PCI Compliance Guide

To standardize best security practices and combat credit card fraud, the PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc. The goal of the group, which now includes hundreds of members, was to establish a rigorous set of security practices to protect the entire payment ecosystem from fraud and theft.

That’s no mean feat. There are billions of records breached each year. Many include financial and credit card data, because, of course, that's where the money is.

Protecting against identity theft and credit card fraud involves fortifying every step in the chain of custody of financial and transactional data. That’s why PCI compliance has become so important not only for merchants and financial services companies, but also for any business that might handle or store this type of data.

What Is PCI Compliance?

PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS). As such, PCI compliance is applicable to any company of any size that accepts credit card payments. So any business that takes credit card information, stores it, processes it or transmits it needs to be PCI compliant.

PCI Security Standards comprise mostly technological security practices and solutions intended to protect payment account data throughout the payment lifecycle. The standards include practices for merchants, retailers, service providers and financial services companies as well as requirements for developers and any vendors involved in creating or supporting payment products and solutions. So PCI compliance extends from point-of-sale hardware to online shopping carts, databases, networks and the transmission of any related data.

“The goal, essentially, is to make sure no unauthorized person is able to get that data out,” emphasizes Shane Harris, Mimecast's senior director of product management.

Why Is PCI Compliance Management Important?

Private and personal information breaches can affect not only consumers and major financial services companies, but businesses of any size. Failing to manage PCI compliance can lead to leaks and attacks that result in everything from a loss of business to fines and lawsuits.

Cybersecurity is only as good as the weakest link in the chain, which is why a lack of PCI compliance can hurt a company's reputation and even prevent it from doing business with other companies. Payment processors, for example, may request compliance as part of their required reporting to payment card companies. Potential partners often request confirmation of PCI compliance as a prerequisite to entering into business agreements. And customers of technology platforms that facilitate online transactions may request proof of PCI compliance in order to demonstrate that the platform is handling data in a secure manner.

Moreover, maintaining PCI compliance helps companies prevent other attacks by using best practices for detecting, preventing and remediating data breaches. Adhering to the PCI Data Security Standard also helps companies meet related data security and privacy laws, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Finally, following the PCI Data Security Standard helps protect businesses from attacks that can result in additional legal expenses, settlements, fines, judgments — even the termination of a company's ability to accept payment cards. 

The 12 Requirements of PCI Compliance

Here are the dozen top-level requirements, as laid out by the PCI Security Standards Council,[1] with experts’ additional input: 

1. Firewalls: Install and maintain a firewall configuration to protect cardholder data. Firewalls are the first line of defense against cyberattacks on networks and servers.
2. Passwords: Do not use vendor-supplied defaults for system passwords and other security parameters. Passwords on software, services and devices such as routers should be changed regularly.
3. Data storage: Protect stored cardholder data. All card data should be encrypted, and primary account numbers (PAN) should be scanned regularly to make sure no unencrypted data is exposed. Security codes and PIN numbers should not be stored after authentication.
4. Data transmission: Encrypt transmission of cardholder data across open, public networks. All related communications should be encrypted to prevent criminals from intercepting payment details.
5. Software: Protect all systems against malware and regularly update anti-virus software or programs. The use of current anti-virus software is required for all devices that interact with and/or store PAN.
6. Systems: Develop and maintain secure systems and applications. All software and services, not just cybersecurity software, should be patched and upgraded on a regular basis to eliminate known vulnerabilities.
7. Data access: Restrict access to cardholder data by business need to know. Regularly assess and document any employees and third parties who have access to sensitive data.
8. Systems access: Identify and authenticate access to system components. Unique IDs should be used for each account with access and include password encryption, authentication and log-in time limits.
9. Physical access: Restrict physical access to cardholder data. Any data storage and related network facilities should be secured, including the use of surveillance systems, and any paper records should be kept in a locked location.
10. Monitoring: Track and monitor all access to network resources and cardholder data. Any such access should be recorded with logging systems that track user activity in case of a data breach.
11. Testing: Regularly test security systems and processes. Systems and networks should be routinely scanned for potential vulnerabilities.
12. Policy: Maintain a policy that addresses information security for all personnel. All security practices should be documented, and policies should be established for employee training and threat response.

What Does it Mean to be PCI DSS Compliant?

PCI DSS compliance adheres to the Payment Card Industry Standard (PCI DSS), applicable to any company of any size that accepts credit card payments. Any entity that takes, stores, processes, or transmits credit card information must be PCI DDS compliant.

How Do I Validate my PCI Compliance?

There are two primary ways to validate PCI compliance. You may be required to conduct quarterly vulnerability scans and fill out an annual self-assessment questionnaire to demonstrate that your company is following the PCI guidelines. Or your business may be required to employ a certified quality security assessor to conduct annual audits of your company. Which level of validation is required typically depends on the number of transactions handled on an annual basis by a business, with those under 6 million transactions requiring less scrutiny.

However, acquiring banks (those that process credit and debit card payments) may have additional requirements for merchants or e-commerce sites, since banks and other financial services companies are the ones that stand to lose the most money in the case of fraud. They are also the ones that will be fined by the PCI Security Standards Council (reportedly as much as $10,000 a day) if there's a lack of compliance.[2]

How Do I Maintain my PCI Compliance?

Following PCI validation, companies are required to conduct annual self-assessments and regular reviews to maintain compliance. The PCI council recommends, for example, quarterly vulnerability scans, which include scanning wireless networks for unauthorized devices, testing internal networks for vulnerabilities and checking databases to ensure that all PCI data is encrypted.[3]

Additional reviews of public facing services and apps are also an integral part of PCI compliance practices, including web application penetration testing. Additional reviews of the settings on firewalls, routers and other equipment are required. And employees should undergo security awareness training on an annual basis.

It should also be noted that the PCI Security Standards Council is continually revising and updating security measures to meet new threats. So just as businesses should stay up to date with current software patches, experts say, they should also follow PCI Security Standards Council advisories and changes. 

Penalties for PCI Compliance Violations

When there is a PCI violation, penalties range from changes in agreement terms to severe financial penalties. Some card companies will increase the requirements for compliance, for example, demanding that a company that previously only had to submit to self-assessments now undergo full audits no matter how few transactions are processed annually.

For more serious infractions, a card company may no longer allow a merchant to accept credit card payments. For some businesses, this would in effect shutter the company, a severe penalty indeed.

And while a failure to comply with PCI guidelines doesn't violate any specific law, the acquiring bank may impose fines and penalties on a noncompliant company. While a listing of fine amounts per violation is not publicly available, penalties reportedly range from $5,000 to tens of thousands of dollars per month. These penalties have been imposed to enforce compliance and offset the fraudulent charges that card companies are ultimately responsible for covering.

Best Practices of PCI SSC Data Security Standards

Best practices of PCI SSC Data Security Standards include:

1. Installation and maintenance of a firewall configuration to protect cardholder data.
2. Regularly updating passwords, and avoiding vendor-supplied default passwords.
3. Encryption of all card data, and primary account numbers (PAN) should be scanned regularly to make sure no unencrypted data is exposed. Security codes and PIN numbers should not be stored after authentication.
4. Encrypt transmission of cardholder data across open, public networks. All related communications is encrypted to prevent criminals from intercepting payment details.
5. Protect all systems against malware and regularly update anti-virus software or programs. The use of current anti-virus software is required for all devices that interact with and/or store PAN.
6. Develop and maintain secure systems and applications. All software and services, not just cybersecurity software, is patched and upgraded on a regular basis to eliminate known vulnerabilities.
7. Restrict access to cardholder data by business need to know. Regularly assess and document any employees and third parties who have access to sensitive data.
8. Identify and authenticate access to system components. Unique IDs are used for each account with access and include password encryption, authentication, and log-in time limits.
9. Restrict physical access to cardholder data. Any data storage and related network facilities is secured, including the use of surveillance systems, and any paper records are kept in a locked location.
10. Track and monitor all access to network resources and cardholder data. Any such access is recorded with logging systems that track user activity in case of a data breach.
11. Regularly test security systems and processes. Systems and networks are routinely scanned for potential vulnerabilities.
12. Maintain a policy that addresses information security for all personnel. All security practices are documented, and policies are established for employee training and threat response

The Bottom Line

The PCI Data Security Standard was initially developed to protect the credit card payment ecosystem. As such, it initially only directly affected merchants and financial companies. However as businesses have become more digitally interconnected, PCI compliance has become more relevant to a wider variety of companies. “Because, if your company has any customer data on premises,” underscores Mimecast's Harris, “then security is paramount.”

[1] “PCI Security Standards,” PCI Security Standards Council

[2] “Understanding PCI Compliance Fines: Who Is in Charge of Enforcing PCI?”, Help Net Security

[3] “How to Maintain PCI Compliance Following Your First QSA Assessment,” PCI Compliance Guide