What Is PCI DSS? Your Guide to Credit Card Compliance

Your customers shop via mobile devices, desktops, wireless hotspots, applications and other channels that put their data at risk. To help secure your payment systems and protect user data, credit companies require you to follow strict compliance guidelines. PCI DSS is the global standard for credit card compliance, and PCI DSS 3.2 outlines the most recent set of requirements.

What Is PCI DSS?

As a merchant, customers should feel safe purchasing in your store, on your website or via your mobile application. But with new savvy cyber security threats on the rise, safeguarding every data entry point is no easy feat.

The Payment Card Industry Digital Security Standards (PCI DSS) is the global data security standard for merchants and service providers that process, store or transmit cardholder data.

If your business accepts or processes American Express, Discover, JCB, Mastercard or Visa payment cards, PCC DSS applies to you. The PCI Security Standards Council, founded by a handful of major payment card brands, administers PCI DSS and related security standards. By outlining and enforcing security best practices, PCI DSS helps protect merchant and customer data. Here are the foundational goals of PCI DSS compliance:

  • Remove sensitive authentication data and limit data retention.
  • Protect systems and networks, and be prepared to respond to a system breach.
  • Secure payment card applications.
  • Monitor and control access to your systems.
  • Protect stored cardholder data.
  • Finalize remaining compliance efforts, and ensure all controls are in place.

PCI Compliance Levels

Your PCI DSS requirements depend on how many payments your business processes yearly. Businesses fall into one of four categories:

PCI Compliance Level 1

Level 1 is the strictest compliance tier, applying to companies that process over 6 million Visa and/or Mastercard transactions each year. If you fall within this range, you must have yearly on-site audits and a network scan by an approved scanning vendor.

PCI Compliance Level 2

Companies that process 1 million to 6 million Visa and/or Mastercard transactions each year qualify as PCI Compliance Level 2.

PCI Compliance Level 3

This includes companies that process 20,000 to 1 million Visa and/or Mastercard ecommerce transactions each year.

PCI Compliance Level 4

Level 4 covers companies that process fewer than 20,000 Visa and/or Mastercard ecommerce transactions each year. This also applies to all companies that process up to 1 million Visa transactions each year.

If your company falls into PCI compliance Levels 2, 3 or 4, you must complete an annual PCI DSS Self-Assessment Questionnaire and undergo quarterly network security scans with an approved scanning vendor. 

Important Requirements for Credit Card Compliance

PCI DSS 3.2 is the latest set of compliance standards, updated in 2017. Here’s an overview of the requirements for credit card compliance:

1. Build and Maintain a Secure Network and Systems

Maintaining secure systems has evolved to include more requirements for merchants and service providers, including:

  • Firewalls to protect cardholder data
  • Strong password measures
  • Regularly purging unnecessary data (including data on the magnetic strip or chip) unless it’s required for business, legal or regulatory reasons
  • Masking permanent account numbers when displayed
  • Encrypting cardholder data across public networks
  • Documenting and implementing procedures to protect encryption keys for cardholder data from misuse
  • Rendering all sensitive authentication data unrecoverable after authorization unless it’s justified

2. Maintain a Vulnerability Management Program

Vulnerabilities in your network or systems allow criminals to access PAN and other valuable cardholder data. Often, you can counteract these threats by installing vendor-provided security patches within a month of release to perform a quick-repair job for specific programming code. Beyond security patches, PCI DSS 3.2 also requires you to:

  • Protect all systems against malware
  • Regularly update antivirus software or programs on personal computers and servers — including security procedures, system design, implementation or internal controls
  • Keep all anti-virus mechanisms up-to-date
  • Verify that users cannot disable or alter anti-virus
  • Perform periodic scans and generate audit logs
  • Use reputable outside sources to identify and rank security vulnerabilities
  • Perform annual application vulnerability assessments or install automated software that detects and prevents web-based attacks

3. Implement Strong Access Control Measures

To bridge potential security gaps, you need to control access at every data entry point. To remain PCI-compliant, you must put systems and processes in place to limit access based on job responsibility. To further control access, you also need to:

  • Assign unique identifications to trace authorized users
  • Use strong cryptography and authentication methods
  • Render all passwords and phrases unreadable during transmission and storage.
  • Use multi-factor authentication to secure individual and remote access to the cardholder data environment
  • Restrict database and physical access to cardholder information through entry controls such as ID badges to easily distinguish between onsite personnel and visitors
  • Require visitor logs to maintain a paper trail of visitor information and activity.
  • Physically secure all media both internally and externally and store media backups in a secure off-site location
  • Destroy media when it’s no longer needed for business or legal reasons

4. Regularly Monitor and Test Networks

Without regular monitoring and testing, digital security measures will be little to no help. You need to know whether they actually work. Otherwise, you could allow suspicious activity or security vulnerabilities to slip through the cracks. To secure your network and systems, PCI DSS 3.2 requires you to:

  • Regularly test system components, processes and custom software
  • Generate audit trails of suspicious activity
  • Review logs and security events to spot anomalies or suspicious activity daily
  • Run quarterly internal and external network vulnerability scans
  • Test for the presence of wireless access points every quarter, maintain an inventory of authorized and unauthorized wireless access points and develop incident response procedures
  • Do annual penetration testing for both application and network layer threats from both an internal and external perspective and after network updates
  • Address vulnerabilities exposed during penetration testing and retest them to ensure they’re resolved
  • Detect and prevent network intrusions using intrusion prevention techniques
  • Monitor traffic at the perimeter and inside the cardholder data environment, and alert personnel to suspected compromises

5. Maintain an Information Security Policy

Beyond taking the steps to protect your network and applications, you also need to document an information security policy so all employees understand how to safeguard customer information. In PCI DSS 3.2, this includes:

  • Establish, publish, maintain and disseminate a security policy that your organization reviews yearly
  • Perform an annual risk assessment process that identifies critical assets, threats and vulnerabilities.
  • Implement usage policies
  • Clearly define security responsibilities
  • Screen potential personnel
  • Implement an incident response plan to respond immediately to a system breach and review it quarterly
  • Outline procedures for service providers that handle cardholder data

Becoming PCI compliant is not a one-time project. It’s an ongoing investment in digital security and customer trust.

To make sure you’ve ticked every box, you need to work with a trusted digital security expert who has successfully helped other merchants remain PCI compliant.

Need immediate help with credit card compliance? As experts in cyber security and compliance, Agile IT understands the steps involved in becoming PCI compliant. Schedule a call with a security expert today to discuss your needs.

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.