PCI compliance is an industry-standard set to keep sensitive payment data safe. Any business that handles credit or debit cardholder data must achieve PCI compliance. It was created by a council of major credit card providers – the PCI Security Standards Council, or PCI SSC – to help prevent credit and debit card data theft.
Unsure what exactly you need to know about PCI Compliance? Here’s a crash course on the PCI Data Security Standard, including the most cost-effective path to securing cardholder data, PCI compliance best practices and benefits, what it takes to get PCI certified, and much more.
So, what exactly is PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of controls and obligations for companies of any size that handle credit card information, designed to reduce the likelihood of card data being compromised. To put it simply, PCI DSS directs how organizations should securely manage credit card account numbers and payment card data to best protect the collection, storage, and transmission of cardholder data from e-commerce transactions. PCI DSS has 12 requirements that merchants and service providers must comply with to work with the major credit card companies.
These credit card companies – American Express, Discover Financial Services, Visa, Mastercard, and JCB International – developed a council (the PCI SSC) that created a set of data security standards (the PCI DSS) to help protect payment card data and prevent payment card fraud. The PCI SSC provides, maintains, evolves, and promotes these security standards. They also offer merchants and service providers tools to implement the PCI standards, such as assessment and scanning qualifications, a self-assessment questionnaire (SAQ), training and education, and product certification programs.
What are the benefits of PCI compliance?
While PCI DSS compliance is not a legal requirement, it is necessary for companies that choose to work with any major payment card network, like Visa or Mastercard. Even though PCI DSS can be a hurdle, compliance with PCI standards doesn’t have to be a burden. If you use the right solution to get there, it’s a business investment with numerous benefits.
Achieving the appropriate level of PCI DSS compliance enables your business to:
- Work with payment processors to build an online marketplace.
- Partner with card issuers to launch your own payment card.
- Set yourself up for easier compliance with other compliance standards, like GDPR or HIPAA, since these frameworks share similar controls.
- Minimize the risk and impact of a potential breach.
- Build trust with your customers and partners.
Is PCI compliance mandatory?
If your organization transacts with one of the major credit card companies, such as Visa, Mastercard, American Express, or Discover, you must comply with the PCI Data Security Standards. You must be PCI compliant if your organization collects, transmits, maintains, or transfers card data, no matter the value or number of transactions or how big your business is. In other words, if credit card information touches your secure network at any point, you must comply with these PCI standards.
Like GDPR and CCPA requirements, non-compliance is not an option for PCI DSS requirements. While PCI DSS is technically not a law like GDPR and CCPA are, companies agree to adhere to PCI standards when they engage in any activity related to the payment card industry.
Like many compliance programs, these PCI standards are designed to ensure vendors are more stable and secure, which leads to a more reliable payment card industry overall. PCI DSS ensures that you, your fellow merchants, and all the stakeholders in the credit card industry are held to a rigorous industry standard for security.
What if I am not PCI compliant?
Non-compliance with PCI DSS could be a very costly mistake, particularly if you ever have breaches of credit card data. The penalties for not complying with these security standards range from sizable monetary fines to getting your ability to process credit card data revoked – both of which can be detrimental for any company that relies on this type of customer payment.
Not complying with PCI DSS means that payment data belonging to each customer is less secure, which comes with several disadvantages. Failure to sufficiently secure your CDE leaves your organization more susceptible to data breaches, which can result in:
- Inability to continue to accept credit cards, like Visa or Mastercard
- Loss of confidence within banking and financial partnerships
- Substantial financial penalties
- Regulatory scrutinies such as FTC investigations and audits
- A damaged brand reputation
- Weakened sales
- Lost jobs
Companies may have to pay to inform every individual impacted by a data breach, reissue cards, or pay legal fees; and these fines and fees are just the start. If you are a publicly-traded company, there are legal and regulatory risks should a breach call into question the validity of your firms’ financial statements (such as 10k filings). Not to mention the erosion of investor confidence and stock price should a data breach occur.
The lasting brand damage a data leak causes and the cascading loss of consumer trust that follows is enormous. Brand image is, in fact, one of the most significant vulnerabilities when it comes to data security. According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest consequence of a security incident is the erosion of brand value.
Data breaches have impacted some of the biggest enterprises out there, resulting in the exposure of hundreds of millions of pieces of sensitive customer data and compromising the privacy and trust of their customers. When credit card data leaks on a large scale, the damage goes far beyond consumer confidence. Individual customers’ livelihoods can be severely hurt or permanently ruined when their sensitive information gets into the wrong hands. That’s why it’s imperative to secure card data. And that’s what PCI DSS aims to do.
Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, but you should also want to avoid the liability of not implementing these compliance requirements. The question, therefore, should not be “Is PCI DSS compliance mandatory?” (it is), but rather “Why would you take the risk of not implementing it?”
How much are PCI non-compliance fines?
Non-compliance fines start at $5,000 but can soar up to $500,000 per PCI data security incident (like massive data breaches). The range of fines will vary depending on the state of PCI controls and, if a breach occurred, whether the breach was due to PCI control operation failure.
On top of those costs, merchants may have to pay extra penalties. Banks and payment processors may end their relationships with a merchant entirely or increase per-transaction processing fees and require the merchant to pay for the replacement of the payment cards exposed in the data breach. The bank or processor may also obligate the merchant to move up a level in compliance if they have a breach, which means that adherence to the requirements can be even more difficult and much more costly.
Moreover, regulations demand that all individuals whose data appears to have leaked during a breach incident be alerted in writing so they can stay vigilant for any fraudulent activity on their accounts. There’s no chance of sliding this breach of trust under the radar.
Because of these mounting costs, the expenses caused by a single data exposure event can end up far surpassing the initial $500,000 fine and could financially devastate an organization of any size.
What does it take to be PCI compliant?
When an organization abides by PCI DSS requirements on an ongoing basis and can effectively protect cardholder data by maintaining a secure cardholder data environment (CDE), it’s PCI compliant. How your organization validates your PCI Compliance depends on how many transactions it processes each year.
What are the PCI DSS compliance levels?
PCI DSS compliance has two categories – merchants and service providers – with different levels based on how many credit card transactions you handle each year. PCI Compliance Level 1 is the most stringent.
At a high level, guidelines are as follows:
- Level 1: Businesses that process over 6 million card transactions per year across all channels or any business that has had a data breach.
- Level 2: Businesses that process between 1 million and 6 million card transactions per year across all channels.
- Level 3: Businesses that process between 20,000 and 1 million e-commerce card transactions per year.
- Level 4: Businesses that process fewer than 20,000 e-commerce card transactions per year or any business processing up to 1 million regular card transactions per year.
- Level 1: Businesses that process over 300,000 transactions per year (includes Payment Facilitators).
- Level 2: Businesses that process under 300,000 transactions per year.
It’s important to note that while Visa, MasterCard, and American Express all define the levels very similarly, there are minor differences. These become even more pronounced when it comes to American Express and JCB. For example, for American Express, Level 1 is defined as businesses that process more than 2.5 million transactions annually. You can learn more from each card issuer directly.
It’s also important to note that while your organization's transaction quantity may place you in a particular PCI Level, potential clients, partners or payment providers may ask you to “level-up” given any specific security needs they may have.
What are the requirements for PCI compliance?
PCI DSS Compliance is achieved after businesses verifiably complete all 12 requirements included in the security standard.
Within these 12 requirements are hundreds of sub-requirements, which go well beyond firewalls, anti-virus software, strong passwords, and other security measures. Some of them may be especially difficult for smaller organizations to meet, particularly without any expert help.
The 12 requirements for PCI DSS compliance are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know, which is achieved when you implement strong access control measures
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a security policy that addresses information security for employees and contractors
With so many multi-faceted requirements, building a PCI-compliant information security infrastructure can be a daunting task for small and medium-sized businesses. Additional engineers are often hired to supplement in-house resources.
Each requirement also involves a different cost and timeframe for successful implementation.
How do we become PCI compliant?
Becoming a PCI DSS compliant organization can be a long journey, particularly if you’re a small business going it alone. Building a PCI-compliant network from scratch and following best practices means that you will, at a minimum, need to follow the following steps.
Step 1: Gap Assessment (1.5 - 3 months)
The initial move your business should make is to find out your current situation as it relates to payment card data security, a procedure called a “gap analysis.” This enables companies to identify any “gaps” in their security posture so they know what to fix to become PCI DSS compliant.
Resolving gaps that you identify during the assessment may require new, additional resources, including servers, routers, communication equipment, physical security, and full-time employees since your current resources could be insufficient.
The most painless way to do this would be to skip the gap assessment step entirely, which is only possible if you implement an all-in-one, dedicated PCI as a Service solution like VGS.
For businesses that would prefer to do the PCI DSS compliance journey piecemeal, rather than using an end-to-end solution, there are two options:
- The DIY Option: Without asking for any third-party assistance, companies can fill out a Self-Assessment Questionnaire (SAQ). The SAQ is a simple, yes-or-no guidebook that helps companies assess how much they are adhering to PCI security standards (keep in mind that there are nine different versions, depending on how your business processes cardholder data).
- The Point Solution Option: Instead of navigating the Self-Assessment Questionnaire themselves, many organizations skip the SAQ and instead opt to pay an external PCI Qualified Security Assessor (QSA) to perform the gap analysis for them.
Step 2: Decide what infrastructure to use to build your CDE on (1 month)
Once you’ve performed a gap assessment, either on your own or with the help of an auditor, you’ll have a good sense of where your company is lacking. Now it’s time to get down to the nitty-gritty.
The second step is figuring out how you will design your organization’s secure network to store credit card information, like implementing strong access control measures and much more. What will be your payment card data store process? Will you opt for a secure cloud storage subscription service for that data store process? What about an on-premise physical database to keep all your users’ sensitive credit card data?
Once you figure out the type of infrastructure that your company thinks is best to protect credit card information, you can start planning out the systems and processes that will enable you to become PCI compliant.
Step 3: Put in place new business controls (~3 months)
After you’ve identified which infrastructure your business will utilize to store its cardholder data, you can start setting up the new controls to ensure that sensitive data is secure.
This includes defining roles and responsibilities for personnel and vendors with physical access to cardholder data, securing the locations in your system that are exposed to cardholder data, implementing a data encryption and/or tokenization solution and documenting processes and procedures, and ensuring that internal controls are suitably designed and operating effectively.
Test and verify that your controls reduce the risks you identified as expected. Controls do not always work as intended, since technology changes rapidly.
Step 4: Gather documentation (~2 months)
PCI DSS compliance involves an audit process. Much like you may need to retain receipts to answer any questions the IRS has about your taxes, it’s important to keep documentation on the internal controls across your environment for review during a PCI DSS audit.
Since so many of these controls rely on policies and operating procedures, it’s vital to ensure that critical operations are documented, stored, and communicated to staff. Additionally, control evidence may need to be shared to provide assurances that internal controls have been continuously operating and where they are not in place but supported by compensating controls as justification for the alternative approach.
Let’s look at one control in particular as an example: PCI Requirement 5 (as listed above) articulates the need for anti-virus/anti-malware solutions within your environment. Validating this single control area necessitates a variety of documentation:
- What technology is being used to identify, prevent, and remediate malware indicators?
- Where is this technology scoped with respect to the CDE environment?
- Who and how is this technology responsible for being maintained, operated, and consistently deployed? I.e., are there processes or runbooks for Security Analysts to effectively navigate the malware detection and remediation path?
- Does the technology provide 90-day log retention natively? If not, where and how is that log data being stored?
Now, assuming all of this is in place and aligned to PCI security standards, it’s time to provide evidence supporting that control statement. Long story short, documentation can be quite a burdensome endeavor to complete, especially considering that documentation is only as effective as it is communicated and adopted.
Step 5: Ongoing maintenance (never-ending)
When you set up a secure cardholder data environment following security standard PCI requirements, there is never a finish line. You must constantly look after your security infrastructure and policies, software systems need to be updated, vulnerabilities need to be scanned for and patches need to be implemented. It’s a non-stop effort to keep your compliance status.
Even modest changes to infrastructure, data transfer paths, or internal tools can profoundly impact an organization’s approach to PCI. Plus, whenever you add a new feature to your product that impacts your company’s cardholder data - in any way - your PCI DSS compliance is no longer valid. Since your cardholder data environment has changed since the point in time when your compliance was verified, you will need a QSA to revalidate your compliance with its current state.
Additionally, the PCI standards themselves may change, requiring additional investment; the PCI standard itself has undergone 9 changes since 2004, and PCI DSS v4.0 is anticipated for Q1 of 2022. The endless cycle of adjusting, then revalidating, then adjusting and revalidating again is an ongoing expense that many businesses - unfortunately - don’t take into consideration when embarking on a DIY PCI DSS compliance journey. While supporting these audits can be costly in terms of security tooling and infrastructure, it can be equally taxing on resources that may now need to dedicate time away from building products and services to focus on developing a defensible PCI posture.
How do I validate my PCI compliance?
So, you’ve gone through all the steps to secure your customers’ cardholder data - now what?
Does your company need to validate its compliance with PCI standards officially? For Level 1 merchants and service providers, the answer is yes.
If you are a Level 1 merchant or service provider, you need to undergo an audit that results in a completed Report on Compliance (ROC), which a QSA must sign.
All other levels of merchants and providers can simply complete their own SAQ and sign their own Attestation of Compliance (AOC).
What does it cost to get PCI compliant?
When attempted via the DIY path, PCI compliance involves a high Total Cost of Ownership (TCO) compared with employing an end-to-end PCI as a Service solution, such as VGS. The typical ‘DIY TCO’ looks something like this:
When you go the DIY route, your business ends up ‘paying’ more than just money. You are now allocating a significant amount of time to each requirement which takes away from resources you could dedicate to growing your core business.
Moreover, every time you make a change in your environment or your product, you re-start the process of PCI.
When is said and done, the cost of DIY-ing all 12 PCI requirements can quickly add up to $1M or more, and yearly PCI maintenance costs up to $200,000+. Costs include:
- CapEx or OpEx on security tools and infrastructure components
- Continuously operate internal controls in accordance with internal SLAs and processes
- Costs of hiring reliable and experienced auditors knowledgeable on your tech stack
- Time to manage staff, resources, and commitments of your PCI project and audit
- Establish and maintain internal controls to satisfy PCI
- Design, manage, and continually update policies, procedures, and internal processes
- Dedicated staff for audit project management and preparation
- Additional operating and licensing costs for necessary services
Working with a comprehensive third-party data protection solution
There’s a much easier option for companies that aren’t interested in painstakingly going down the list of PCI requirements and tailoring information security policies, securing and testing everything in-house, then being evaluated by a qualified security assessor (QSA). It also costs considerably less than the DIY route.
The solution: work with a third-party data security partner who takes care of your PCI compliance for you.
A business pursuing PCI Compliance can integrate with a third-party provider such as VGS, which has been audited by an independent QSA and is approved as a PCI Compliance Level 1 service provider. Whether you’re a merchant, service provider, or another type of organization, using VGS is easier for you and your business because:
- VGS makes it simple to remove your systems from the scope of cardholder data and manage security and compliance around payment card data, plus all other sensitive information, on your behalf.
- VGS maintains a fully hardened and managed PCI L1 approved CDE along with a suite of options to safely collect credit card data.
- VGS is a Level 1 Service Provider certified with PCI DSS 3.2.1 domains.
VGS provides easy PCI Level 2-4 compliance for smaller merchants and service providers as quickly as 7 days after integration. For businesses that require PCI Level 1, either due to transaction volume or because their bank or partners require it, compliance can be achieved in as few as 21 days.
Alternatively, choosing the DIY path would take several months to a year after you’ve already poured a substantial amount of human and financial capital into your information security policy to protect your databases, systems, and processes.
Very Good Security is a completely scalable solution that grows with your business and offloads your PCI burden while following PCI best practices.
Putting your PCI DSS burden in trusted hands
Using VGS allows you to quickly meet the vast majority of PCI DSS compliance requirements and continuously works as a partner to maintain continuous PCI compliance and keep your most sensitive data secure.
By working with VGS, our users securely segment their business from any sensitive data, which is always protected in the VGS Vault. The VGS Vault does the following:
- Serves as a way to store and use payment card industry data securely
- Leverages security controls including key rotation, patch management, segregated accounts, extensive audit logging, regular vulnerabilities testing, 24/7 continuous monitoring, as well as AES 256-strength encryption
Compared to other data security or tokenization solutions on the market, the VGS Vault is unique because:
- It works seamlessly with our proxies to provide a safe and reliable way to protect your company’s sensitive data easily, both at rest (AES-256-GCM encryption) and in-flight (TLS 1.2).
- It instantly hardens your applications, including 24/7 monitoring for intrusion detection and anomalies, efficient vulnerability management, strong security patching procedures, and extensive change management controls.
VGS quickly descopes companies from PCI DSS requirements and accepts the responsibility of storing all their sensitive data. Our customers are only responsible for access control to security configurations through the VGS dashboard.
At VGS, we:
- Guarantee that PCI data never touches non-Cardholder Data Environments (this includes any non-hardened systems, such as your test environment).
- Securely vault and manage credentials to access network resources and cardholder data (including your VGS Dashboard password and API keys) and monitor how these credentials are distributed and used.
- Provide yearly security awareness training for team members.
- Properly vet employees (e.g. criminal background checks, necessary access, job function, etc.).
- Maintain full PCI DSS and SOC-2 controls across our infrastructure.
We help our customers:
- Generate copies of current Attestation of Compliance (AOC) documents from all cardholder service providers yearly.
- Maintain audits of PCI DSS controls every year, especially the Information Security Policy that details your company’s PCI DSS controls.
- Build and test incident response procedures.
- Designate and document internal roles and duties for handling PCI-related data and vendor relationships.
Using VGS for your data security and compliance needs, including PCI and beyond, gives you a trusted partner to help usher you through the entire data security journey. After an easy-to-navigate onboarding process, you’ll be well on your way to descoping your business from PCI compliance requirements, with the collection, storage, and transfer of sensitive data all handled through VGS.
Are you a Fintech, Merchant, or Service Provider handling sensitive data connected to consumers’ credit cards? Connect with one of our PCI Experts and experience the easier, faster, and more secure way to achieve PCI DSS.