To secure credit card transactions and protect related data, the financial industry established operational and technical standards for maintaining the security of payment card transactions. Most notably, the Payment Card Industry (PCI) Security Standards Council (which is backed by the leading credit card institutions) developed a set of standards known as the Payment Card Industry Data Security Standard (PCI DSS).
Payment card companies usually require organizations to comply with PCI standards under their network agreements. PCI standards cover merchant processing and additional requirements such as encryption of Internet transactions. While PCI DSS is at the center of PCI compliance, the National Automated Clearing House (NACHA) and the Card Association Network have also set industry standards.
While there is no specific regulation mandating PCI compliance, court precedent treats it as mandatory for all companies processing payment card data. The Federal Trade Commission (FTC) monitors credit card processing to protect consumers. Organizations processing payment card data must comply with these standards to ensure the security of transactions and avoid legal penalties.
Why Is PCI Compliance Important to an Organization?
Any organization that handles payment card transactions or data must ensure they comply with PCI DSS and other applicable standards. The data security standards described in PCI DSS help organizations enhance their security profile and protect themselves against the business and legal repercussions of a data breach.
Regardless of an organization’s size, credit card companies such as American Express, Visa, and Mastercard require PCI compliance. Complying with PCI standards:
- Allows organizations to accept payment cards or transmit, process, and store payment card data
- Reduces the risk of payment card data loss
- Reduces the risk of customer identity theft
- Enables organizations to detect, prevent, and remediate data breaches
Failure to maintain PCI compliance can result in fines or the loss of the ability to accept payment cards and online transactions.
PCI Compliance Levels
Here are the PCI compliance levels that apply to merchants based on the volume of payment card transactions they process.
A Level 1 merchant processes 6 million or more transactions per annum (e.g., a large international corporation). This compliance level requires a third-party Qualified Security Assessor (QSA) to audit the merchant’s practices. The QSA defines the audit scope, reviews the merchant’s data storage and paper trails, and records the outcome in an annual Report on Compliance (ROC).
Level 1 merchants must also have Approved Scanning Vendors (ASVs) perform quarterly network scans to complement the annual audit, and must then submit an Attestation of Compliance (AOC) form.
A Level 2 merchant processes more than 1 million but fewer than 6 million transactions per annum (e.g., a medium-sized corporation). Level 2 does not require a third-party auditor, but Level 2 merchants must submit ROCs based on internal audits that respond to Self-Assessment Questionnaires (SAQs).
Level 2 merchants must also use ASVs to perform quarterly network scans and submit AOC forms.
A Level 3 merchant processes more than 20 thousand but fewer than 1 million transactions per annum (e.g., a small corporation). Level 3 does not require external audits or ROCs, only the completion of an annual SAQ.
A Level 3 merchant must also perform quarterly network scans and submit AOC forms.
A Level 4 merchant processes fewer than 20 thousand transactions annually. This compliance level requires merchants to complete annual SAQs and AOCs, in addition to quarterly network scans performed by ASVs.
A Level 4 merchant must use qualified resellers and integrators to install, integrate, and service point-of-sale applications and terminals.
How to Implement a Successful Incident Response Plan for PCI DSS
Two major PCI DSS requirements help organizations implement successful incident response plans—Requirement 10 refers to logging and log management, while Requirement 12 addresses documentation, vulnerability, and risk management.
In addition to considering these two requirements, you should apply the following steps to build a PCI-compliant incident response plan:
- Prioritize assets—locate critical assets such as applications and sensitive data and classify them according to the risk they present. Assign a budget and protection strategy for each risk category.
- Document clear policies—provide employees with clear procedures for responding to incidents, including details such as roles and responsibilities.
- Build your response team—the incident response team can include full-time incident response personnel or other security or IT employees who take on responsibilities. Every individual must have a clear role.
- Educate your employees—regularly train your staff to promote security awareness and safe business practices. Ensure that all employees learn to identify and avoid infiltration attempts such as social engineering attacks.
- Inform stakeholders of the incident response plan—all stakeholders across the organization should be familiar with the incident response plan. Encourage everyone from management, legal, HR, IT, and development departments to contribute to the plan.
- Involve senior management—your incident response plan cannot succeed without the support of senior management. For example, your organization must budget for incident response tools and procedures.
- Test your incident response plan—use realistic tabletop exercises to test the effectiveness of your incident response plan. Testing your plans allows you to identify and address any weaknesses.
The Role of SIEM in PCI DSS Compliance
PCI DSS Requirement 10 calls for logging and monitoring of access to network resources and cardholder data, and Requirement 11.5 calls for detecting unauthorized changes to critical system and configuration files. PCI DSS emphasizes these two controls because system logs and change alerts are the evidence you rely on when investigating and responding to security incidents.
When security auditing is enabled on systems in the cardholder environment, security information and event management (SIEM) systems can be used to monitor systems and generate security alerts. SIEM solutions are able to collect and correlate data from across the IT environment, including a PCI-compliant hosting environment, and from hundreds of security tools. They normalize security data and generate reports in a suitable format for regular reviews and PCI DSS audits.
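The passage above describes what a SIEM does in a cardholder environment: take logs in different formats, normalize them into one schema, correlate events across sources, and produce summaries suitable for the regular log reviews PCI DSS asks for. The following script is an added illustration of that pipeline in miniature; it is not Atlantic.Net code and not the output of any real SIEM product. The two log sources (a syslog-style sshd log and a JSON application log from a hypothetical payment service), the host names, users, and addresses are all constructed for the example.

```python
"""Miniature SIEM pipeline: normalize two constructed log formats into one
event schema, correlate them, and build a per-host review summary.
Added example only; not Atlantic.Net code and not a real SIEM."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: sshd lines from a (hypothetical) database host in the CDE.
AUTH_LOG = """\
2024-03-01T09:00:01Z cde-db01 sshd[811]: Failed password for admin from 10.0.5.7 port 51110 ssh2
2024-03-01T09:00:04Z cde-db01 sshd[811]: Failed password for admin from 10.0.5.7 port 51111 ssh2
2024-03-01T09:00:07Z cde-db01 sshd[811]: Failed password for admin from 10.0.5.7 port 51112 ssh2
2024-03-01T09:00:15Z cde-db01 sshd[812]: Accepted password for admin from 10.0.5.7 port 51113 ssh2
2024-03-01T09:30:00Z cde-db01 sshd[900]: Accepted publickey for deploy from 10.0.9.2 port 40000 ssh2
"""

# Constructed sample input: one JSON object per line from a hypothetical payment application.
APP_LOG = """\
{"ts": "2024-03-01T09:02:00Z", "host": "cde-app01", "user": "svc_pay", "action": "login", "result": "failure", "src": "10.0.5.7"}
{"ts": "2024-03-01T09:02:02Z", "host": "cde-app01", "user": "svc_pay", "action": "login", "result": "failure", "src": "10.0.5.7"}
{"ts": "2024-03-01T09:05:00Z", "host": "cde-app01", "user": "svc_pay", "action": "login", "result": "success", "src": "10.0.5.7"}
{"ts": "2024-03-01T09:06:00Z", "host": "cde-app01", "user": "svc_pay", "action": "read_pan", "result": "success", "src": "10.0.5.7"}
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_auth(text):
    """Map sshd lines onto the common event schema (ts, host, user, src, action, result, source)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; a production SIEM would flag them
        events.append({
            "ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"], "src": m["src"],
            "action": "login", "result": "success" if m["result"] == "Accepted" else "failure",
            "source": "sshd",
        })
    return events


def normalize_app(text):
    """Map the JSON application log onto the same schema."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append({
            "ts": parse_ts(rec["ts"]), "host": rec["host"], "user": rec["user"], "src": rec["src"],
            "action": rec["action"], "result": rec["result"], "source": "payment-app",
        })
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when `threshold` or more login failures for the same (host, user, src)
    are followed by a successful login within `window`. Works across both sources
    because everything has already been normalized."""
    alerts = []
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login":
            by_key[(e["host"], e["user"], e["src"])].append(e)
    for (host, user, src), evs in by_key.items():
        failures = []
        for e in evs:
            if e["result"] == "failure":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"host": host, "user": user, "src": src,
                               "failures": len(recent), "success_at": e["ts"]})
            failures = []  # a success closes the current run of failures
    return alerts


def daily_review(events):
    """Per-host counts of action:result, the kind of summary a log review or auditor asks for."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["host"]][f'{e["action"]}:{e["result"]}'] += 1
    return {host: dict(counts) for host, counts in summary.items()}


if __name__ == "__main__":
    all_events = normalize_auth(AUTH_LOG) + normalize_app(APP_LOG)
    for a in correlate_bruteforce(all_events):
        print("ALERT", a)
    print(json.dumps(daily_review(all_events), indent=2))
```

On the constructed input the correlation rule fires once, for the three failed `admin` logins on `cde-db01` followed by a success from the same address; the two application failures stay below the threshold and are only visible in the review summary. The point of the example is the separation of concerns: parsers per source, one schema, and rules and reports written once against that schema.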
PCI Compliance Levels
Your organization’s PCI Level will determine your auditing process and the level of scrutiny to which your organization will be subjected.
Incident Response Plan
It is not enough to ensure security controls are PCI DSS compliant. You must prepare to respond to actual security incidents in a way that aligns with the standard.
The Role of SIEM
You can use SIEM systems to greatly reduce auditing complexity by automatically generating reports in a format auditors can use.
Get Help with PCI Compliance
Do you need PCI-compliant hosting? Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or email us at [email protected].