If your business accepts credit cards and other types of payments cards, you may have heard about something called PCI compliance. Payment card industry compliance (PCI compliance) is the meeting of guidelines developed by the PCI Security Standards Council, an open worldwide body formed to focus on payment card data protection during and following transactions. This article will explain the basics of getting started with becoming PCI compliant.
The PCI council builds and distributes payment standards while helping organizations learn how to meet them. It publishes resources, including self-assessment questionnaires, certification procedures, and training parameters.[i]
The founding members of the body are Visa Inc., MasterCard, Discover Financial Services, American Express, and JCB International. All these companies have integrated the PCI Data Security Standards (PCI-DSS) within their own security programs.
PCI-DSS compliance validation is managed by each different payment company (Visa, MasterCard, and the other founding members). Each of them also trusts the authority of Approved Scanning Vendors and Qualified Security Assessors that have met the expectations of the PCI council.
The security standards council is not involved with compliance enforcement. That role is carried out by the payment card firms or acquiring financial institutions.
PCI data security guidelines
Payment security is critical for any merchant, bank, or organization that handles cardholder information. The PCI-DSS requirements are designed to keep data safe and away from unauthorized parties. They establish how an entity can approach payment transactions from operational and technical perspectives. They also provide a structure with which manufacturers and developers can build security into their technology.[ii]
Basic Elements of PCI Compliance
Maintenance of Network Security
- Deployment of firewalls to prevent intrusion into data
- Changing of default passwords provided by vendors
Safeguarding of Cardholder Details
- Blocking of access to cardholder information
- Encryption of all data during transmission
Establishment of a Vulnerability Management Plan
- Keeping an antivirus solution updated, and using it consistently
- Creation and evolution of software and system security
Adherence to Access Control Best Practices
- Following of a need-to-know policy for transaction data
- Designation of individual login credentials for every user
- Limiting access within the physical environment
Monitoring and Testing of the Network
- Oversight for any data and network access
- Ongoing, periodic testing of all security aspects
Implementation of a Data Security Policy
- Creation of a policy that contains expectations related to data safety for an organization’s staff, as well as third parties.
PIN Transaction Security
The PCI PIN Transaction Security (PCI PTS) guidelines are meant to protect devices that process or contain consumer PIN data and other transaction information. Companies that manufacture devices used in payments should meet this standard when they create, build, and ship their products.
Payment Application Data Security Standard
This rule, the Payment Application Data Security Standard (PA-DSS), applies to application developers or anyone else who creates programs involved in payment card information storage, processing, or transmission. This standard applies, for instance, to the sale, distribution, and licensure of transaction-related software.
This part of the standards is focused on validating tasks completed by vendors that provide point-to-point (P2P) encryption. When a P2P encryption product meets these compliance specifications, merchants can know that cybercriminals won’t be able to read any information they might intercept.
Simple step-by-step security framework
The PCI Data Security Standard, developed using the expertise of security personnel from entities across the planet, should not be oversimplified. Below, we will explore more thoroughly how to establish PCI compliance, but this checklist is a good start:
- Purchase and install point-of-sale (POS) PIN entry devices that are validated to have met the requirements of the PCI council.
- Only use transaction applications, at POS and online, that are validated.
- Stop storing payments details either digitally or as hard copies.
- Set up firewalls.
- Use passwords and encryption for your Wi-Fi router.
- Make sure all passwords are complex and that none are defaults.
- Scan PCs and PIN devices for malicious applications.
- Train your personnel on data standards.
- Align your organization with all PCI-DSS guidelines.
How to meet PCI compliance standards
If you want to protect your payment data, monitor to ensure that you are meeting all the PCI DSS controls. It’s key that your efforts at compliance are continual, rather than checking for it only once per year. An annual assessment that you meet the standards is insufficient: the controls in place at entities that previously completed assessments often don’t meet compliance at the time of a breach. Compliance is, instead, a year-round endeavor – as indicated by the three-step model created by the council.[iii]
Three-step model for ongoing compliance
PCI compliance is not linear but moves in a continual circle, transitioning repeatedly through these three stages:
Assessment: Through scoping, note card data that must be protected, and recognize technology and operations involved in transactions. Assess these elements for vulnerability.
Remediation: Solve any vulnerability issues and offload any sensitive data you don’t need.
Reporting: Create and send necessary documentation to payment card firms and merchant acquirers.
To put the PCI Data Security Standard into action at your organization, you must perform scoping. Scoping is a process through which you create an inventory of every element that is inside or linked to your transaction data system. It must take place once per year, in advance of your assessment.
For comprehensive scoping, organizations that want to achieve compliance should be aware of everywhere payment data exists, as well as how it is transmitted.
Data security companies that are approved by the PCI council are called qualified security assessors.
An assessor completes the following tasks and expectations for validation of compliance:
- Confirms technical details provided by services or merchants
- Determines whether the entity is compliant based on their own understanding of the standards
- Offers expert advice and support
- Is physically present during the assessment as is necessary
- Meets the requirements of the assessment practices outlined by the PCI council
- Verifies the assessment’s scope
- Assesses compensating controls
- Creates compliance reports
Reporting is an essential element of PCI compliance. It is the official manner through which a merchant or other organization notifies the payment card companies and acquiring banks of their efforts at compliance.
It may also be necessary to submit a quarterly report detailing the findings of a network scan. Payment card firms will sometimes want you to complete and submit other paperwork as well. Examples include the self-assessment questionnaire (when evaluating your own system) and report on compliance (when having a third party assess your system).
The self-assessment questionnaire (SAQ) is typically used by entities that do not need to send in a report on compliance. It is a robust method to validate your own security stance.
The SAQ is very straightforward, made up of a list of yes-or-no questions intended to evaluate compliance with each PCI DSS element. Whenever one of the parameters is not met, the entity may have to set a date for remediation and related tasks.
Various types of questionnaire exist for use by the full spectrum of entities that need to meet compliance.
You can easily find the self-assessment questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance. They are all detailed in the Self-Assessment Questionnaire PDF available through the PCI Council’s website.
Compliance with the Payment Card Industry Data Security Standard is not only important internally but with your hosting partners as well. Do you need a PCI-compliant hosting environment? Atlantic.Net’s Data Centers are routinely inspected and are fully audited and SSAE 16 (SOC 1) TYPE II (Formerly SAS 70) certified. Learn more.