To Whom Does PCI DSS Apply

To Whom Does PCI DSS Apply

Key Points

  • PCI DSS is a global cybersecurity standard that applies to any cloud-hosted company that stores, transmits, accepts, or processes cardholder data and sensitive authentication data. Depending on the annual Visa transaction volumes, companies are assigned different PCI compliance levels (Levels 1-4).
  • PCI DSS protects two types of data: cardholder data that includes the cardholder’s name, primary account number, service code, and card expiration date, and sensitive authentication data that includes card validation codes (CVV, CVC2, CAV2, CID), tracking data from the magnetic stripe or card chip, and PIN and PIN blocks.
  • PCI DSS was implemented by the PCI Security Standards Council founded by five major card payment companies (MasterCard, Visa, American Express, Discover, and JCB) to prevent cybercriminals from accessing personal consumer financial data throughout the card-processing ecosystem. Although not legally binding, it is adopted by financial entities worldwide as a security standard to prevent financial fraud.

Introduction 

The Payment Card Industry Data Security Standard (PCI DSS) was created by the PCI Security Standards Council (PCI SSC) to protect sensitive transaction data and keep it secure from cybersecurity threats. 

The PCI SSC is an independent organization founded in 2006 by major payment card companies like American Express, MasterCard, Visa, JCB International, and Discover Financial Services. Its primary job is to supervise the establishment and evolution of the PCI DSS. 

The PCI DSS is a set of security standards meant to protect payment systems from financial fraud, data breaches, and theft of cardholder data (CHD). The primary players in the payment card industry needed a way to align and standardize their security requirements, hence the birth of PCI DSS.

The latest version 4.0 was rolled out on March 31st, 2022, which has made automated mechanisms to prevent phishing compulsory. The previous PCI DSS version 3.2.1 will cease to be active on March 31st, 2024—which means you have two years to comply with the latest requirements. 

To whom does PCI DSS apply? Let’s explore the security standard in detail in this article. 

Who Does the PCI DSS Apply To

Who does PCI-DSS apply to?

Any cloud-hosted company that processes, accepts, transmits, or stores payment card information must adhere to the PCI DSS irrespective of its size or transaction volume. 

PCI DSS also applies to merchants, issuers, acquirers, and processors—basically any entity involved in card payment processing. This means that if you accept debit cards, prepaid cards, or credit cards online, over the phone, or in-person to receive payment, then PCI DSS applies to you—whether you store card data or not.

Companies that collect sensitive authentication data like card verification values and complete track data also fall under its ambit.

Should you, as a cloud-hosted company, outsource payment processing to third-party vendors to reduce risk exposure, you still have to make sure that the credit card payments are secure and your vendors are complying with PCI DSS requirements. 

who does pci-dss apply to

What type of data does PCI DSS protect?

PCI DSS protects two types of data:

  • Cardholder data – includes the full Primary Account Number (PAN) along with expiration date, cardholder’s name, and service code.

PCI DSS version 3.2 allows cardholder data to be stored and doesn’t mandate that it be made unreadable. But it requires you to minimize storage and implement clear disposal and data retention policies. 

  • Sensitive authentication data – includes PIN and PIN blocks, card validation codes (CVC2, CVV, CAV2, CID), and tracking data from a card chip or magnetic stripe.

PCI DSS version 3.2 mandates that sensitive authentication data should not be stored, even if it is encrypted. Once authorization is done, all such data should be unrecoverable.

You may store PAN data but it must be unreadable in every storage location such as logs, backup files, and portable digital media. According to PCI SS, you can use one-way hashes, truncation, index tokens and pads, and key-based encryption to make sensitive authentication data unreadable.

Since a hashed and truncated version of the same PAN can be used to reconstruct the data, if your cloud-hosted company uses both, you must implement additional security measures to prevent hackers from retracing the PAN data.

What is the purpose of PCI-DSS?

Merchants, or entities that accept payment cards with the logo of the five members of the PCI SSC (MasterCard, Visa, American Express, JCB, and Discover), are low-hanging fruit for perpetrators of financial fraud. 

Each time a merchant processes, accepts, or transmits payment data, it exposes itself to a potential data breach. Often, such merchants have poor security systems that enable cybercriminals to easily steal sensitive consumer financial data. 

Vulnerabilities may exist in several areas of the card processing ecosystem:

  • Point-of-sale (POS) devices
  • Wireless hotspots
  • Personal computers
  • Unsafe transmission of card data to service providers
  • Paper-based storage

PCI DSS ensures that payment card transactions are as secure as possible. Since credit card issuers and banks typically refund customers in case of fraudulent purchases, they have a vested interest in backing this cybersecurity standard. 

Thus, even though PCI DSS is not legally binding nor does it supersede any national or local laws, it is uniformly adopted by in-scope organizations all over the world.

Who Does PCI DSS Requirements Apply To

When did PCI DSS become mandatory?

PCI DSS became mandatory after version 1.0 was released on December 15, 2004. However, we have already noted that it is not a legal requirement but a security standard. 

So, “mandatory” here means that when cloud-hosted companies or merchants sign contracts with payment card companies and banks that handle payment processing, being PCI DSS compliant is a prerequisite.

For cloud-hosted companies like you, PCI DSS compliance and cardholder information security are assessed via a self-assessment questionnaire (SAQ), which also includes an Attestation of Compliance (AOC). The AOC attests to your company’s compliance with PCI DSS. 

If a data breach occurs in your transaction systems that is deemed to be caused by a failure to implement the PCI DSS correctly, your card company or payment processor may impose sanctions. You could be required to pay a hefty fine or pay for an assessment to prove that your security systems have been improved.

PCI DSS Who Does It Apply To?

If your cloud-hosted company accepts card payments, you must be PCI DSS compliant. There’s no “certification” for PCI DSS compliance, instead, you prove your compliance through self-assessment i.e. by completing the SAQ and the AOC. 

There are four PCI compliance levels determined by your Visa transaction volumes over a 12-month period:

PCI DSS Who Does It Apply To
  • Level 1 companies must provide an annual Report on Compliance (RoC) that includes an audit by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). 
  • Level 2-4 companies may complete the SAQ that has different versions to cater to different businesses and payment processing methods.

Note that compliance level requirements may slightly differ based on card schemes. For instance, MasterCard requires level 2 companies to complete the SAQ with the help of a QSA or ISA. 

Non-compliance with PCI DSS attracts fines, but not in the general sense of the word. Instead of forking out separate fines for violations, penalties are baked into contracts between cloud-hosted companies and card payment companies or payment processors.

Penalties are levied per month of non-compliance and may increase with increasing periods of non-compliance. Amounts could go up to $100,00 per month and card payment companies may choose to terminate their contracts with you. If you face a data breach, your compliance level could be increased. 

Worse still, you could be put on the Merchant Alert to Control High-Risk (MATCH) list that bans you from processing card payments anymore. 

Conclusion

Now that you’re clear about who PCI DSS applies to, your cloud-hosted company must meet cardholder security standards to ensure that your transactions are secure.

PCI DSS compliance requirements may seem overwhelming but they can be boiled down to three steps performed regularly—assess, remediate, and report. By adopting a proactive approach to mitigating potential network security concerns like data breaches, you can easily unlock your company’s growth. 

Let Sprinto help you with PCI DSS preparations that include automated evidence collection, a clear checklist of requirements, security monitoring, managed implementation, and zero-touch audits. 

FAQ: Who Does PCI DSS Requirements Apply To

  • What are PCI DSS requirements?

PCI DSS gives the benchmark for technical and operational requirements that will protect consumer sensitive data. 

There are 12 core requirements that together cover almost 200 security controls:

  1. Install and maintain network security controls 
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Use strong cryptography to protect cardholder data when transmitting over open, public networks
  5. Protect systems and networks from malicious software 
  6. Implement and run secure systems and software applications
  7. Restrict access to cardholder data and system components by business need-to-know
  8. Establish the identity of users and authenticate access to system components
  9. Limit physical access to cardholder data and network resources 
  10. Log and monitor access to network resources and cardholder data
  11. Test security systems and processes regularly
  12. Implement policies and programs to address information security
  • What are the PCI DSS levels?

There are four PCI DSS levels determined by the volume of transactions processed each year:

  • Level 1 = Companies that process over 6 million transactions per year
  • Level 2 = Companies that process 1 million – 6 million transactions per year
  • Level 3 = Companies that process 20,000 – 1 million transactions per year
  • Level 4 = Companies that process less than 20,000 transactions per year
  • Card data covered by PCI DSS includes ______.

Card data covered by PCI DSS includes the primary account number (PAN), the cardholder’s name, the card expiration date, and the security code.

Posted in: