Global digital card payments grew by an annual rate of 20 percent in 2020 compared to 2019, and this trend is witnessing a non-linear upward growth. In 2020, 900+ million online transactions were processed, which rose to 2.14 billion in 2021.
This upward spike in card transactions also means bad actors and hackers now have a broader pool to target and extract sensitive information maliciously.
As an organization processing card data via online portals or POS (Point of Sale) devices, you should be PCI DSS (Payment Card Industry Data Security Standards) compliant to avoid administrative penalties and reputational damage to the brand. But, becoming PCI DSS compliant is easier said than done. The PCI DSS process is exhaustive, time-consuming, and expensive.
With this article, we aim to simplify the complicated process by demystifying the PCI compliance framework and helping you identify the different levels of compliance, while we briefly explain the 12 PCI DSS requirements and the steps to become PCI DSS compliant.
We’ve also included a PCI DSS compliance checklist for you at the end of the article. This checklist is exhaustive with 45 checkboxes. Working with the checklist should help gain momentum in your PCI compliance journey.
What is PCI DSS Compliance?
In 2004, the founding members of PCI DSS, i.e. VISA, MasterCard, JCB International, and Discover Financial Services, came together and drafted a regulatory framework to protect user credit card data from fraudulent activities.
The PCI DSS compliance framework was created so that organizations processing electronic transactions put in place the processes and policies required to maintain a strong security posture and protect cardholder data. The latest revision, PCI DSS version 4, launched in March 2022. It reformed a few existing security rules to make the framework more flexible and easier to use, among other changes, and can be implemented with the help of the PCI DSS compliance checklist.
We’ve included a more detailed explanation on the PCI DSS Version 4 further along this article.
Specific policies and security controls must be implemented to protect organizations and the payment card data they process from security incidents. These policies and controls vary based on the volume of transactions organizations process annually.
Organizations processing cardholder data become PCI DSS non-compliant when controls and measures to enable data security are not in place.
The cost of non-compliance is high, and even one non-compliance incident could potentially hamper the business processes of small and medium-scale businesses.
Level 1: Processes over 6 million transactions annually, and any organization that VISA determines as Level 1 should implement Level 1 grade controls.
Level 2: Processes 1 million to 6 million annual transactions. Level 2 grade controls and policy implementation is required.
Level 3: Processes 20,000 to 1 million e-commerce transactions in a year. Level 3 grade controls and policy implementation is required.
Level 4: Processes up to 20,000 e-commerce transactions a year and organizations that process up to 1 million total transactions a year. Implementation of Level 4 grade controls and policies is required.
12 PCI DSS Requirements
Based on your organization’s PCI DSS requirements, the complexity involved in managing your PCI DSS compliance journey will vary.
For organizations to be PCI DSS compliant, they must implement controls, security policies, and administrative processes designed to protect card data from unauthorized access. The PCI DSS framework requires organizations to comply with the 12 requirements detailed in the framework.
Requirement 1: Install and Maintain a Firewall
For an organization to remain PCI DSS compliant, all their security systems must be protected from unauthorized traffic from unknown sources. A firewall ensures unregulated inbound or outbound traffic isn’t allowed access to your internal secure systems.
A good firewall must:
- Filter and allow access only to authorized traffic to the business environment
- Automatically decline all unauthorized traffic access
- Protect all your POS devices connected to wireless networks
- Authorize all outbound traffic from your business’ card storage environments
- Automatically log all the changes implemented, even in instances where changes were implemented by authorized entities in the business environments, with reasons justifying why said change was necessary.
Requirement 2: Don’t Use Default Passwords
Do not rely on vendor-generated default usernames and passwords for software, firewalls, routers, POS devices, and more. Therefore, the second requirement of PCI DSS is to change default settings and use passwords with solid scores.
Requirement 3: Protect Cardholder Data
All cardholder information that enters your business environment must be protected. To provide holistic protection, organizations must know how the cardholder data flows through their internal systems: the places it gets stored in, the teams that have access to it, how it leaves your business environment (if applicable), and how to safely dispose of sensitive data. This requirement also mandates that organizations mask the PAN (Personal Account Number). Masking only makes the last few digits of the card visible.
Requirement 4: Encrypt Transmission
Unlike the earlier requirement, this requirement focuses on protecting card data by deploying encryption methods to protect it from malicious attacks when transmitted via open, closed, private, and public wireless channels. Often organizations overlook the protection of cardholder data when transmitting them via the internet. Instances of unauthorized access to sensitive data during transmission have been reported in the past.
Requirement 5: Protect Against Malware
Installing basic antivirus software to prevent malware will not do the job—requirement five details how organizations should constantly update their antivirus software and apply regular patches. Advanced antivirus solutions must be installed across servers, firewalls, laptops, desktops, and mobile devices with access to business environments. This software should always be active and continuously scan logs.
Requirement 6: Develop and Maintain Secure Systems and Applications
To develop and deploy security systems, knowing which part of your business environment is the least secure is essential. Organizations can reach this conclusion only after conducting an internal risk assessment. A risk assessment gives you complete visibility into your existing security systems and identifies areas that require patching. Deploying new security measures in such areas ensures a strong security posture. This requirement also recommends organizations to continuously apply patches and remediation measures across their business environments including servers, POS devices, POS operating systems, laptop and desktop operating systems, and firewalls.
Requirement 7: Restrict Access to Cardholder Data
Requirement seven discusses how organizations should control and limit access to sensitive user information. In addition, measures to manage access controls for employees should be implemented. For example, access may be granted on the basis of seniority, a justified need to access secure data or job-role-based classifications. This requirement also asks organizations to document their access control procedures.
Requirement 8: Assign Unique IDs
This requirement of PCI DSS requires organizations to assign unique user IDs to employees. This prevents the occurrence of a security breach and doubles up as an efficient tracking mechanism to isolate the source of an internal breach.
Requirement 9: Restrict Physical Access to Cardholder Data
This requirement focuses on the physical aspects of cardholder data security. Physical assets with access to sensitive data like desktops, paper files, and servers come into the scope of this requirement. Access to physical data should be restricted, and measures to limit unauthorized physical access to such assets should be implemented by using RFIDs (Radio Frequency Identification). Organizations should also install electronic surveillance systems and store surveillance recordings for a 90-day minimum period.
Requirement 10: Monitor Access to Network Resources and Cardholder Data
Bad actors attack physical and wireless networks to gain unauthorized access. Hence, it is crucial to implement security measures for all network resources and constantly log and audit network logs. PCI DSS also requires organizations to send the network activity logs to a centralized server for daily review.
According to this PCI compliance requirement, every organization is required to hold time-synchronized audit trail records of their network activities dating back to one year.
Requirement 11: Regularly Test Security Systems and Processes
Malicious attackers constantly look for vulnerabilities in an organization’s security systems to penetrate their defenses and gain access to sensitive information.
Organizations must conduct periodic tests on their wireless scanners, say every quarter, to identify access points that could be used to gain unauthorized access.
They should also have their external-facing domains and IPs scanned by a PCI DSS Approved Scanning Vendor (ASV).
Organizations should conduct vulnerability management scans every quarter and undergo penetration tests annually to find the weaknesses in their security net and deploy patches.
Requirement 12: Create and Maintain an Information Security Policy
Organizations should have an internal infosec policy that covers employees, the leadership team, and vendors, if any.
The infosec policy should be classified into two sections: internal and third-party. The internal infosec policy should be read and acknowledged by every employee in your organization.
An essential part of the infosec policy is to conduct internal background checks on every employee in your organization. This ensures that the wrong hands don’t gain access to sensitive card data.
The Future of PCI Compliance
PCI DSS version 4.0 (V4) launched in March 2022, replacing its predecessor, version 3.2, as the most up-to-date PCI DSS compliance framework.
Organizations currently compliant with version 3.2 have till March 2024 to become compliant with Version 4 of PCI DSS.
Objectives of PCI DSS V4:
V4 aims to promote security as a continuous process.
- Every requirement now has assigned roles and responsibilities
- Guidance information will now be available to understand, implement, and maintain security
- The report section is now updated with areas to highlight improvements, offering greater transparency than its predecessor. That’s a win for report viewers.
Security methods to protect user card data must evolve with the changing security landscape. Here are a few new updates that the V4 brings:
- The MFA (Multi-Factor Authentication) requirement is tighter
- The requirement that details password policy is now updated
- New standards to deal with e-commerce and phishing have been introduced
Increased flexibility allows organizations to reach their security goals in innovative ways.
- Group, shared, and public accounts are now permissioned
- Risk analysis is now targeted. This allows organizations to set their desired frequency for risk analysis
- Customization is now included in deciding how organizations reach their goals for security and compliance.
Better and improved verification methods will be introduced.
The Sprinto Way of Becoming PCI DSS Compliant
Becoming PCI DSS compliant can be exhaustive and time consuming. Implementing the hundreds of PCI DSS controls, monitoring its many checks and alerts, and keeping a continuous tab on your security posture as you grow can get daunting. Sprinto automates repeatable tasks and gives you a dashboard overview of your compliance. It also offers a unique continuous monitoring feature that gives you an entity-level compliance health check of your organization.
Talk to us to learn how Sprinto is tailored for your compliance needs, no matter your PCI DSS level.
How do you comply with PCI DSS?
Complying with PCI DSS can be daunting, especially if you do it for the first time without seeking help. Using the PCI compliance checklist from the article can help you make significant strides in the right direction if you are planning to take the DIY route. Alternatively, you can consult with a compliance expert or onboard a GRC service provider.
Most organizations seek assistance from compliance automation software like Sprinto to smooth and shorten their compliance journey.
What are the four things PCI DSS covers?
PCI DSS covers these four things:
- To protect cardholder data stored in your business environment.
- To use Antivirus solutions and regularly update them to enable maximum security.
- To ensure that access to cardholder data is regulated by access control systems, i.e. on a need-to-know basis.
- To monitor networks and servers storing cardholder data constantly, saving their logs in a centralized server every 24 hours with time stamps.
What are the four PCI Levels?
Based on the annual number of transactions, organizations are classified into 4 levels. These are called PCI Compliance levels.
Level 1: Over 6 million transactions annually
Level 2: 1 million to 6 million annual transactions
Level 3: 20,000 to 1 million e-commerce transactions in a year
Level 4: 1 million to 6 million annual transactions