You don’t need a professional to be PCI-compliant, but professional expertise can make navigating the notoriously complex PCI DSS requirements easier. An experienced cybersecurity firm with qualified assessment staff can speed up compliance, enhance a firm’s security posture according to priority actions, and help the firm achieve a high level of security and peace of mind.
However, you must use a professional for your business to be PCI-certified. While PCI compliance can be confirmed with yearly self-assessments and attestations, PCI certification requires a rigorous, external, independent assessment.
If you are PCI-compliant, you adhere to the cardholder data standards of PCI DSS. If you are PCI-certified, you’re not only compliant, but you’ve also proven this to everyone concerned without room for doubt. Following the PCI standards and attaining certification for PCI are two separate steps.
To help you understand whether you need to be PCI-compliant or PCI-certified — and whether or not you want to use a professional — this post looks more closely at PCI DSS and the implications of PCI compliance vs. PCI certification.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. The standard was created in 2006 by the PCI Security Standards Council (PCI SSC), which comprises payment industry stakeholders, among them the five largest credit card companies: JCB International, American Express, Discover, Mastercard, and Visa.
The PCI SSC is a global forum that provides resources to encourage and facilitate safer payments and card processing worldwide. Its continually evolving standards and requirements apply to businesses that process, store, or transmit cardholder data.
Meeting these standards assures a business that it satisfies the minimum baseline for securing card payments.
PCI DSS applies to all organizations accepting, storing, processing, or transmitting cardholder data. All merchants must adhere to PCI DSS requirements or risk non-compliance.
While PCI compliance is not required by federal law, it’s mandated by the contracts between merchants, major card brands, and banks.
Payment brands can fine banks for not complying with PCI DSS. For the most part, a business that does not comply with PCI DSS is not breaking the law. What is more likely to happen is that the payment processor or card brand is fined for working with a non-compliant merchant. The payment processor or card brand may then pass the fine on to the merchant.
Therefore, the merchant is not directly fined for non-compliance, but there is still a real risk and cost to non-compliance.
Non-compliant merchants and other organizations mishandling cardholder data could be considered in breach of their contract with payment processors and banks, which could lead to legal action.
In some US states, including Minnesota and Washington, businesses must maintain standards equivalent to PCI DSS. This is law at the state level, so firms should consider their PCI compliance requirements on a state-by-state basis.
Additionally, PCI compliance can be demonstrated either by self-assessment via a questionnaire or by external assessment, depending on the merchant's compliance level, which ranges from 1 to 4.
Unlike attesting to PCI compliance, PCI certification necessitates verification by an external third-party assessor. A firm that merely attests to PCI compliance has not yet proven that it has implemented the required security measures. The certification assessment is a comprehensive audit performed by a Qualified Security Assessor (QSA).
The QSA is responsible for auditing all relevant areas of an organization to ensure it has the security controls necessary to protect cardholder data for PCI DSS. QSAs work for independent security organizations that the PCI SSC has vetted to ensure they maintain the rigorous standards PCI DSS requires.
QSA individuals and QSA organizations must adhere to high standards of professionalism, accuracy, integrity, and ethics to conduct efficient and effective PCI DSS assessments. Qualified, independent QSA assessors are necessary because they provide external proof that a firm’s software, procedures, and processes are sufficient to protect cardholder data.
While the data and security measures concerned are the same for PCI compliance or PCI certification, PCI certification is a far more rigorous process and has more weight when earning trust from business partners, customers, and clients.
A business with mature cybersecurity or a high-security rating may find that it can achieve PCI compliance within two weeks after the process begins. However, because being PCI-certified is a more rigorous process and requires a QSA, it can take up to around six months.
The Benefits of PCI Compliance
The increase in cyber attacks means increased risks for everyone making debit or credit card payments. Complying with PCI DSS protects such financial transactions from fraud or mishandling.
Furthermore, businesses can use PCI DSS as a framework for improving their security posture: it helps them identify vulnerabilities that require remediation and threats they can mitigate with security controls.
Strengthening card transaction security is good for business. A data breach or exposure of cardholder information, particularly financial data, can be devastating to a business, resulting in business disruption, loss of revenue, negative media attention, and loss of consumer trust.
The cost of remediating a data breach can be significant, as can the potential fines if it’s determined that the company failed to comply with PCI DSS in circumstances where it’s mandatory or where existing data protection and privacy laws apply. These include but are not limited to the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Of the many costs of a data breach, the reputational damage from compromised customer financial information can be the hardest to recover from. Equifax is one of many examples of a firm that suffered heavily due to major data breaches compromising financial information.
Data breaches are a fact of life today. What counts is that businesses take precautions to prevent them and that they maintain incident response plans that allow them to respond promptly, identifying the source of the breach, containing the damage, reporting the breach to the relevant authorities, customers, and/or the media, and being transparent about the incident.
Part of achieving PCI compliance is maintaining an adequate incident response plan so that the business can limit the damage of accidental exposure or a successful data breach. Complying with PCI DSS can also help a business avoid fines for non-compliance, depending on certain circumstances, including in which state the firm operates.
Benefits of PCI Certification
A business may wish to make its compliance with PCI DSS more widely known through an official PCI certification process. Being PCI-compliant protects cardholders and the businesses that handle their data by making them more resilient to cyber attacks and data exposure. Being PCI-certified, however, makes a bold statement that actively inspires trust in customers, which matters especially for small businesses.
PCI certification demonstrates to customers, clients, and business partners that a business has invested time, money, and effort in providing and prioritizing protections for financial transactions. A PCI-certified business makes it clear that it is genuinely PCI-compliant and maintains those standards, thus protecting third parties and helping secure the supply chain.
Therefore, PCI certification is a stamp of approval that attests that the organization takes protecting cardholder data seriously and implies that it’s ready, willing, and able to flow with the changes in legislation affecting customers’ financial data.
New fraud-prevention strategies, changes to payment infrastructure, new governmental rules regarding data, and more stringent authentication measures are all factors affecting the financial and retail industries. Merchants with PCI certification prove they are up to the challenges of protecting data from evolving cyber risks.
Levels of PCI Compliance
There are four main levels of PCI compliance.
Hiring a professional is necessary for Level 1 PCI DSS compliance.
At Levels 2 through 4, hiring a professional can ease the process of achieving compliance, but it is not a requirement. Each level, from 1 to 4, requires yearly and quarterly actions, making PCI compliance an ongoing activity, not a one-off event.
The amount of work a firm must do to be compliant depends on its size, how many card transactions it makes per year, and its cybersecurity history. The bigger the business and the more transactions, the more requirements are necessary for PCI compliance.
Level 1 is for enterprise-level merchants that process more than 6 million card transactions per year via Visa or Mastercard or more than 2.5 million transactions via American Express.
Alternatively, Level 1 compliance may also apply to organizations that a card association, such as Visa or Mastercard, has deemed Level 1. Firms that have experienced a data breach may also be required to meet Level 1 compliance with PCI DSS.
To attain and maintain this level of compliance, firms must have the following:
- A Level 1 onsite assessment performed annually by a QSA or, in some circumstances, an internal auditor where the assessment is signed by an officer of the company
- A quarterly network scan performed by an Approved Scan Vendor (ASV)
- An Attestation of Compliance (AOC) regarding onsite assessments
Level 2 compliance is relevant to merchants that process between 1 million and 6 million transactions annually.
These firms must provide the following:
- A completed yearly PCI DSS Self-Assessment Questionnaire (SAQ), of which there are various kinds depending on the method of payment integration
- An ASV’s quarterly network scan
- An Attestation of Compliance that corresponds with the appropriate SAQ
At Level 3, merchants handle between 20,000 and 1 million transactions annually. Level 3 requirements are the same as for Level 2.
Level 4 PCI compliance is for merchants processing fewer than 20,000 transactions annually. Level 4 requirements are the same as for Levels 2 and 3.
Three Components of PCI DSS
PCI compliance focuses on three areas. These three areas can be used to categorize the 12 PCI DSS security control requirement families with more than 300 subcomponents.
Handling Payment Card Data
Organizations that handle credit card data directly must implement and maintain appropriate security software and hardware to protect it.
Data protection software, hardware, policies, and procedures are required for cardholder data, even if the data handling is relatively brief or short-lived. No matter the duration or extent, it’s still at risk from hackers, cybercriminals, and insider threat actors.
A company performing its own transactions might be required to meet every one of the 300+ PCI DSS security controls.
By contrast, firms using a third-party payment solution are more likely to avoid having to meet all of those 300+ requirements because the card data is handled entirely on the third party's servers.
It is not feasible for many large firms to use third-party payment systems. However, those that do might only need to adhere and attest to using 22 common security controls.
Firms storing cardholder data must perform an assessment to understand and define the scope of their cardholder data environment (CDE), which is everything connected to the people, processes, and technologies with which the organization handles credit card data.
An organization’s payment environment must be segmented from the rest of the network to make PCI DSS more efficient and effective. Rather than securing the entire network and every endpoint according to 300+ security controls, a segmented network allows the security team to focus on the payment system.
Validating Security Controls
PCI DSS compliance and certification require yearly validation. This is via self-assessment for the former and external assessment for the latter.
Third-party payment processors and business partners may also require proof that adequate security controls are in use.
12 PCI DSS Security Control Requirements
If your business uses a merchant account, which is the bank account required to take card payments, the conditions and requirements related to PCI compliance are normally included in the merchant account providers’ terms and conditions.
While the merchant account provider will take on some burdens of protecting cardholder data, the firm must do its part to ensure safe, private transactions.
For businesses using a payment service provider (PSP), such as Stripe or SumUp, a merchant account is not necessary and the provider typically takes on some responsibility for PCI compliance. However, the organization using the PSP must again ensure that its practices are compliant with PCI DSS.
Cybersecurity for financial transactions is the responsibility of all participants in those transactions. Furthermore, PCI DSS makes non-compliance punishable by fines, not to mention the potential loss of reputation resulting from not following established guidelines for protecting customers and clients.
The 12 families of cybersecurity controls mirroring best practices for organizations dealing with cardholder data are as follows:
- Install and maintain a firewall
- Change default passwords and configuration
- Protect stored cardholder data
- Encrypt transmitted cardholder data
- Implement and maintain antivirus solutions
- Develop security systems and processes
- Use access limitation
- Implement a system of authentication
- Implement physical security
- Monitor network access
- Test systems and processes
- Maintain information security policies
1. Install and Maintain a Firewall
A firewall monitors and tracks everything that enters or exits a network. This basic cybersecurity element can significantly improve an organization’s security posture and is essential to developing a cybersecurity system that can help businesses handle known and emerging threats.
Where sensitive data is stored or transmitted, a firewall is vital. In addition to helping prevent cyber attacks and alerting IT or cybersecurity personnel to suspicious activity, a firewall’s logs can be invaluable during an investigation following a successful data breach.
Data forensics teams can use firewall logs to identify the source of a security problem or data breach. They can use that information to contain the breach or remediate exposure more quickly, which is critical when the compromised data includes sensitive information such as customer data and financial details.
2. Change Default Passwords and Configuration
One of the major vulnerabilities for businesses is the use of common, default passwords for network access.
This is a major issue with the increasing use of IoT devices, which tend to come with weak default security that remains unchanged before it goes into use. Hackers can then easily exploit these devices, even without technical expertise, to breach a network, move laterally, and gain access to sensitive information.
Point-of-Sale (PoS) devices with default passwords give cybercriminals a way to gain unauthorized access to a network and to read, steal, or modify data that passes through the system.
Improving basic default passwords to stronger passwords is a simple way to increase security dramatically. A strong password and multi-factor authentication can go a long way to securing a system that stores or handles card payment information.
Misconfiguration of servers can lead to data exposure. Ensuring proper configuration, and updating and monitoring system settings, is crucial to PCI DSS and to the confidentiality, integrity, and availability of cardholder data.
3. Protect Stored Cardholder Data
Cardholder data is a significant target for hackers. With financial information, cybercriminals can attempt to make fraudulent transactions. This kind of data can also lead to phishing attacks as it gives cybercriminals vital information about their targets, making their attacks more targeted and seem more authentic.
Cybercriminals can also benefit from compromised financial data by encrypting it and holding it to ransom using ransomware or ransomware-as-a-service, leveraging the sensitivity of this data to extort money.
Common and effective methods of securing stored cardholder data include encryption, masking, and hashing. Note that protecting stored data does not focus exclusively on preventing data breaches but considers methods of protecting data and making it unusable if involved in a cyber attack.
Data limitation is also a valid way to reduce the risk of compromised data. It can’t be compromised if it no longer exists. Therefore, data limitation considers ways to reduce the amount of data flowing through businesses, minimizing its storage and limiting how long it remains accessible before being destroyed securely.
According to the PCI DSS standard, primary account numbers (PANs) must be unreadable wherever they are stored. This includes portable devices, flash drives, backup systems, and audit logs.
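The requirement that PANs be unreadable even in audit logs is easy to violate by accident. The following added example (not from the original post) shows two of the techniques named above applied to constructed log lines: Luhn-validated PAN detection with masking to the last four digits, and a keyed hash for storing a PAN reference. The sample lines, the masking policy, and the HMAC key are all constructed for illustration; the example also handles PANs written with spaces or dashes.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so longer numeric blobs are not partially matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; every real PAN passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Masking policy assumed here: keep only the last four digits readable."""
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(digits: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) as a storable PAN reference.

    A plain, unkeyed hash is not enough: the PAN space is small and Luhn-constrained,
    so an attacker with the hash could recover the PAN by brute force.
    """
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_log_line(line: str) -> tuple[str, list[str]]:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns the scrubbed line and the list of PANs that were found, so the caller
    can raise an alert: a PAN reaching a log at all is a finding in its own right.
    """
    found: list[str] = []

    def replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # order ids, timestamps etc. are left alone
        found.append(digits)
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), found


# Constructed sample log lines; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = [
    "2024-01-15 12:03:44 INFO order=1234567890123456 pan=4111 1111 1111 1111 auth=ok",
    "2024-01-15 12:03:45 INFO order=1234567890123457 token=a1b2c3 auth=ok",
]


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a whole log; returns the cleaned lines and the number of PANs found."""
    cleaned, hits = [], 0
    for line in lines:
        scrubbed, found = scrub_log_line(line)
        cleaned.append(scrubbed)
        hits += len(found)
    return cleaned, hits


if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{hits} PAN(s) found and masked")
```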
4. Encrypt Transmitted Cardholder Data
Hackers can intercept data while it’s in transit. In a man-in-the-middle attack, hackers intercept transmissions to read, steal, and/or modify data between the sender and the receiver, with neither knowing that interference has occurred.
Encryption makes it much harder for hackers to perform such attacks. Even if they manage to intercept data, strong cryptography makes it very difficult to read. Decrypting data without the key takes sophisticated methods and a great deal of time, which is why ransomware is so dangerous for businesses and also why encryption is effective against hackers.
When sending or processing financial information or other sensitive data online, it should always be done with additional security above the HTTP protocol. HTTPS adds Transport Layer Security (TLS) to prevent theft, spying, and manipulation of sensitive data.
5. Implement and Maintain Antivirus Solutions
Antivirus software is on the front line of a network, monitoring and checking files on the network and looking out for threats according to its signature database.
An excellent antivirus program will react automatically when a threat is detected. Viruses can self-replicate quickly, and malware can act fast, so it’s helpful to have an automated system that can quarantine suspicious files and alert IT or cybersecurity personnel if it detects suspicious activity.
Not only must a business dealing with cardholder payments implement an antivirus, but it must also maintain that system to continue to be effective. This means upgrading the system regularly to draw on the latest threat intelligence.
6. Develop and Maintain Security Systems, Applications, and Processes
Implementing basic cyber hygiene and robust security measures can help a firm boost its security posture. The organization should identify, develop, and implement security systems and applications that address the organization’s unique vulnerabilities and security needs, as identified by a risk management process.
These security measures also require monitoring and patching to ensure they always work to the best of their ability throughout the organization. The organization needs to manage its attack surface, keeping track of its endpoints, including PoS terminals and staff devices for firms operating Bring Your Own Device (BYOD) or remote working policies.
7. Use Access Control or Limitation
Access control is a key way for businesses to reduce the risk of a data breach. It also facilitates remediating a system after a successful data breach.
Typically, not everyone needs access to sensitive information. With a Privileged Access Management (PAM) system, different users can be given the appropriate access levels according to their needs.
For example, visitors, part-time contractors, and cybersecurity staff might have different network access levels. With fewer people able to access sensitive data, there is less risk of data exposure, attacks from insider threat actors, and compromised credentials leading to data breaches.
It’s also vital that privileged access is revoked the moment it’s no longer necessary. In some cases, staff members have continued to use old login credentials of former colleagues to access confidential data, seriously risking information security.
In the event of a data breach, access control and activity monitoring can help a data forensic team identify what went wrong, when, and where.
8. Implement a System of Authentication
Authentication is vital when dealing with sensitive data because it allows for the monitoring and tracking of users on the network, helping to highlight suspicious activity and making it easier to identify what went wrong if there is a data breach.
Identification means that devices and users have IDs of some sort, typically alphanumeric, that can help network administrators and security staff manage the system.
Authentication means that those users, systems, and processes must prove they are who or what they claim to be. While a username is an example of identification, a password is an example of authentication.
9. Implement Physical Security
Physical and environmental security controls are often overlooked in favor of digital, network-focused solutions. However, improving or maintaining physical security measures is crucial to achieving PCI DSS compliance.
Physical security means safeguarding a perimeter around sensitive data. The perimeter might be the building itself and its grounds, a high-security room within the building, or the surface of a cabinet containing sensitive information.
Securing these areas can be achieved in various ways, including:
- CCTV covering entrances and exits
- Smart badges for visitors and contractors
- Security guards
10. Monitor Network Access
Using controls to limit network access is helpful for cybersecurity, but modern threats require a more robust approach to network security.
With cybercriminals leveraging AI and 5G to perform quicker, more sophisticated, and effective cyber attacks, ensuring network security increasingly requires continuous monitoring and can benefit from leaning on AI technology, too.
Continuous monitoring helps the system detect suspicious activity and deviations from normal patterns. Audit logs can also help data forensics teams assemble the pieces of what happened during a data breach.
With AI and machine learning, a subset of AI, a cybersecurity system can start to understand what normal patterns look like and respond extremely quickly to threats, even if it has not encountered them before.
In an increasingly threat-heavy landscape with emerging threats demonstrating more sophistication and advanced persistent threats challenging not only businesses but the economy itself, continuous network monitoring with the help of threat intelligence, automation, and AI can provide a robust defense against unknown threats.
11. Test Systems and Processes
PCI compliance is not a one-off event but an ongoing practice that requires organizations to ensure that their systems and processes offer continuous protection from cyber attacks.
Testing systems and processes is required to ensure that the security measures implemented are working. Changes in personnel, technology, and the cyber threat landscape itself can all affect a firm's security posture.
Regular, rigorous testing of established systems and processes ensures that cardholder data and other financial information remain secure, whether backed up, in storage, in transit, or being processed.
12. Maintain Information Security Policies
Without documented information security policies, organizations are more likely to lapse into poor cyber hygiene and inconsistent cybersecurity practices, leading to challenges in maintaining information security.
When clear, easily accessible security policies are in force and available throughout the organization, everyone with a stake in cybersecurity can ensure that they are doing what is necessary to maintain the minimum standards required for PCI DSS compliance.
A standardized, holistic approach to cybersecurity helps security teams keep systems updated and reduces the risk of misconfiguration, security gaps, and accidental exposures.