David Scovetta on Compliance, February 19, 2020

What is PCI Compliance?

A simplified crash course on the Payment Card Industry Data Security Standard (PCI DSS), including the most cost-effective path to securing cardholder data and quickly obtaining PCI Compliance.

Unsure about PCI Compliance? Here’s everything you need to know about PCI DSS and what it takes to obtain – and demonstrate – your company’s compliance.

You can do this yourself or with the help of third parties, which we will cover at the end of this post.

What exactly is PCI DSS?
What is PCI Compliance?
What are the benefits of PCI Compliance?
What if I am not PCI compliant?
How much are PCI non-compliance fines?
What are the PCI DSS compliance levels and their core requirements?
How Do You Become PCI Compliant?
What are the 12 requirements for PCI compliance?
How Do I Validate My PCI Compliance?
What does it cost to be PCI compliant?
Working with a comprehensive third-party data protection solution
Putting your PCI DSS burden in trusted hands

What exactly is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of standards for companies of any size that handle credit card data. To put it simply, PCI DSS directs how organizations should securely manage credit card payments and cardholder data in order to best protect cardholder information.

The standard was set up by the Payment Card Industry Security Standards Council (PCI SSC), which is made up of the major credit card companies (American Express, Discover Financial Services, Visa, MasterCard and JCB International).

The SSC set up these card industry data security requirements to help protect cardholder information and prevent payment card fraud. Each of the payment card brands incorporates PCI DSS as part of the technical requirements for all of their own data security compliance programs.

The SSC maintains, evolves, and promotes these standards. They also offer tools for companies to implement the standards, such as assessment and scanning qualifications, self-assessment questionnaires, training and education, as well as product certification programs.

What is PCI Compliance?

An organization is PCI compliant when it abides by PCI DSS requirements on an ongoing basis and effectively protects cardholder data by maintaining a secure cardholder data environment (CDE).

How you validate your PCI Compliance depends on how many transactions you process each year (more on how to validate below).

What are the benefits of PCI Compliance?

While PCI DSS Compliance is not a legal requirement, it is necessary for companies that need to store or transmit credit card data, or else they won’t be able to work with payment cards.

Even though PCI DSS is a minimal hurdle that many organizations need to overcome in order to run a company, compliance shouldn’t be viewed as a burden - but as a business investment that comes with a number of benefits.

The appropriate level of PCI compliance enables your business to:

  • Work with payments processors to build an online marketplace.
  • Partner with card issuers to launch your own payment card.
  • More easily be compliant with other requirements, like SOC 2 or HIPAA, since these frameworks share common controls among them.
  • Minimize risk and impact of a potential breach.

More importantly, demonstration of compliance with the PCI DSS shows your customers that you take their data privacy seriously and are willing to invest resources to do so.

What if I am not PCI compliant?

PCI DSS is not a law, but it does outline a path to successfully protecting your customers’ cardholder information. Non-compliance with PCI DSS means that your customers’ sensitive PCI data is less safe, which comes with a number of disadvantages.

Failing to sufficiently secure your CDE leaves your organization more susceptible to data breaches, which can result in:

  • An investigation into your business
  • A damaged brand reputation
  • Weakened sales
  • Lost jobs
  • Inability to continue to accept credit cards
  • Substantial financial penalties
  • Loss of confidence within banking and financial partnerships
  • Regulatory scrutiny such as FTC investigations and audits

How much are PCI non-compliance fines?

Non-compliance fines start at $5,000 but can soar to as high as $500,000 per PCI data security incident (like a massive data breach). The size of the fine varies with the state of your PCI controls and, if a breach occurred, with whether the breach was due to a failure in operating a PCI control.

On top of those costs, merchants may have to pay extra penalties to their bank. Banks and payment processors can end their relationships with the merchant entirely or increase per-transaction processing fees and require the merchant to pay for the replacement of the payment cards exposed in the data breach.

The bank or processor may obligate the merchant to move up a level in compliance if they have a data breach, making adherence to the requirements even more difficult.

Moreover, regulations demand that all individuals whose data is believed to have been leaked during a data breach incident be alerted in writing - so they can stay vigilant for any fraudulent activity on their payment card accounts.

Because of these mounting costs, the expenses caused by a single data breach event can end up far surpassing the initial $500,000 fine and financially devastate organizations of all sizes.

It is vital to be familiar with your credit card merchant account agreement(s), which should comprehensively outline your company’s potential damages and exposure - in the event your business has a data breach.

If you are a publicly-traded company, there is additional legal and regulatory risk should a breach call into question the validity of financial statements (such as 10k filings). In addition, a data breach can directly impact investor confidence and stock prices.

What are the PCI DSS compliance levels and their core requirements?

For merchants, PCI DSS controls are divided into four levels. Each level is based on the number of cards a merchant processes per year; PCI Compliance Level 1 is the most stringent.

PCI Compliance Level 1

  • Merchants that process more than 6 million credit or debit card transactions per year, including in-store, online, or a mixture of both
  • Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system
  • Level 1 merchants must submit a Report on Compliance (ROC) to demonstrate that they are compliant, which must be signed by a Qualified Security Assessor (QSA)

PCI Compliance Level 2

  • Merchants that process 1 million to 6 million credit or debit card transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)

PCI Compliance Level 3

  • Any merchant that processes 20,000 to 1 million credit or debit card e-commerce transactions per year

PCI Compliance Level 4

  • Any merchant that processes fewer than 20,000 e-commerce transactions annually

Service providers help merchants store, transmit, or process data. For service providers, like those in the payment processing industry, for example, there are only two levels of PCI compliance:

Level 1 Service Provider

  • Includes service providers that process over 300,000 credit card transactions per year.
  • Partners, customers and integration partners may ask Level 2 service providers to validate compliance as a Level 1 provider, and Level 2 service providers often validate as a Level 1 to reap the benefits of joining the Visa Registry.
  • Level 1 service providers must submit a Report on Compliance (ROC) to demonstrate that they are compliant, which must be signed by a Qualified Security Assessor (QSA).

Level 2 Service Provider

  • Includes service providers that process fewer than 300,000 credit card transactions per year.

How Do You Become PCI Compliant?

Becoming a PCI DSS compliant organization can be a long process, particularly if you’re a small business going for it alone. Let’s go over the steps that can take you there.

Step 1: Gap Assessment (1.5 - 3 months)

The initial move your business should make is to find out what your current situation is as it relates to payment card data security, a process called a “gap analysis.” This enables businesses to identify any “gaps” in their security posture so they know what to fix in order to become PCI compliant.

The most painless way to do this would be to skip the gap assessment step entirely, which is only possible if you implement an all-in-one, dedicated data security solution - like VGS.

For businesses that would prefer to approach PCI DSS compliance piecemeal, rather than using an end-to-end solution, there are two options:

The DIY Option: Without asking for any third-party assistance, businesses can fill out a Self-Assessment Questionnaire (SAQ). The SAQ is a simple, yes-or-no guidebook that helps companies assess how much they are adhering to PCI standards (keep in mind that there are nine different versions, depending on the ways in which your business processes cardholder data).

The Point Solution Option: Instead of navigating the SAQ themselves, many organizations opt to pay an external PCI Qualified Security Assessor (QSA) to perform the gap analysis for them.

Step 2: Decide what infrastructure to build on top of (1 month)

After you’ve performed a gap assessment, with or without an auditor, you now know where your company is lacking. Now it’s time to start getting down to the nitty-gritty.

The second step is figuring out how you will design your organization’s secure network for the storage of credit card information.

What will be your cardholder data store process? Will you opt for a cloud storage subscription service? What about an on-premise physical database to keep all your users’ sensitive payment card information?

Once you figure out the type of infrastructure that your company thinks is best to protect cardholder data, you can start planning out the systems and processes that will actually enable you to become PCI DSS compliant.

Step 3: Put in place new business controls (~3 months)

After you’ve identified which infrastructure your business will utilize to store its cardholder data, you can start setting up the new controls that ensure the sensitive data is secure.

This includes defining roles and responsibilities for personnel and vendors with access to cardholder data, securing the locations in your system that are exposed to cardholder data, implementing a data encryption solution and documenting processes and procedures, and ensuring that internal controls are suitably designed and operating effectively.

Step 4: Gathering documentation (~2 months)

PCI Compliance is an audit process; much as you may need to retain receipts to answer any questions the IRS has about your taxes, a PCI audit will inspect the internal controls across your environment. Since so many of these controls rely on policies and operating procedures, it’s vital to ensure that critical operations are documented, stored, and communicated to staff. Additionally, control evidence may need to be shared to provide assurance that internal controls have been operating continuously; where controls are not in place but are supported by compensating controls, the justification for the alternative approach may need to be shared as well.

Let’s look at one control in particular as an example: PCI Requirement 5 (all the requirements are listed below), which articulates the need for anti-virus/anti-malware solutions within your environment. Validating this single control area necessitates a variety of documentation:

  • What is the technology being used to identify, prevent, and remediate malware indicators?
  • Where is this technology scoped with respect to the CDE?
  • Who is responsible for maintaining, operating, and consistently deploying this technology, and how? For example, are there processes or runbooks for Security Analysts to effectively navigate the malware detection and remediation path?
  • Does the technology provide 90-day log retention natively? If not, where and how is that log data being stored?

Now, assuming all that is in place and aligned to PCI requirements - it’s time to provide evidence supporting that control statement. Long story short, documentation can be quite a burdensome endeavor, especially taking into account that documentation is only as effective as it is communicated and adopted.

Step 5: Ongoing maintenance (never-ending)

When you set up a secure cardholder data environment yourself, in accordance with security standard PCI requirements, there is never a finish line.

Your security infrastructure and policies need to be constantly looked after, software systems need to be updated, vulnerabilities need to be scanned for and patches need to be implemented - all as part of a non-stop effort to keep your compliance status. Even modest changes to infrastructure, data transfer paths, or internal tools can have a profound impact on an organization’s approach to PCI.

Plus, whenever you add a new feature to your product that in any way impacts your company’s cardholder data, your PCI DSS compliance is no longer valid. Your cardholder data environment changed since the point in time when your compliance was verified, so you will need a QSA to revalidate your compliance with its current state.

Additionally, the PCI standards themselves may change, requiring additional investment; the PCI standard itself has undergone 9 changes since 2004, and PCI 4.0 is anticipated for 2020.

The endless cycle of adjusting, then revalidating, then adjusting and revalidating again is an ongoing expense that many businesses - unfortunately - don’t take into consideration when embarking on a DIY PCI compliance journey. While supporting these audits can be costly in terms of security tooling and infrastructure, it can be equally taxing on resources who may now need to dedicate time away from building products and services to focus on developing a defensible PCI posture.

[Figure: PCI compliance process]

What are the 12 requirements for PCI compliance?

So, now that you know what the standard PCI DSS compliance process looks like, let’s look at what the actual fine print tells us.

What are the specific tasks that businesses need to complete in order to secure their cardholder data environment?

Companies who wish to obtain PCI Compliance must fulfill the following 12 requirements.

1. Set up and maintain a firewall

Firewalls are hardware or software devices which allow or prevent network traffic according to a set of internally-defined rulesets. On endpoints, these may be host-based firewalls such as the native firewall on macOS which restricts traffic from unsigned applications.

At the network layer, these may be a combination of physical firewalls, switches, routers, and the network configurations supplied across them. Firewalls are frequently the first line of defense against cybercriminals, and their effectiveness in stopping unauthorized access is why these prevention systems are required for PCI DSS Compliance.

These will need to be deployed around the CDE, as well as around assets that directly access that environment. If your business has complex network layering, managing the complexities of establishing consistent firewall rulesets around that perimeter can be daunting.

2. Strong password protections

Oftentimes when startups use third-party databases, point of sale (POS) systems, and other types of integrations, the passwords aren’t as difficult to crack as they should be – which creates avoidable vulnerabilities. Characteristics such as length, complexity, and multi-factor authentication are typically prescribed.

That’s why PCI DSS compliance requires basic password configurations and precautions, including regular password changing and maintaining a list of all devices and software that ask for system passwords (or other type of login verification).

3. Protect cardholder information

When businesses handle cardholder data, PCI requirements demand all that information be encrypted with certain algorithms in transit and in storage. Frequent maintenance and scanning of primary account numbers (PAN) are both necessary to guarantee that encryption is enabled and planning is in place to monitor these controls.

4. Encrypt the transmission of cardholder data

Many businesses transmit cardholder data across several regular channels, and it must all be encrypted whenever it is sent to these predetermined locations. Cardholder account numbers aren’t allowed to be sent to unknown destinations. Often an audit will consider where this data is accessible from; for example, if a remote employee has access to cardholder data, how they connect to the PCI-compliant infrastructure may need to be considered.

5. Install and maintain anti-virus software

Implementing anti-virus software is a good idea for your business, regardless of PCI compliance. To become compliant, however, anti-virus software is obligatory for all devices that touch or store PAN. Additionally, anti-virus controls require constant monitoring, enforcement, upgrade planning, and log retention. Your POS provider should implement anti-virus solutions as well, whenever it cannot be directly installed.

6. Keep all software properly updated

While, in general, it’s a good idea to keep every software solution that your business uses updated at all times, it’s also a PCI compliance requirement. When software providers launch their updates, they often include security measures, like patches that resolve recently discovered weak spots. For software that interacts with cardholder data, it’s even more crucial.

This can become a significantly complex control to satisfy in the event user laptops are considered in scope; employees may collectively have hundreds, if not thousands, of unique application instances and versions.

7. Control data access

Businesses should always control access to network resources and sensitive data. But when it comes to cardholder data, PCI DSS says you need to control who gets to see it. Access to all sensitive PCI data should be on a strictly “need to know” basis. According to PCI requirements, the team members’ roles that get access to sensitive data should be documented and frequently updated.

8. Require unique IDs for access

Team members in your company that do get access to cardholder information need to have their own unique login credentials for access. There shouldn’t be, for example, a single login ID and password used by multiple employees to access encrypted data. Unique credentials establish a clear custodianship of activity to an individual that may otherwise become obfuscated or lost through use of a service account.

9. Restrict physical access to cardholder data

Cardholder information needs to be physically stored in a safe place. For PCI DSS, this includes both data that’s stored digitally – like in a physical database – as well as any physically written or typed data. Physical access to cardholder data must be limited, and there should be a record of any time there is access to cardholder data.

10. Establish and maintain access logs

Apart from restricting physical access to cardholder information, businesses must keep records of access. Anytime a team member accesses cardholder data in your system, that event must be logged. Additionally, the logging events themselves must include the appropriate event indicators that would provide a clear chain of events in data access activities.

PCI Compliance requires proper record keeping and documentation in the form of access logs, and companies must document how PCI data flows throughout their organization – including the number of times access is needed. Software solutions to record access are also necessary to guarantee accuracy.

An additional component of this is the implied control of monitoring; even if these events are being appropriately logged, are they being maintained and stored in a secure fashion that restricts the likelihood of loss or tampering, and are they available to be aggregated and correlated to put together a chain of events following an incident?

11. Scan and test for vulnerabilities

The ten preceding standards mean that companies need to employ a number of software products, physical data storage locations, and probably a few new team members.

It’s important to regularly test security systems and make sure everything is in order. After all, there are several things that can go wrong, malfunction, become obsolete or suffer as a result of human error.

These possibilities can be minimized by abiding by the PCI DSS requirements for regular scans and vulnerability testing.

Satisfying this control typically includes two core components: penetration testing of external web applications servicing PCI-scoped data, and vulnerability scanning on the underlying hosts. Additionally, the implied controls include prioritization and remediation of identified vulnerabilities. Often, maintaining a consistent pattern of fixing these security bugs requires assessing the underlying infrastructure and code layers, and this is where simple scans can turn into much broader complexities. For an example and more information on these complexities, see the Wikipedia page on ‘Dependency Hell’.

12. Document your policies

PCI DSS requires documentation of a business’ inventory of equipment, software, and team members that have access to cardholder data. How PCI data flows into your organization, where it is stored, when it is accessed and how it is used after the point of sale also needs to be documented.

Some questions you may need to ask of your organization include:

  • On managing the inventory of assets, for example: Do I know where all our laptops and mobile devices capable of accessing the CDE are? If I do, are they controlled?
  • On managing software for employees: Do we restrict administrative privileges or regularly audit software usage for individuals accessing the CDE?

How Do I Validate My PCI Compliance?

So, you’ve gone through all the steps to secure your customers’ card industry data - now what?

Does your business need to officially validate its PCI compliance?

For Level 1 merchants and service providers, the answer is yes.

If you are a Level 1 merchant or service provider, you need to undergo an audit that results in a completed Report on Compliance (ROC), which must be signed by a Qualified Security Assessor (QSA).

All other levels of merchants and service providers can simply complete their own self-assessment questionnaire (SAQ) and sign their own Attestation of Compliance (AOC).

What does it cost to be PCI compliant?

PCI compliance, when attempted via the DIY path, involves a high Total Cost of Ownership (TCO). Compared to employing an end-to-end compliance solution, such as VGS, the TCO looks like this:

[Figure: cost of PCI compliance]

How much are you actually paying?

When you go the DIY route, your business is paying more than just money. You are allocating a significant amount of time to each requirement involved - which only takes away from the time you dedicate to growing your core business.

Moreover, every time you make a change in your environment or your product, you re-start the process of PCI.

The cost of the 12 PCI requirements can add up to $1M after all is said and done, and most of them repeat yearly to maintain PCI:

  • Costs of security tools and infrastructure components.
  • Continuously operate internal controls in accordance with internal SLAs and processes.
  • Costs of hiring reliable and experienced auditors knowledgeable on your tech stack.
  • Manage staff, resources, and commitments as a PCI project.
  • Establish and maintain internal controls to satisfy PCI.
  • Design, manage, and continually update policies, procedures, and internal processes.
  • Dedicate staff for audit project management and preparation.
  • Additional operating and licensing costs for necessary services.

Working with a comprehensive third-party data protection solution

For companies that aren’t interested in painstakingly going down the list of PCI DSS requirements, securing and testing everything yourself, then getting evaluated by a qualified security assessor, there’s a much easier option that also costs less than the DIY route.

The solution: work with a third-party data security partner who takes care of your PCI compliance for you.

A business seeking PCI compliance can integrate with a third-party agent such as VGS, which has been audited by an independent QSA and is certified as a PCI Compliance Level 1 service provider.

Working with VGS is easier for you and your business because:

  • VGS makes it simple to remove your systems completely from the scope of cardholder data and deal with all your security and compliance around cardholder data, plus all other sensitive information, on your behalf.
  • VGS maintains a fully hardened and managed PCI L1 certified CDE along with a suite of options to safely collect cardholder data.
  • VGS is a Level 1 Service Provider certified with PCI DSS 3.2.1 domains.
  • You can get a potential reduction to SAQ A type ROC/L1 Audit or SAQ A-EP type.

Putting your PCI DSS burden in trusted hands

Using VGS allows you to quickly meet the vast majority of PCI compliance requirements, and VGS works as a partner, on a continuous basis, in several of the efforts necessary to obtain and maintain PCI compliance.

By working with VGS, our users strongly segment their business logic from any sensitive data, which is always protected in the VGS Vault. The VGS Vault does the following:

  • Serves as a way to securely store and use payment card industry data.
  • Leverages security controls including key rotation, patch management, segregated accounts, extensive audit logging, regular vulnerabilities testing, 24/7 continuous monitoring, as well as AES 256-strength encryption.

Compared against other data security vaulting solutions on the market, the VGS Vault is unique because:

  • It works seamlessly with our proxies to provide a safe and compliant way to easily protect your company’s sensitive data, both at rest (AES-256-GCM encryption) and in flight (TLS 1.2).
  • It instantly hardens your applications, including 24/7 monitoring for intrusion detection and anomalies, efficient vulnerability management, strong security patching procedures and extensive change management controls.

VGS quickly descopes companies from PCI DSS and accepts the responsibility of storing all their sensitive data; our customers are only responsible for access control to security configurations through the VGS dashboard.

At VGS, we:

  • Guarantee that PCI data never touches non-Cardholder Data Environments (this includes any non-hardened systems, such as your test environment).
  • Securely vault and manage access credentials (including your VGS Dashboard password and API keys) and monitor how these credentials are distributed and used.
  • Provide yearly security awareness training for team members.
  • Properly vet employees (e.g. criminal background checks, necessary access, job function, etc.).
  • Maintain full PCI and SOC-2 controls across our infrastructure.

We help our customers:

  1. Generate copies of current Attestation of Compliance (AOC) documents from all cardholder service providers on a yearly basis.
  2. Maintain audits of PCI controls every year, especially the Information Security Policy that details your company’s PCI controls.
  3. Build and test incident response procedures.
  4. Designate and document internal roles and duties for handling PCI related data and vendor relationships.

By using VGS for your data security and compliance needs, including PCI and beyond, you’ll have a trusted partner to help usher you through the entire data security journey. After an easy-to-navigate onboarding process, your business will be descoped from much of the PCI compliance requirements - with the collection, storage, and transfer of sensitive data all handled through VGS solutions.

We empower our users to store zero sensitive data in their systems, rapidly obtain full PCI compliance, drastically minimize risk of data breaches, and substantially improve their company’s security posture in one fast, sweeping motion.

Are you a merchant or service provider handling sensitive data connected to consumers’ credit cards? Join us for a 30 minute product overview or fill in the form.
