protect cardholder data and prevent credit card fraud.
One of the requirements of PCI DSS is passing a quarterly vulnerability scan and annual penetration test. If your business is not yet compliant, don’t worry – there’s still time to get prepared. In this section, we’ll show you how to pass your PCI assessment.
*Please note depending on the payment processor provider that you use your exact requirements will vary.
1) Identify your Merchant Level
Merchants who process six million or more transactions per year across all channels qualify as Level 1 and have the most strenuous PCI compliance scanning requirements:
A Report on Compliance (ROC), a long-term external analysis, typically on-site, of all PCI DSS requirements and corresponding security controls in practice
Merchants who process between one and six million transactions per year are Level 2, and those who process between 20 thousand and one million are Level 3.
Both require:
An Attestation of Compliance (AOC), a slightly less rigorous analysis of all security systems’ and controls’ design, per DSS Requirements, along with the required documentation for a PCI Merchant Level 4 (see below)
Merchants who process fewer than 20 thousand transactions per year or up to one million e-commerce transactions (in some cases) qualify as Level 4, which requires:
A Self-Assessment Questionnaire (SAQ), filled out internally by the company being assessed, with simple yes or no answers to questions about all controls.
2) Implement the 12 PCI Assessments Requirements
PCI DSS Goal 1 – Ensure security across all networks and systems:
PCI DSS Requirement 1: Install and update firewall configurations to establish a secure perimeter around systems containing or connected to cardholder data.
PCI DSS Requirement 2: Create unique passwords and upgraded security
parameters to replace all default, vendor-supplied settings across all assets.
PCI DSS Goal 2 – Protect all cardholder data controlled, used, or stored:
PCI DSS Requirement 3: Protect cardholder data in internal or external storage and ensure that cardholder data is only stored and retained if it is necessary.
PCI DSS Requirement 4: Encrypt all cardholder data and other relevant data pertaining to customers that must be transmitted across any public network.
PCI DSS Goal 3 – Implement a vulnerability management program:
PCI DSS Requirement 5: Maintain updated versions of antimalware and antivirus software across all infrastructure to protect sensitive data from malware attacks.
PCI DSS Requirement 6: Build a secure system and applications, then continuously update them as needed to protect against attacks.
PCI DSS Goal 4 – Monitor and control all access to cardholder data:
PCI DSS Requirement 7: Limit the ability of those within your organization to see any cardholder data unless it is necessary for a given employee’s business role and responsibilities.
PCI DSS Requirement 8: Require security checkpoints, such as passwords and strict authentication (e.g., multi-factor authentication), to access cardholder data.
PCI DSS Requirement 9: Control who comes into physical contact with systems and spaces containing or connected to cardholder data, including all clientele.
PCI DSS Goal 5 – Monitor and assess security systems continuously:
PCI DSS Requirement 10: Log all information regarding who accesses sensitive networks and data (e.g., time, location, users, behaviors).
PCI DSS Requirement 11: Perform frequent tests of all data protection systems, scanning for both controls and appropriate user behavior across all personnel.
PCI DSS Goal 6 – Design, implement, and maintain a security policy:
PCI DSS Requirement 12: Develop and distribute a clear, accessible policy that outlines how all members of your organization should approach data protection.
3) Submitting your assessment for PCI Compliance
The final step is to submit your assessment for verification. As mentioned above the exact scanning tools and documents you need to submit will depend on the size of your organization.
