A simplified crash course on the Payment Card Industry Data Security Standard (PCI DSS), including the most cost-effective path to securing cardholder data and implementing the right security parameters to quickly obtain PCI Compliance.
Unsure about PCI Compliance? Here’s everything you need to know about PCI DSS best practices and what it takes to obtain – and demonstrate – your company’s compliance.
You can do this yourself or with the help of third parties, which we will cover at the end of this post.
PCI DSS (Payment Card Industry Data Security Standard) is a set of controls and obligations for companies of any size that handle credit card information, designed to reduce the likelihood of card data being compromised.
To put it simply, PCI DSS directs how organizations should securely manage credit card payments and payment card data in order to best protect the collection, storage, and transmission of cardholder data.
The standard was set up by the Payment Card Industry Security Standards Council (PCI SSC), which is made up of the major credit card companies (American Express, Discover Financial Services, Visa, Mastercard and JCB International).
The SSC set up these card industry data security standards to help protect payment card data and prevent payment card fraud. In total, PCI DSS contains 12 requirements, which merchants and service providers that process payment card information must comply with in order to continue working with the major credit card companies.
Each of the credit card companies incorporates PCI DSS as part of the technical requirements for all of their own information security compliance programs.
The SSC provides, maintains, evolves, and promotes these security standards. They also offer tools for merchants and service providers to implement the PCI standards, such as assessment and scanning qualifications, a self-assessment questionnaire (SAQ), training and education, as well as product certification programs.
When an organization abides by PCI DSS requirements on an ongoing basis and can effectively protect cardholder data by maintaining a secure cardholder data environment (CDE), it is PCI compliant.
How you validate your PCI Compliance depends on how many transactions you process each year (more on how to validate below).
While PCI DSS Compliance is not a legal requirement, it is necessary for companies that need to store or transmit credit card information, or else they won’t be able to work with any major payment card network, like Visa or Mastercard.
Even though PCI DSS is a minimum hurdle that many merchants and service providers must clear in order to operate at all, compliance with these PCI standards shouldn’t be viewed as a burden - but as a business investment that comes with a number of benefits.
The appropriate level of PCI DSS compliance enables your business to:
- Work with payments processors to build an online marketplace.
- Partner with card issuers to launch your own payment card.
- More easily be compliant with other compliance standards, like SOC 2 or HIPAA, since these frameworks share common controls among them.
- Minimize risk and impact of a potential breach.
PCI DSS applies to any organization, without regard to size, value, or number of transactions, if that organization collects, transmits, maintains, or transfers card data. Anyone who transacts with one of the major credit card companies, such as Visa, Mastercard, American Express or Discover, must comply with the data security standard.
In other words, if credit card information touches your secure network at any point, you must comply with these PCI standards.
Like GDPR and CCPA requirements, non-compliance is not an option for PCI DSS requirements. While PCI DSS is technically not a law, as GDPR and CCPA both are, companies agree to adhere to PCI standards when they engage in any activity related to the payment card industry.
While PCI DSS is not a law, it does outline a path to successfully protecting your customers’ payment card data. Not complying with PCI DSS means that the PCI data belonging to each customer is less secure, which comes with a number of disadvantages.
Failing to sufficiently secure your CDE leaves your organization more susceptible to data breaches, which can result in:
- An investigation into your business
- A damaged brand reputation
- Weakened sales
- Lost jobs
- Inability to continue to accept credit cards, like Visa or Mastercard
- Substantial financial penalties
- Loss of confidence within banking and financial partnerships
- Regulatory scrutiny such as FTC investigations and audits
Like many compliance programs, these PCI standards are designed to ensure a more stable and secure vendor, which leads to a more reliable payment card industry overall. PCI DSS ensures that you, your fellow merchants, and all the stakeholders in the credit card industry are held to a rigorous industry standard for security.
Failure to comply with PCI DSS could end up being very expensive, particularly if you ever have breaches of credit card data. The penalties for not complying with these PCI security standards range from sizable monetary fines to getting your ability to process credit card data revoked - both of which can be detrimental for an early-stage company that relies on this type of customer payment.
These can be just the tip of the iceberg compared to the total financial harm caused by non-compliance, as companies may have to pay to inform every individual whose personal information was impacted by the data breach, reissue cards, pay legal fees - the list goes on.
The fines for failing to comply are just the start, and don’t even factor in the brand damage a data leak causes and the loss of consumer trust that follows. Brand image is, in fact, one of the biggest vulnerabilities when it comes to data security.
According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest consequence of a security incident is the erosion of brand value.
Data breaches have hit even some of the biggest multinationals out there, enabling the exposure of sensitive customer data and compromising the privacy and trust of their customers.
When it’s credit card data that leaks on a large scale like this, the damage goes far beyond consumer confidence. Individual customers’ financial lives can be severely hurt when their sensitive information gets into the wrong hands. That’s why it’s incredibly important to secure card data, which is what PCI DSS aims to do.
Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, but you should also want to avoid the liability of not implementing these compliance requirements.
The question, therefore, should not be “is PCI DSS compliance mandatory” (it is), but rather “why would you take the risk of not implementing it?”
If you are a publicly-traded company, there is additional legal and regulatory risk should a breach call into question the validity of financial statements (such as 10k filings). In addition, a data breach can directly impact investor confidence and stock prices.
Non-compliance fines start at $5,000 but can soar to as high as $500,000 per PCI data security incident (like massive data breaches). The range of fines will vary depending on the state of PCI controls and, if a breach occurred, if the breach was due to PCI control operation failure.
On top of those costs, merchants may have to pay extra penalties to their bank. Banks and payment processors can end their relationships with the merchant entirely or increase per-transaction processing fees and require the merchant to pay for the replacement of the payment cards exposed in the data breach.
The bank or processor may obligate the merchant to move up a level in compliance if they have a breach, which means that adherence to the requirements can be even more difficult.
Moreover, regulations demand that all individuals whose data is believed to have been leaked during a breach incident be alerted in writing - so they can stay vigilant for any fraudulent activity on their payment card accounts.
Because of these mounting costs, the expenses caused by a single data exposure event can end up far surpassing the initial $500,000 fine and financially devastate organizations of all sizes.
For merchants, PCI DSS controls are divided into four levels. Each level is based on the number of card transactions a merchant processes per year; PCI Compliance Level 1 is the most stringent.
PCI Compliance Level 1
- Merchants that process more than 6 million credit or debit card transactions per year, including in-store, online, or a mixture of both
- Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system
- Level 1 merchants must submit a Report on Compliance (ROC) to demonstrate that they are compliant, which must be signed by a QSA
PCI Compliance Level 2
- Merchants that process 1 million to 6 million credit or debit card transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)
PCI Compliance Level 3
- Any merchant that processes 20,000 to 1 million e-commerce credit or debit card transactions per year
PCI Compliance Level 4
- Any merchant that processes less than 20,000 e-commerce transactions annually
Service providers help merchants store, transmit, or process cardholder data. For service providers, such as those in the payment processing industry, there are only two levels of PCI compliance:
Level 1 Service Provider
- Includes providers that process over 300,000 credit card transactions per year.
- Partners, customers and integration partners may ask Level 2 providers to validate compliance as a Level 1 provider, and Level 2 service providers often validate as a Level 1 to reap the benefits of joining the Visa Registry.
- Level 1 service providers must submit a Report on Compliance (ROC) to demonstrate that they are compliant, which must be signed by a QSA.
Level 2 Service Provider
- Includes providers that process less than 300,000 credit card transactions per year.
Becoming a PCI DSS compliant organization can be a long journey, particularly if you’re a small business going it alone. Building a PCI compliant network and following best practices means that you will, at a minimum, need to take the following steps.
Let’s go over each of them.
Step 1: Gap Assessment (1.5 - 3 months)
The initial move your business should make is to find out what your current situation is as it relates to payment card data security, a procedure called a “gap analysis.” This enables companies to identify any “gaps” in their security posture, so they know what to fix in order to become PCI DSS compliant.
Resolving the gaps that you identify during the gap assessment may require new resources, including servers, routers, communication equipment, physical security, and full-time employees, since your current resources could be insufficient.
The most painless way to do this would be to skip the gap assessment step entirely, which is only possible if you implement an all-in-one, dedicated information security solution - like VGS.
For businesses that would prefer to do the PCI DSS compliance journey piecemeal, rather than using an end-to-end solution, there are two options:
The DIY Option: Without asking for any third-party assistance, companies can fill out a Self-Assessment Questionnaire (SAQ). The SAQ is a simple, yes-or-no guidebook that helps companies assess how much they are adhering to PCI security standards (keep in mind that there are nine different versions, depending on the ways in which your business processes cardholder data).
The Point Solution Option: Instead of navigating the Self-Assessment Questionnaire themselves, many organizations skip the SAQ and instead opt to pay an external PCI Qualified Security Assessor (QSA) to perform the gap analysis for them.
Step 2: Decide what infrastructure to build on top of (1 month)
After you’ve performed a gap assessment, either self-completed or done with the help of an auditor, you now know where your company is lacking. Now it’s time to start getting down to the nitty-gritty.
The second step is figuring out how you will design your organization’s secure network for the storage of credit card information, including how you will implement strong access control measures.
What will be your payment card data store process? Will you opt for a secure cloud storage subscription service for that data store process? What about an on-premise physical database to keep all your users’ sensitive credit card data?
Once you figure out the type of infrastructure that your company thinks is best to protect credit card information, you can start planning out the systems and processes that will actually enable you to become PCI compliant.
Step 3: Put in place new business controls (~3 months)
After you’ve identified which infrastructure your business will utilize to store its cardholder data, you can start setting up the new controls that ensure the sensitive data is secure.
This includes defining roles and responsibilities for personnel and vendors with physical access to cardholder data, securing the locations in your system that are exposed to cardholder data, implementing a data encryption and/or tokenization solution and documenting processes and procedures, and ensuring that internal controls are suitably designed and operating effectively.
Test and verify that your controls reduce the risks you identified as expected. Controls do not always work as intended: technology changes rapidly, so a method you chose a few months ago may already have been circumvented in the intervening time.
Step 4: Gathering documentation (~2 months)
PCI DSS Compliance is an audit process; much like you may need to retain receipts to answer any IRS questions about your taxes, a PCI DSS audit will inspect the internal controls across your environment. Since so many of these controls rely on policies and operating procedures, it’s vital to ensure that critical operations are documented, stored, and communicated to staff. Additionally, control evidence may need to be shared to provide assurance that internal controls have been operating continuously; and, where they are not in place but supported by compensating controls, the justification for the alternative approach.
Let’s look at one control in particular as an example: PCI Requirement 5 (all the requirements are listed below), which articulates the need for anti-virus/anti-malware solutions within your environment. Validating this single control area necessitates a variety of documentation:
- What technology is being used to identify, prevent, and remediate malware indicators?
- Where is this technology scoped with respect to the CDE?
- Who is responsible for maintaining, operating, and consistently deploying this technology, and how? I.e., are there processes or runbooks for Security Analysts to effectively navigate the malware detection and remediation path?
- Does the technology provide 90-day log retention natively? If not, where and how is that log data being stored?
Now, assuming all that is in place and aligned to PCI security standards - it’s time to provide evidence supporting that control statement. Long story short, documentation can be quite a burdensome endeavor to complete, especially taking into account that documentation is only as effective as it is communicated and adopted.
Step 5: Ongoing maintenance (never-ending)
When you set up a secure cardholder data environment yourself, in accordance with security standard PCI requirements, there is never a finish line.
Your security infrastructure and policies need to be constantly looked after, software systems need to be updated, vulnerabilities need to be scanned for and patches need to be applied - all as part of a non-stop effort to keep your compliance status. Even modest changes to infrastructure, data transfer paths, or internal tools can have a profound impact on an organization’s approach to PCI.
Plus, whenever you add a new feature to your product that in any way impacts your company’s cardholder data, your PCI DSS compliance is no longer valid. Your cardholder data environment changed since the point in time when your compliance was verified, so you will need a QSA to revalidate your compliance with its current state.
Additionally, the PCI standards themselves may change, requiring additional investment; the PCI standard itself has undergone 9 changes since 2004, and PCI 4.0 is anticipated for 2020.
The endless cycle of adjusting, then revalidating, then adjusting and revalidating again is an ongoing expense that many businesses - unfortunately - don’t take into consideration when embarking on a DIY PCI DSS compliance journey. While supporting these audits can be costly in terms of security tooling and infrastructure, it can be equally taxing on resources who may now need to dedicate time away from building products and services to focus on developing a defensible PCI posture.
PCI DSS Compliance is achieved after businesses verifiably complete all 12 requirements included in the security standard.
Within these 12 requirements are hundreds of sub-requirements, which go well beyond firewalls, anti-virus software, strong passwords and other security measures. Some of them may be especially difficult for smaller organizations to meet, particularly without any expert help.
The 12 requirements for PCI DSS compliance are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know, which is achieved when you implement strong access control measures
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a security policy that addresses information security for employees and contractors
With so many requirements, building a PCI compliant information security infrastructure can be a daunting task for small and medium-sized businesses, and additional engineers are often hired to supplement in-house resources.
Each requirement also involves a different cost and timeframe for successful implementation.
So, you’ve gone through all the steps to secure your customers’ card industry data - now what?
Does your company need to officially validate its compliance with PCI standards?
For Level 1 merchants and service providers, the answer is yes.
If you are a Level 1 merchant or service provider, you need to undergo an audit that results in a completed Report on Compliance (ROC), which must be signed by a QSA.
All other levels of merchants and providers can simply complete their own SAQ and sign their own Attestation of Compliance (AOC).
PCI compliance, when attempted via the DIY path, involves a high Total Cost of Ownership (TCO). Compared to employing an end-to-end compliance solution, such as VGS, the TCO looks like this:
How much are you actually paying?
When you go the DIY route, your business is paying more than just money. You are allocating a significant amount of time to each requirement involved - which only takes away from the time you dedicate to growing your core business.
Moreover, every time you make a change in your environment or your product, you re-start the process of PCI.
The cost of the 12 PCI requirements can add up to $1M after all is said and done, and most of them repeat yearly to maintain PCI:
- Costs of security tools and infrastructure components.
- Continuously operate internal controls in accordance with internal SLAs and processes.
- Costs of hiring reliable and experienced auditors knowledgeable about your tech stack
- Manage staff, resources, and commitments as a PCI project.
- Establish and maintain internal controls to satisfy PCI.
- Design, manage, and continually update policies, procedures, and internal processes.
- Dedicate staff for audit project management and preparation.
- Additional operating and licensing costs for necessary services.
For companies that aren’t interested in painstakingly going down the list of PCI requirements to tailor their information security policy, securing and testing everything themselves, then getting evaluated by a Qualified Security Assessor, there’s a much easier option that also costs less than the DIY route.
The solution: work with a third-party data security partner who takes care of your PCI Compliance for you.
A business seeking PCI Compliance can integrate with a third-party agent such as VGS, which has been audited by an independent QSA and is approved as a PCI Compliance Level 1 service provider.
Whether you’re a merchant, service provider, or another type of organization, using VGS is easier for you and your business because:
VGS makes it simple to remove your systems completely from the scope of cardholder data and deal with all your security and compliance around payment card data, plus all other sensitive information, on your behalf.
VGS maintains a fully hardened and managed PCI L1 approved CDE along with a suite of options to safely collect credit card data.
VGS is a Level 1 Service Provider certified with PCI DSS 3.2.1 domains.
You may qualify for a reduced validation scope: an SAQ A-type ROC/Level 1 audit, or SAQ A-EP.
VGS provides nearly instant compliance for smaller merchants and service providers upon integration. For businesses that are PCI Level 1, either because of transaction volume or because their bank or partners require it, compliance can be achieved in as few as 21 days.
By taking the DIY path, the same result can take several months - after you’ve already poured a substantial amount of human and financial capital into your information security policy to protect your databases, systems, and processes.
Very Good Security is a completely scalable solution that grows with your business and can take your PCI burden off your plate almost entirely while almost effortlessly following PCI best practices.
Using VGS allows you to quickly meet the vast majority of Payment Card Industry Data Security Standard (PCI DSS) compliance requirements and, on a continuous basis, partners with you on the work needed to obtain and maintain PCI compliance.
By working with VGS, our users strongly segment their business logic from any sensitive data, which is always protected in the VGS Vault. The VGS Vault does the following:
- Serves as a way to securely store and use payment card industry data.
- Leverages security controls including key rotation, patch management, segregated accounts, extensive audit logging, regular vulnerability testing, 24/7 continuous monitoring, as well as AES 256-strength encryption.
Compared against other data security vaulting solutions on the market, the VGS Vault is unique because:
- It works seamlessly with our proxies to provide a safe and compliant way to easily protect your company’s sensitive data, both at rest (AES-256-GCM encryption) and in flight (TLS 1.2).
- It instantly hardens your applications, including 24/7 monitoring for intrusion detection and anomalies, efficient vulnerability management, strong security patching procedures and extensive change management controls.
VGS quickly descopes companies from PCI DSS and accepts the responsibility of storing all their sensitive data; our customers are only responsible for access control to security configurations through the VGS dashboard.
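Step 3 above mentions implementing “a data encryption and/or tokenization solution”, and the Vault description above lists AES-256-GCM at rest and key rotation. The following is an added illustration written for this post, not VGS’s own code, of the mechanism behind descoping: the PAN is sealed inside a vault and the application is handed only an opaque token, so the systems holding tokens never see cardholder data. The `Vault` type, its methods and the test card number are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// record is one vaulted PAN: its ciphertext, nonce and the index of the key that sealed it.
type record struct {
	key       int
	nonce, ct []byte
}

// Vault is a toy tokenization vault (constructed for illustration, not VGS code): PANs are
// sealed with AES-256-GCM inside the vault and callers only ever hold an opaque token.
type Vault struct {
	keys    []cipher.AEAD     // AES-256-GCM keys; the last is current, older ones still open old records
	records map[string]record // token -> sealed PAN
}

// randBytes returns n cryptographically random bytes (crypto/rand does not fail in practice).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewVault creates a vault with one freshly generated data-encryption key.
func NewVault() *Vault {
	v := &Vault{records: map[string]record{}}
	v.RotateKey()
	return v
}

// RotateKey generates a new AES-256 key and makes it current. A production vault would
// also re-encrypt existing records under the new key before retiring the old one.
func (v *Vault) RotateKey() {
	block, _ := aes.NewCipher(randBytes(32)) // a 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)           // cannot fail for an AES block
	v.keys = append(v.keys, gcm)
}

// Tokenize seals the PAN under the current key and returns a random token. The token is
// bound as GCM associated data, so a stored ciphertext cannot be re-attached to another
// token. Only a length check is done here; a real vault also verifies the digits and Luhn.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	cur := len(v.keys) - 1
	nonce := randBytes(v.keys[cur].NonceSize())
	token := "tok_" + hex.EncodeToString(randBytes(16))
	ct := v.keys[cur].Seal(nil, nonce, []byte(pan), []byte(token))
	v.records[token] = record{key: cur, nonce: nonce, ct: ct}
	return token, nil
}

// Detokenize opens the sealed PAN for a token; only the vault, inside the CDE, can do this.
func (v *Vault) Detokenize(token string) (string, error) {
	r, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := v.keys[r.key].Open(nil, r.nonce, r.ct, []byte(token))
	return string(pt), err // pt is nil, hence "", when authentication fails
}

func main() {
	v := NewVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN, not a real card
	v.RotateKey()                             // records sealed under the old key still open
	pan, _ := v.Detokenize(tok)
	fmt.Println(tok, pan)
}
```

A database, log or test environment that stores only the token holds nothing a thief can charge, which is what moves those systems out of the CDE.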
At VGS, we:
- Guarantee that PCI data never touches non-Cardholder Data Environments (this includes any non-hardened systems, such as your test environment).
- Securely vault and manage credentials to access network resources and cardholder data (including your VGS Dashboard password and API keys) and monitor how these credentials are distributed and used.
- Provide yearly security awareness training for team members.
- Properly vet employees (e.g. criminal background checks, necessary access, job function, etc.).
- Maintain full PCI DSS and SOC 2 controls across our infrastructure.
We help our customers:
- Generate copies of current Attestation of Compliance (AOC) documents from all cardholder service providers on a yearly basis.
- Maintain audits of PCI DSS controls every year, especially of the Information Security Policy that details your company’s PCI DSS controls.
- Build and test incident response procedures.
- Designate and document internal roles and duties for handling PCI related data and vendor relationships.
By using VGS for your data security and compliance needs, including PCI and beyond, you’ll have a trusted partner to help usher you through the entire data security journey. After an easy-to-navigate onboarding process, your business will be descoped from much of the PCI compliance requirements - with the collection, storage, and transfer of sensitive data all handled through VGS solutions.
We empower our users to store zero sensitive data in their systems, rapidly obtain full PCI compliance, drastically minimize the risk of data breaches, and substantially improve their company’s security posture in one fast, sweeping motion.
Are you a merchant or service provider handling sensitive data connected to consumers’ credit cards? Contact us!