You are Here Because One or More of These Points Apply to You.
- One of your sales deals are blocked, and you want to get things moving
- You want to see through the jargon and wish to know how the PCI DSS compliance journey will look for your business
- You want a clear breakdown of the time and resources you’d have to invest in passing the audit
- You are a fintech player, and you anticipate a future need for Compliance
The PCI DSS audit process is not easy. Following the PCI DSS compliance guidelines are one thing, and becoming audit-ready is another. But worry not. This article helps you understand the process and suggest steps and ways to go about it.
But first, the Myth Busters.
Most common myths about PCI DSS
Myth 1) PCI DSS doesn’t apply to small merchants who process just a few transactions yearly.
In reality: You need to be compliant even if your business processes one credit card transaction. You wouldn’t need an audit, but you still have to comply.
Myth 2) PCI DSS applies to e-commerce companies only.
In reality: Every business that stores, processes, or transmits cardholder information has to be PCI DSS compliant. So even if your business occasionally processes transactions through POS devices, you’d have to be compliant.
3) If I’m 80% compliant, I’m good to go!
In reality: Unlike SOC 2, you cannot choose which TSCs apply to you. With PCI DSS, you must comply with all the six principles and 12 security standards. So, being 80% compliant is not being compliant.
4) I don’t process credit card data. My business only deals with ATM debit card data. I probably don’t need to be compliant
In reality, many debit cards can be used on credit card networks, which puts them under the purview of PCI DSS.
And so on.
These are a few questions your Auditor could ask when you file your PCI DSS Self Assessment Questionnaire (SAQ). But, of course, as a business owner, you might not know these nuances, and that’s where we aim to be of assistance.
With this article, we aim to :
Demystify the PCI DSS compliance process with the least amount of lawyer-speak
– Help you understand if your business needs to get compliant, and
-Help you get started in your compliance journey pci-dss compliance
What is PCI DSS Compliance?
In 2006 major credit card brands (American Express, Discover, JCB, Mastercard and Visa) and financial institutions formed a set of security standards that outlined security measures for protecting customers’ payment card data when transacting with merchants and merchants’ vendors and service providers. This set of security standards was called PCI DSS.
Cybercriminals are constantly trying to steal cardholder data. This sensitive information is an accessible doorway to fraud and identity theft, financial losses, reputation damage and irreparable harm to a brand’s customer relationships when left unguarded. Suppose you are a merchant or a service provider who deals with, stores, or processes payment card information. In that case, you must become PCI DSS compliant to minimize such instances from occurring.
Why do you need PCI-DSS Compliance?
Bad actors illegally access billions of dollars worth of customer information every year. The PCI DSS framework minimizes the risk of this or any other fraud happening to cardholders or merchants processing credit card information.
With PCI DSS, you can encourage better security practices within your supply chain by requiring your suppliers to meet the same standards to keep user data secure. It lays down 12 essential controls applicable to merchants and service providers to remain compliant.
PCI DSS covers a range of areas that must be implemented to protect cardholder data, including access controls and password management, physical security and documented security policies.
What Happens When You Are Not PCI DSS Compliant?
Ignoring your PCI compliance protocols or neglecting PCI DSS requirements can land you on the wrong side of the law.
The cost of non-compliance is steep, with monetary fines ranging from $5000-$100,000 (depending on the nature of non-compliance). In terms of non-monetary aspects, your access to promote card-based technology transactions on your business platforms could be rescinded too.
Here’s a list of the repercussions you could face for being non-compliant:
Both credit card companies and banks charge fines – of $5,000 to $100,000+ per month. And suppose a business gets fined and continues to ignore its PCI compliance requirements, it can even be removed from the credit card processing network. As a result, the organization would no longer be able to process credit card payments for its customers. This could be devastating for businesses that rely on credit cards for their sales.
2) Bad Actor Instance
PCI DSS compliance doesn’t make your business breach-resistant. And when a PCI DSS-compliant business becomes a victim of an incident, the penalty amount is significantly reduced. The reason being the organization, in context, did everything required to protect and secure its systems in ways that the PCI DSS compliance framework dictated.
Besides, a data breach adds to the financial burden of a business as they will need to do the following:
- Hire an investigation team to identify the source of the breach
- Conduct mandatory credit monitoring for customers whose data was compromised
- Deal with lawsuits, if any
- Handle loss of revenue driven by merchants cancelling partnerships (when your business is non-compliant consistently)
The average cost of dealing with each recorded victim is $150. When multiplied by the number of people affected by a breach, this value can get quite expensive.
In case of data breaches, businesses are typically sued by vendors and customers. For example, Target had to pay a fine of $18.5 million when sensitive information related to 40 million accounts was made public following a breach.
4) Impact on the Revenue and Brand
When sensitive information is put at risk, the client’s trust in the organization nosedives, leading to negative word-of-mouth publicity and loss in brand equity. In addition, a bad reputation makes it harder to attract new customers or retain existing customers, directly affecting future profits.
PCI DSS Levels of Compliance
The PCI DSS compliance is a set of requirements that help prevent payment data breaches and payment card fraud.
These requirements, however, don’t apply to all eligible organizations. Instead, they are applicable based on the four compliance levels determined by the volume of transactions organizations handle yearly.
Even if you are a PCI Level 4 organization (you process less than 20,000 transactions a year), the cost of non-compliance isn’t less; it is directly proportional to your effort to become compliant.
Level 4 businesses are often considered easy targets and most susceptible to a data breach scenario.
Six PCI DSS Compliance Goals
PCI DSS lays down 12 security standards applicable to merchants and service providers to remain compliant. These standards broadly cover six bucketed goals that your business would require to comply with to get the certification.
1) Build and Maintain a secure network
2) Protect Cardholder Data
3) Maintain a Vulnerability Management System
4) Implement strong Access Control measures
5) Regularly monitor and test networks
6) Maintain an information security policy
Understanding the 12 Security Standards PCI DSS Compliance Goals
As a business, you are expected to comply with all the 12 standards discussed in the section below that work towards contributing to one or more of the above-mentioned goals.
1) Maintain a Strong Firewall Configuration
A strong firewall configuration must be put in place to protect your customer information, such as payment card/transaction-related information. The security controls for this requirement are designed to monitor and secure ongoing and incoming data transmission.
What to do: Having your production environments protected is essential.
What not to do: Deploying a heavy application for users like your creative designers with no access to production environments or critical business information.
2) Do not Use Default Settings for your Password Management Tools
Default settings are generic and easy to guess. These settings are commonly found in most servers, internet routers, firewalls, wireless printers, mail suites, etc. In addition to listing all endpoints and cloud assets that could be manipulated, this security requirement also mandates you to manually apply an algorithm-generated ‘strong’ password and change it periodically.
3) Protect the Data
You must encrypt user data using advanced hashing algorithms, tokenization methods, or other encryption methods that meet global standards. To do this well, vendors need visibility into all resources that currently store user information, including data types such as shared spreadsheets, logs, and unused databases, all of which can become vulnerabilities.
4) Encrypt Transmission
Bad actors are always looking for the weakest links to access critical information; processing card transactions over public networks is one such weak link. You should know how and where card data is sent or received as a business owner. Using secure transmission protocols like SSH and TLS can minimize the chances of a wrong actor instance during data transfer.
5) Protect your Antivirus Software
All devices with antivirus software installed must be regularly updated to ensure protection against malware. However, there are instances where the attack is first targeted toward the antivirus program itself. Constantly updating your antivirus program on mobile devices, laptops, desktops, and other endpoints helps you detect malware and take necessary actions to remain secure.
6) Maintaining Security
The PCI DSS requirements emphasize a security protocol that constantly scans for vulnerabilities and deploys patches. In addition, the cloud environment, including operating systems, POS endpoints, software, hardware (routers, switches), and firewalls, should be constantly monitored and updated.
7) Role-based Access Control
payment card information should be accessible only on a need-to-know basis to prevent data exposure within the business. You need to document all the users with access to such critical data. This list should call out their designations, duties, and access to this information helps them perform their jobs.
You must provide each user with a unique ID before allowing them access to system components and/or cardholder data. Unique user IDs ensure that when someone accesses cardholder data, that activity is traced to a known user, and accountability is maintained.
9) Limiting Access to Physical Data
Have security measures that limit physical access to sensitive data related to payment cards.
Installing surveillance tech, handling physical entry and exit points, and maintaining access logs of surveillance information is essential to remaining compliant. The most common protection measure is encryption? Others include user access control, using different electronic/magnetic storage media states, and surveillance technology.
10) Continuous anomaly monitoring
On a day-to-day basis, look for anomalies that could penetrate your security measures. Then, run audits and maintain an audit trail of all the security reports for at least 365 days. Working with security specialists such as SIEM, CSPM, and CASB vendors can help you get this done effectively.
11) Run Periodic Tests
New vulnerabilities are created daily, making it easy for bad actors to penetrate your defences. To ensure that your security posture is maintained, you must run the following tests.
- Wireless Site Survey – Driven by an increase in the use of mobile devices and the associated risks, your IT team should perform quarterly surveys to identify unauthorized access points.
- Regular scans – All IPS exposed in the CDE should be scanned every quarter. You can source these tools from a PCI DSS-approved vendor.
- Vulnerability scans – Run quarterly scans to look for vulnerabilities within your internal systems.
- Application and Network penetration testing- You must conduct these tests annually.
12) Infosec protocols for employees
It would help if you practiced rolling out [updated] employee handbooks to keep them informed of the happenings in the information security space regardless of their job profile. This helps them know what is expected of them to maintain a strong security posture outside the IT purview.
Every employee must undergo training for:
- Identifying vulnerabilities in systems, risks thereof and their impact on the business
- Training toward user awareness
- Incident response and damage mitigation
According to this security rule, all the employees of your organization are expected to undergo background checks.
PCI DSS Compliance Requirements
Step 1: Define the scope of Compliance for your business
The scope of PCI DSS certification is defined by the volume of transactions your organization processes annually.
- PCI Level 1: Businesses processing over 6 million transactions per year
- PCI Level 2: Businesses processing 1 million to 6 million transactions per year
- PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
- PCI Level 4: Businesses processing less than 20,000 transactions per year
Step 2: Internal Risk Assessment
Risk assessment helps designers, owners and operators of information systems identify, prioritize and manage threats to the confidentiality, integrity, availability and authenticity of cardholder data. Organizations can use risk analysis to identify risks related to information system values and decide how they will be controlled and managed.
As a result of this analysis, primary and permanent (inherent) risks are evaluated, and prolonged or residual risks (configuration and change controls or not using processes, etc.) are examined. In addition, the risk assessment should address the information system values classification’s appropriateness and whether appropriate rules are applied.
Your risk management strategy should look into these aspects:
- Have a plan to evaluate how the security controls are tested and periodically assessed for efficiency and effectiveness
- Have measures in place to address high-risk areas
- Implement continuous penetration tests to look out for new vulnerabilities
- Draw a line between production and non-production systems
- Make an inventory of the critical systems and internal controls
- Identify business risks, assign a likelihood and impact to each of them
- Deploy policies and procedures to mitigate them
What not to do:
- Run security risk sweeps only when you are asked to produce a risk assessment report
- Keeping the risk assessment inhouse and not including external experts for an unbiased outcome
- Work in silos without communication among your teams
Step 3: Gap Analysis & Remediation
PCI DSS Gap Analysis is an initial step in the compliance program. It helps organizations streamline their journey to achieve PCI Compliance. This assessment will help them determine where they are currently standing, giving them direction toward achieving Compliance.
This assessment helps you understand your compliance status and prepares you for the on-site assessments required to achieve Compliance.
A gap analysis exercise aims to identify deficient controls that could lead to a failed audit report.
The next step after identification is to remediate said controls or deploy new ones to ensure the PCI DSS compliance requirements are met.
Usually, a PCI gap analysis is performed by an assessor who maps the critical information processes and technical infrastructure to determine the PCI controls required to be implemented. And this process usually takes between 5-7 days to complete.
Sprinto, at its core, is designed to seek gaps in the compliance framework and enable you to work towards closing any future gaps.
Step 4: Policies and Procedure Mapping
The 12 security standards mentioned above must be mapped to the six goals PCI DSS compliance aims to achieve. This mapping should be executed as controls to aspects wherever applicable.
There will be instances where one control maps multiple goals and security standards in one go. There will also be times when you’d have to map more than one control to execute a fool-proof security condition for a single security standard or goal.
Going through this task for the 12 security standards and its 251 sub-sections can be daunting. But that’s where automation saves the day. Having a singular view of the mapping & evidence for policies and security measures ensures that you do not miss out on submitting essential critical evidence to the Auditor during an audit.
This exercise also helps you identify things that do not apply to your business. Not including such elements in your audit report ensures a bloat-free audit preparation period and a lean-mean audit SAQ for the Auditor to review.
- Map internal controls to PCI DSS goals and security standards
- Identify and eliminate out-of-scope systems (with a justification for each)
- Map controls to protect points where card data enters, gets stored, and exits the organization
Step 5: Continuous Monitoring
Continuous monitoring and assessing the compliance posture is imperative in your compliance journey. Being compliant is not a one-time task. To remain compliant over a period of time, you must constantly monitor the controls you have in place to ensure data security while continuously assessing ways to implement new effective models while reducing costs.
Most monitoring and assessment models can be automated. Automating this function empowers your business to move away from the cyclic/periodic monitoring model to a more hands-on version triggered with every new instance.
Protecting secure passwords is one of the critical security requirements of PCI DSS. In this, a good trigger automatically runs the control every time a new user is added. A check could also be triggered in the subsequent follow-up instance to see if the password requirements are met.
What usually gets overlooked in continuous monitoring are aspects where automation can only be enabled to a certain extent.
Another example, if an employee exits your organization, automatically removing their access to your entire business environment is impossible. However, a good control could be instilled that reminded/alerted the good folks in the People/HR team about this and helped them prioritize managing access controls.
At Sprinto, we understand that your business solutions and their needs are dynamic. Every day cloud-hosted companies harness the power of multiple cloud service providers across various platforms. Unfortunately, manually maintaining track of all those assets is nearly impossible, and being compliant is a more demanding job.
We automate the monitoring and assessment process to ensure that you have the visibility you need to remain compliant throughout the year and fix patches that need fixing when patches show up. We believe a good mix of automation and human involvement is the best way to make the compliance process seamless.
Step 6: Fill out the Self-assessment Questionnaire (SAQ)
Filling the Self Assessment Questionnaire is no simple task either. Compliance frameworks, at their core, are subject to interpretation. Your interpretation as a business owner and an auditor of the same point in the questionnaire could be different.
The next step for Level 2, 3, and 4 businesses is filling out the Self Assessment Questionnaire (SAQ) and submitting a report on Attestation of Compliance (AOC).
Level 1 businesses must fill the SAQ, an AOC, and get a Security Assessor’s Report on Compliance (ROC). This assessor should be from the list that the PCI recommends.
With our 16 White glove onboarding sessions, we help you map your controls required for a security posture and help you answer your SAQs.
How Sprinto helps you achieve PCI DSS Compliance Certification
We conducted extensive research with an active accredited auditor network to understand how they evaluated audit reports of different organizations across industries.
This made us approach Compliance so differently that it catapulted us light years ahead of our competition.
We worked our way backwards. We started with the Auditor.
The answers to these questions helped us define how we would improve our clients’ compliance journeys.
- How does the Auditor read an audit report?
- What does a good audit report look like according to an auditor(s)?
- What are the questions they commonly ask businesses when the evidence submitted seems insufficient?
- What are the most common things businesses miss in their audit reports?
- Are there instances where businesses submitted the report having misinterpreted a specific compliance requirement? If yes, how did it affect their audit score?
- Did their audit report contain information on sections that did not apply to them?
- Who does PCI DSS Apply to?
And so on.
We realized that the best way to submit an audit report is by presenting it the way the Auditor wished to see it.
With this critical piece of intel, we built the ‘Sprinto Auditor Dashboard‘. This Dashboard gives the Auditor a single view of an audit report with precise segmentation for controls set in place, evidence to prove that the controls laid in were working effectively, documentation for people processes, and so on.
With this, we significantly reduced compliance audit times by making it easier for an auditor to complete an audit.
This revelation made it clear that the one-size-fits-all template used across the industry was more a bane than a boon.
The templated approach had to go.
Here’s what we did instead:
Step 1: Bespoke solutions were designed for every business – this way, the client’s time & resources are spent only on things that apply to them
Step 2: Define the scope of work applicable to their business and map security parameters in the form of controls
Step 3: Deploy checks to ensure that the controls are working efficiently.
Step 4: Catalogue the new evidence in a format the auditor network prefers
Step 5: Submit this evidence to the Auditor
Step 6: Walk away from an explosion like Tony stark.
How we simplify the PCI Compliance DSS journey for your business
Sprinto is purpose-built to offer a ‘unique-to-you’ compliance solution. At its core, Sprinto is powered by a proprietary automation engine that automates most of the legwork that goes into getting your business compliance validated
Step 1: Entity-level Mapping for a More Robust Security Posture
Any compliance aims to strengthen the security posture of an organization. The templated approach is rigid and approaches Compliance from a ‘checking a box’ perspective. Sprinto understands that securing individual entities checks multiple boxes and is time and cost-efficient.
Mapping controls to compliance requirements also ensure that as you grow your business, your future compliance requirements are addressed seamlessly with Sprinto.
To simplify this:
The 12 PCI DSS requirements are mapped to 6 key goals of PCI DSS compliance and broken down into entities. Each entity is then individually addressed to ensure that your business has all the controls and checks to ensure a seamless audit.
Step 2: Implementing Edge Cases
Edge cases are not uncommon. An edge case could lead to an exception of Compliance in your report, and a templated approach towards Compliance does not account for these occurrences.
An edge-case could be as simple as one of your employees being away from work for maternity/paternity leave and hence not being able to encrypt their laptops or update their operating systems. You could encounter 100 more edge cases like these in your compliance journey.
In the templated approach towards Compliance, because the employee mentioned above could not complete their device encryption, this case would be marked as an exception in your report.
With Sprinto, you can mark these instances as edge cases with supporting evidence when submitting your audit report. In addition, the custom auditor dashboard we’ve built enables Auditors to review these edge-cases and consider why something was not done.
Step 3: Cataloging Evidence Automatically
Sprinto is built to automatically collect and catalogue the evidence required for a compliance audit. This saves our users (founders, CTOs, VP engineering, VP-Product) hundreds of hours in taking screenshots, documentation, assortment, creating and sharing 100s of drives in the pre and post-audit process.
We want clients to be able to focus on developing their next world-changing idea and not hustle through the intricacies and nuances of the compliance process.
Step 4: Submitting an Audit Report or SAQ
The scope of becoming PCI DSS certified will be defined by the volume of transactions your organization processes annually.
At Sprinto, we understand that you’d need the most hand-holding in the initial phase of your compliance journey. We’re here with global, 18-hour customer support coverage when you need us.