PCI DSS Compliance (Checklist, Requirements, How to Check, etc.)
As another holiday season comes to a close, businesses and consumers alike are once again reminded of the importance of privacy and data security. The now infamous Target breach of some 40 million customers’ credit card data is just one example of why PCI DSS compliance is so important.
According to a letter from Target, the breached data included customer names, credit and debit card numbers, card expiration dates, and CVVs (the three-digit security code).
This security breach is another reminder of why a proper information security program is of the utmost importance. In particular, businesses that handle sensitive data are subject to regulatory compliance requirements that must be revisited regularly to stay in compliance.
The Payment Card Industry Data Security Standard (PCI-DSS) is the primary security and compliance standard for processing or storing credit card data. Over the past few years, security professionals have pushed for improved point-of-sale (POS) systems and payment applications.
What Is PCI-DSS Compliance
PCI DSS Compliance refers to the adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. This is critical to protect cardholder data from theft and to secure and strengthen payment transaction systems.
Standards
The new PCI-DSS standards have been written into the 3.0 release, which imposes more stringent requirements on payment applications. In Target’s case, some of the requirements written into the PCI-DSS standards evidently were not being met. Strong information security, risk management, compliance, and best practices, together with the services that support them, are the keys to establishing a PCI-DSS compliant environment.
Many businesses, particularly smaller organizations, have a difficult time achieving PCI-DSS compliance. A lack of resources, domain knowledge, or dedicated information security staff can all contribute to the difficulty of meeting the PCI-DSS compliance requirements.
To Whom Does PCI DSS Apply
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization, irrespective of size or number of transactions, that accepts, transmits, or stores any cardholder data. Here’s a breakdown of entities to whom PCI DSS typically applies:
Merchants
Any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (Payment Card Industry Security Standards Council) — Visa, MasterCard, American Express, Discover, and JCB.
Service Providers
Any entity that processes, stores, or transmits cardholder data on behalf of another entity is considered a service provider. This includes payment gateways, payment processors, and hosting providers, among others.
Financial Institutions
Banks, credit unions, and other financial entities involved in payment card processing should comply with PCI DSS to ensure the secure handling of sensitive information.
Payment Application Vendors
Companies that develop payment applications, especially those that handle cardholder data, need to adhere to security standards like PA-DSS (Payment Application Data Security Standard), a standard under the PCI compliance umbrella.
Other Entities
Any other organizations involved in payment card processing, such as third-party service providers and vendors whose products or services can affect the security of cardholder data, should also comply with PCI DSS.
PCI DSS Levels
Different levels of PCI compliance exist based on the volume of transactions processed annually. These levels determine the specific compliance validation requirements for merchants and service providers:
- Level 1: Merchants processing over 6 million card transactions per year.
- Level 2: Merchants processing 1 to 6 million transactions per year.
- Level 3: Merchants processing 20,000 to 1 million ecommerce transactions per year.
- Level 4: Merchants processing fewer than 20,000 ecommerce transactions per year, or all other merchants processing up to 1 million card transactions per year.
Objectives
The standard has six main objectives, broken down into 12 requirements, aimed at securing cardholder data:
- Build and Maintain a Secure Network and Systems
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
  - Protect all systems against malware and regularly update anti-virus software or programs.
  - Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need to know.
  - Identify and authenticate access to system components.
  - Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security for all personnel.
Entities that fall under the scope of PCI DSS must ensure they implement and maintain these requirements to safeguard sensitive cardholder information and mitigate the risk of data breaches.
How to Get PCI-DSS Compliant
So what can an organization that handles sensitive data do if it does not have the resources needed to achieve PCI-DSS compliance on its own?
First, have an independent IT security audit performed by a proven outside company against the PCI-DSS framework. An IT security audit will surface organizational risks that may be overlooked on the surface and shed light on the current state of the information security environment.
Additionally, a proper IT security audit will include an action plan to remediate every area that is out of compliance.
Second, adopt a formal information security policy that follows industry best practices and controls. Put in place a vendor management program that performs due diligence before purchasing payment processing applications. Schedule follow-up assessments to ensure that the infrastructure still conforms to best practices and to the PCI-DSS compliance requirements.
These are the first steps down the road to PCI-DSS compliance. Good IT governance is required to keep any information security program alive and producing results. The ultimate lesson of the Target breach is that organizations need to pay closer attention to the POS-related changes specified in the new PCI-DSS 3.0 standards.
What This Means For Businesses (SMBs)
Since 2005, more than 80% of card data breaches have involved small businesses. In such cases, if a business is found to be non-compliant, major brands such as Visa are likely to suspend their accounts.
Smaller business owners may not know that the Best Practice 6.6 security standard went into effect in June 2008, requiring merchants to tighten security. All eCommerce websites are required to conduct application code reviews and install web application firewalls.
Be aware of the requirements for small to medium-sized businesses. For Visa compliance, Level 2 and Level 3 merchants must complete an annual Self-Assessment and quarterly network security scans. Level 4 merchants must also complete an annual PCI Self-Assessment, but in some cases they are not required to complete the quarterly network scan.
It’s worthwhile for all business owners to take the time to understand their compliance requirements for each of the credit card brands they use. This is especially true of smaller merchants that are more often attacked by cyber criminals and identity thieves.
For more information about PCI compliance or to learn about the IT solutions we offer to enhance your business, contact us today.