In today’s fast-moving and competitive marketplace, you can barely find any businesses and merchants that still haven’t adopted the use of credit cards for their services.
More than a third of American cardholders use credit cards for their transactions on a monthly basis. With the rising prevalence of identity theft, over 1.1 billion personal records were exposed by data breaches and credit card fraud alone.
This is where PCI (payment card industry) compliance comes in — to ensure that every business’s debit card and credit card transactions are maintained, protected, and safe from any sort of fraud and mishandling.
Both small and large enterprises that use credit card transactions must be PCI-compliant to assure their customers that the entity they’re doing business with handles and safeguards cardholder data with utmost priority.
PCI compliance requirements depend on how your business operates, and in this comprehensive guide, we’ll talk about the key points in meeting those requirements for your business.
Understanding PCI compliance can be difficult. That’s why it’s important for businesses to familiarize themselves thoroughly with the PCI DSS and learn how to set up, improve, and maintain their PCI compliance.
What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is a set of information security standards and requirements for companies and merchants that process, store, or transmit cardholder data from the major card schemes.
PCI DSS ensures companies prevent credit card fraud and protect credit card holders from personal data theft.
Businesses adhere to the PCI DSS in order to meet the minimum recommended security requirements for card payments. In turn, that helps them strengthen their card transaction security and avoid potential data infringement and non-compliance penalties.
The PCI DSS was founded in 2006 by the PCI SSC, an independent organization that was created by the five biggest credit card brands and providers: MasterCard, Visa, Discover, American Express, and JCB International.
While the PCI standard requirements are mandated by the card brands, they’re administered by the PCI SSC (PCI Security Standards Council).
PCI DSS Versions
The PCI DSS standard has been evolving over the years, as cyber attackers constantly find new ways to breach the information systems of businesses and steal card information.
The PCI Council releases ongoing revisions to the standard in response to these increasingly sophisticated cyber threats.
PCI DSS v1.0
The first version of the PCI DSS, v1.0, was a combined effort of the five card companies, introduced in December 2004 and revised and implemented in 2006. Until then, the companies had run separate information security programs with similar characteristics and a shared goal of credit card security.
The first version was intended to unify a single layer of protection for card issuers to ensure that businesses meet the recommended level of security for handling cardholder data and sensitive authentication data.
PCI DSS v2.0
The second version, PCI DSS 2.0, was released in 2011 with reinforced scoping before assessment, the implementation of log management, enhanced validation requirements for assessing vulnerabilities, and several minor language adjustments that were intended to clarify the 12 PCI DSS requirements for credit card security.
PCI DSS v3.0
The PCI DSS v3.0 introduced a set of new updates, the most significant of which concerned penetration testing. Merchants became required to use a stricter “industry-accepted pen testing methodology,” and new requirements were added for verifying the methods used to segment the cardholder data environment (CDE) from the rest of the IT infrastructure.
Other key updates in PCI DSS 3.0 include:
- Keeping inventories of hardware and software components in the CDE that are in scope of PCI DSS
- Anti-malware detection and remediation standards
- Access control measures
- Third-party vendor PCI requirements
- Protecting the data-capture technology of payment methods
PCI DSS v3.2
The PCI DSS v3.2 was released in 2016 as a mature standard that would only require minor changes in accordance with new credit card payment methods and the changing cyber threat landscape.
It introduced new and updated clarifications to the 12 requirements in regard to guidelines for vendors, updates for protection against card exploits, and implementing better security controls for new migration deadlines surrounding the removal of SSL/TLS.
PCI DSS v4.0
Although PCI DSS v3.2, released in 2016, remained the newest iteration of the PCI standard for several years, PCI DSS 4.0 was developed, revised with industry input, and finalized in April 2022 with the following changes:
- Updated, clarified, and broadened firewall terminologies regarding NSCs (network security controls) for conducting proper analyses and policies on a per-session basis;
- Mandating the use of MFA (multi-factor authentication) for protected access into the CDE, instead of just requiring a unique ID (username and password) for people with computer access privileges;
- Giving organizations more flexibility in how they demonstrate that their security controls meet the standard’s objectives;
- Enabling companies to conduct targeted risk analysis, which makes it easier for them to decide how regularly they perform tasks. This, in turn, allows companies to align their security posture with their business needs.
Businesses that still use PCI DSS 3.2 shouldn’t panic. The older version will be relevant until March 2024, allowing ample time to adapt to the newest requirements.
The Importance of PCI Compliance
Hackers actively search for security flaws in systems that handle customer information and exploit them to gain access to valuable financial data. Businesses must rapidly identify and remediate cybersecurity vulnerabilities in systems, devices, and networks with access to credit card and customer information to reduce the risk of a costly data breach.
Data can be stolen from many areas, including but not limited to:
- Card readers;
- Payment system databases (point-of-sale systems);
- Wireless networks in retail stores and access routers;
- Physical payment card data and paper-based records;
- Online shopping carts and payment applications.
A 2018 report by Verizon Payment Security states that 52.5% of companies and organizations have 100% PCI compliance, while a mere 39.7% of those companies are from the Americas.
The good news is that PCI compliance in businesses has grown over the years, with Verizon reporting an 11.1% increase in 2012, and a 55.4% increase in 2016. However, in 2018, only 36.7% of organizations completely passed the interim assessment.
PCI compliance only represents a general outline of regulations for credit card payment security, and it’s not a fundamental cybersecurity framework that guarantees complete protection from cyber incidents. PCI compliance can be very complex and dependent on multiple factors like the size of the organization and the service provider plans that are offered.
However, PCI DSS compliance is still important for both small and big businesses. While it may be difficult to implement and maintain for some companies, it has its benefits, namely:
- avoiding the penalties of non-compliance,
- identifying security weaknesses and vulnerabilities regarding credit card information,
- maintaining their reputation and their customers’ trust.
Is PCI Compliance Required by Law?
Unlike binding cybersecurity regulations such as the HIPAA Act for the healthcare sector, PCI compliance is not, in general, required by law.
That said, some US states (Nevada, Minnesota, and Washington) have already incorporated PCI DSS into their laws, mandating that businesses make equivalent provisions for PCI.
While laws that enforce PCI compliance are not widely adopted, it’s deemed a mandatory security standard since it’s highly advised for businesses to adhere to it due to the benefits it brings. With the first iteration of v1.0, PCI DSS compliance became mandatory in December 2004.
Compliance is mandated by the contracts that are signed by the businesses. Non-compliant businesses don’t break the law per se — states where compliance is enforced by law notwithstanding — but they'd likely be in breach of contract, due to which they can face legal action.
The business may be ultimately sanctioned by the card brands and the entity that handles their payment processing. This is what “mandatory” means in this context.
What Are the Penalties for Non-Compliance With PCI?
Technically, a merchant isn’t directly fined for non-compliance, but their payment processors and/or card brands like Visa and MasterCard are if they are found working with a non-compliant merchant. In most cases, the payment processor automatically passes on the fines to the merchant in violation.
The PCI compliance violation fines enforced by payment brands (at their discretion) to an acquiring bank may vary from $5,000 to $100,000 for every month the business hasn’t yet achieved compliance.
Additionally, the business can be charged between $50 and $90 per customer affected by the data breach. For big banks, such fines are manageable, but for small businesses, they could spell bankruptcy.
Small businesses may be obliged to complete a compliance assessment (for a fee), to prove that their card security has since improved.
Major businesses may be obliged to do PCI assessments that are carried out by third-party entities, despite not having suffered a security incident.
Which Businesses Should Comply With PCI?
PCI compliance applies to any organization or merchant (including international merchants/organizations), regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data.
Businesses must comply with PCI standards if:
- They process three or more transactions a month;
- They use third-party payment processing;
- Credit card data passes through their servers, even if they do not store that data.
Even businesses that handle card transactions over the phone must comply with PCI, as they fall under the category of businesses that store, process, or transmit payment cardholder data.
How Can Businesses Become PCI-Compliant?
For businesses, PCI DSS compliance refers to the obligations laid down by PCI requirements. Those are dictated by the PCI Security Standards Council, which provides businesses with the right guidelines and tools for PCI compliance.
The 12 Fundamental Compliance Requirements for PCI
The PCI DSS specifies 12 technical and operational requirements businesses are required to be compliant with. The requirements refer to the 4.0 version, but they also apply to the 3.2 version.
They are broken down into six groups called "control objectives" that require businesses to:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Monitor and test networks regularly;
- Maintain an information security policy.
Additionally, the requirements are separately elaborated into three segments for better clarification:
- Requirement declaration, which is the main description of the requirement.
- Testing processes, which are the proper methodologies that are done by the specified assessor in order to confirm that the requirement is properly followed and implemented.
- Guidance, which further explains the main goal and purpose of the requirement, and gives context that can help assist businesses in properly defining the requirement.
Although each PCI DSS version arranges the six control objectives slightly differently and has different sub-requirements, the twelve requirements have not significantly changed since the standard was implemented:
1. Implement and Maintain Network Security Controls
As the first step of PCI compliance, businesses are required to establish a strong and secure network for improved data protection via the use of firewalls, and to improve their network security controls to prevent unauthorized access.
2. Implement Secure Configuration
Businesses must have a secure configuration for all of their system components.
Third-party products like modems, routers, and POS (point of sale) systems usually ship with weak, predictable default passwords and weak security settings.
Instead of using the vendor’s default passwords and security parameters, businesses need to have uniquely-tailored and customized security measures.
Inventory management and regularly changing passwords are equally important as additional safety measures.
3. Safeguard Stored Account and Cardholder Data
This is the most important requirement of the PCI DSS scope.
PCI DSS Requirement 3 ensures that cardholder data is protected from breaches by requiring businesses to implement two-fold protection of cardholder data and to improve storage methodologies.
For PCI compliance, it is absolutely essential that businesses protect cardholder data like PANs (primary account numbers) in two ways:
- encrypting stored cardholder data with strong algorithms and properly managed encryption keys,
- regularly scanning storage for any cardholder data that has been left unencrypted.
Businesses can render stored PANs unreadable by using truncation and redaction, as well as one-way hashing, so that a PAN cannot be recovered from what is stored.
PCI compliance Requirement #3 also includes data retention and storage policies, requiring businesses to decrease how long and how frequently they store cardholder data.
While all stored cardholder data needs to be encrypted, encryption alone is not enough for compliance with Requirement #3 of PCI DSS. Businesses must also ensure that card verification codes (CVCs; not to be confused with CVSs) and personal identification numbers (PINs) are not retained once authorization is complete.
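As an added example (not from the article or from the PCI SSC), the following Python illustrates the Requirement 3 techniques described above: masking a PAN to the first six and last four digits, which is the most PCI DSS allows to be displayed; a keyed one-way hash instead of a raw SHA-256, since an unkeyed hash of a 16-digit number can be brute-forced; and a scan of log lines for cleartext PANs using a digit pattern plus the Luhn checksum. The log lines, the test PAN, and the per-run key are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample: an application log that should never contain a raw PAN.
# 4111 1111 1111 1111 is a well-known Visa test number (Luhn-valid).
SAMPLE_LOG = """\
2024-01-15T12:34:56Z INFO order=1234567890123456 status=authorized
2024-01-15T12:34:57Z DEBUG card=4111 1111 1111 1111 exp=12/26
2024-01-15T12:34:58Z INFO card=411111******1111 amount=19.99
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def digits_only(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation (the checksum used by payment card PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: PCI DSS allows at most first six + last four digits."""
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) for storage or lookup.

    A plain SHA-256 of a PAN is brute-forceable (about 10^16 candidates, fewer
    once the issuer prefix is known), which is why PCI DSS v4.0 calls for keyed
    hashes. The key must live apart from the hashes (e.g. in an HSM or KMS);
    it is generated per run here only to keep the example self-contained.
    """
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def find_cleartext_pans(text: str) -> list[str]:
    """Scan text for unprotected PANs; hits are returned masked so the
    scanner's own output does not become another cleartext copy."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        d = digits_only(m.group())
        if 13 <= len(d) <= 19 and luhn_valid(d):
            hits.append(mask_pan(d))
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("cleartext PANs found:", find_cleartext_pans(SAMPLE_LOG))
    print("masked:", mask_pan("4111111111111111"))
    print("hashed:", hash_pan("4111 1111 1111 1111", key))
```

The order number on the first log line is a 16-digit run that fails the Luhn check, so it is not reported, while the already-masked PAN on the third line is skipped because the asterisks break the digit pattern.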
4. Have Improved Cryptography During Transmission of Cardholder Data
This requirement obliges businesses to protect card data both at rest (in storage) and in motion (during transmission across open, public networks).
Cardholder data travels through multiple channels, such as payment processors and customers’ homes, and it must be properly encrypted in transit, while account numbers must never be shared.
5. Improve and Maintain Protection Against Malware
There are many malware types and other malicious methods hackers can use to reach protected data.
Businesses are required to be constantly vigilant by improving, updating, and maintaining their antivirus software on all devices that handle PANs.
Many POS providers bundle anti-malware and antivirus software with their terminals and may block direct software installation on them for further protection.
6. Update and Maintain Systems and Apps
Businesses must ensure their firewalls, anti-virus software, and other software are updated at all times. The newest patches protect against recently discovered vulnerabilities, and the newest virus definitions cover recently identified malware.
7. Limit Digital Access to Cardholder Data
Companies need to limit access to cardholder data and have it exclusively on a need-to-know basis. This is one of the most important steps for maintaining strong security for financial data and records.
Entities and personnel without a business need for this information must not have access to it at all. Essentially, if they don’t need access to sensitive data, they mustn’t and shouldn’t have it.
Moreover, instances where employees and entities with authorized access use and access the data should be well monitored and recorded.
8. Limit Physical Access to Cardholder Data
Hackers aren’t the only reason for data theft — it can also get stolen “offline.” Therefore, all types of cardholder data must be properly stored and safeguarded in a protected location. This means both physical and digital data.
To comply with this control, businesses should deploy appropriate security measures, such as CCTV-monitored perimeters and security personnel.
9. Assign a Unique ID for Each Authenticated User
Individuals with access to cardholder data and system components should have individual credentials and an authenticated identification, namely a unique ID.
Authorized users must have their own access IDs. Under no circumstances should a single login be used by different staff members. This allows security systems to properly identify and monitor authorized users, as well as improve protection against unauthorized access.
Additionally, this can help forensics figure out if the user has mishandled or compromised data.
10. Monitor and Report on Access to Network Resources and Cardholder Data
This requirement is frequently overlooked and violated: companies must take seriously the process of logging and monitoring access to network resources and cardholder data.
Businesses must create and maintain logs every time cardholder data is accessed, along with log entries from PAN activity.
For better organization, protection, and overview, all data within a company should be precisely documented — how and why it’s handled, where it’s stored, and where it moves.
11. Conduct Frequent Tests for Security Systems, Processes, Networks, and Devices
Businesses must regularly conduct scans and vulnerability tests for networks, processes, and security systems to prevent malfunctions, data mishandling, workplace errors, and employee misconduct.
12. Create, Implement, and Maintain Information Security Policies
Businesses need to establish, support, disseminate, and review annually an information security policy and the organizational programs that implement it, adjusting them to the changing risk environment.
A comprehensive information security policy should include the following:
- Purpose
- Audience
- Information Security Objectives
- Authority and Access Control Policy
- Data Classification
- Data Support and Operations
- Security Awareness Training
- Responsibilities and Duties of Employees
PCI DSS Compliance Levels (Merchant Levels)
Before they set up their compliance, businesses must first determine their merchant levels.
Credit card companies adhere to their own validation levels of PCI compliance. The levels are based on how many card transactions and payments the business processes annually.
They are divided into four merchant levels:
- Merchant Level 1: Processing over 6 million transactions
- Merchant Level 2: Processing between 1 and 6 million transactions
- Merchant Level 3: Processing between 20,000 and 1 million transactions
- Merchant Level 4: Processing fewer than 20,000 transactions
Businesses must first determine their compliance level before they can identify which of the 12 PCI requirements and which PCI questionnaires apply to them.
Generally, the criteria applied will be based on those set by Visa and Mastercard, the predominant payment card brands.
The current PCI DSS documents can be found on the PCI Security Standards Council website.
More details about PCI compliance and which requirements and questionnaires suit your business can be found on the PCI Council Merchants website, their Getting Started Guide, and their Quick Reference Guide.
PCI DSS Compliance Auditing
Each of the five major credit card members of the PCI SSC has its own data security standards. To achieve PCI DSS compliance, organizations must also complete a CDE (cardholder data environment) audit.
A cardholder data environment is the segment of a business that handles cardholder data. By auditing their CDE, businesses can demonstrate their PCI security standard, as well as their adherence to the 12 compliance requirements.
CDE auditing can be done via:
SAQ (Self-Assessment Questionnaire)
Businesses need to submit an SAQ, or self-assessment questionnaire, to their payment brand or acquirer (merchant bank).
These questionnaires serve as a checklist for PCI compliance, and they help reveal any vulnerabilities and inconsistencies in the organization’s credit card infrastructure, as well as requirements that are not yet met.
They come in nine types, each tailored to a particular payment channel. For example, “Questionnaire type A” is for companies that process transactions solely through third-party entities, while “Questionnaire type B” is for standalone online payment terminals.
Merchants should consult with their bank or payment brand to determine which questionnaire they are obliged, or allowed, to fill out.
Businesses can either conduct and fill out their own Self-Assessment Questionnaire (SAQ) or file it via a certified QSA (Qualified Security Assessor).
Picking a suitable questionnaire for the business depends on the business environment and the merchant’s level.
External Vulnerability Scan
Businesses need to go through an external, non-intrusive vulnerability scan conducted by an ASV (Approved Scanning Vendor) once every 90 days.
Vulnerability scanning is used to review businesses’ networks and web applications. It also checks device and software configurations for vulnerabilities across IP addresses, ports, services, graphical interfaces, and open-source technologies.
RoC (Report on Compliance)
All Level 1 Visa merchants (and some Level 2 merchants) that are undergoing a PCI audit must complete an RoC, or report on compliance, to verify their compliance.
The report can be completed by a QSA (Qualified Security Assessor) or by an ISA (Internal Security Assessor).
After a completed questionnaire, a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and a submitted AOC (Attestation of Compliance) to their acquirer, the merchant finally receives a PCI compliance certificate that can be presented to business partners and customers.
PCI Compliance Scoring and CVSS
Businesses can see how well they meet requirements and maintain PCI compliance according to the evaluations of a Council-certified ASV (Approved Scanning Vendor), a data security service that scans businesses for vulnerabilities on a quarterly schedule.
The scanning is based on a CVSS (Common Vulnerability Scoring System), which is an industry open standard, as the main criterion of evaluation. It’s a computation of base metrics that calculates the network security risk of a vulnerability.
CVSS rates vulnerabilities on a scale of 0 to 10. The higher the score, the more severe the risk. A merchant is considered PCI-compliant if its network security components have vulnerabilities with a CVSS base score that’s lower than 4.0.
By maintaining a good PCI compliance score, businesses can prepare for or satisfy other cybersecurity regulations, cybersecurity strategies, and guidelines.