What is PCI Compliance? A Guide for Businesses and Consumers
If you have ever had to enter your credit card information on a website, you have interacted with the PCI DSS. The Payment Card Industry Security Standards Council created this set of security standards to protect credit card data.
PCI compliance is a requirement for any business that processes, stores or transmits credit card information.
This article provides an overview of PCI DSS (Payment Card Industry Data Security Standard) and what businesses need to do to become compliant. It will also discuss the effects of non-compliance on customers and merchants.
In this article, you'll find:
- What is PCI DSS and Why Was it Created?
- History of Payment Security Standards
- The Evolution of PCI DSS
- What Do the PCI DSS Security Standards Entail?
- PCI Compliance Requirements
- Who Does PCI DSS Affect?
- How Does PCI DSS Affect Customers?
- Benefits of PCI Compliance
- The Effects of Non-Compliance on Customers and Merchants
- How Can Organizations Meet PCI Compliance Requirements?
- Take Control of Your PCI Compliance
What is PCI DSS and Why Was it Created?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that ensure companies processing, storing, or transmitting credit card information maintain a secure environment. This includes having a firewall, secure passwords, and other security measures.
The PCI DSS was created in response to the rising number of data breaches involving credit card information being stolen and misused. By establishing this standard, the Payment Card Industry Security Standards Council (PCI SSC) hopes to reduce the amount of stolen credit card information.
To manage and administer the PCI DSS, MasterCard, Visa, JCB, Discover, and American Express created the PCI Security Standards Council (PCI SSC). It's an independent body that provides guidance and support to organizations on how to meet the standard's requirements.
History of Payment Security Standards
Although the PCI DSS itself dates from 2004, the roots of today's payment security standards stretch back even further.
Online shopping took off as the internet became more prominent in the late 1990s. Retailers and consumers alike embraced this new development. However, fraudsters were not far behind.
It soon became clear that the existing security protections were insufficient to protect customer data on such a large scale. To address the situation, Visa established the Cardholder Information Security Program (CISP). Its objective was to provide retailers with security requirements for processing credit card transactions.
This was followed by MasterCard's Site Data Protection (SDP) program and the American Express Data Security Operating Policy (DSOP). These initiatives helped to pave the way for a single unified security standard across all payment card companies.
As the other card brands followed suit, the lack of a single security standard across all of them made it difficult to ensure a consistent level of protection. To address this, the Payment Card Industry Security Standards Council was formed in 2006, and the PCI DSS was created.
The Evolution of PCI DSS
The evolution of the PCI DSS has been ongoing since its inception in 2004. As technology advances, so does the need for better security measures to protect customer data.
This is why the standard is regularly updated to ensure that it continues to be relevant and effective against modern threats. Over the years, there have been several changes to the standard, including a focus on encryption and authentication controls.
Version 1.2 of the standard was established in October 2008 to outline best practices for securing wireless networks and using antivirus software. It was followed by version 2.0 in October 2010, which introduced the concept of a penetration test and strengthened encryption processes.
After that came PCI DSS versions 3.2 and 3.2.1, released in 2018. PCI DSS 3.2.1 included additional requirements for service providers to protect cardholder data when it's transferred over the internet or stored on mobile devices. It also requires organizations to maintain a secure environment by regularly testing their security systems.
Currently, the latest version is PCI DSS 4.0, released by the PCI SSC on March 31, 2022. This version includes new requirements for secure software development and a focus on protecting cardholder data inside and outside the organization. It also provides more clarity on encryption and access controls.
What Do the PCI DSS Security Standards Entail?
In a bid to safeguard data in the payment card industry, the PCI Security Standards Council maintains high standards for merchants. These provide specifications on tools, frameworks, measurements, and support resources to help businesses keep cardholder information secure at all times.
These standards touch on prevention, detection, and how to respond to security threats. To help, PCI SSC offers the following tools:
- Self-Assessment Questionnaires - Organizations use these to validate their PCI DSS compliance.
- Payment Application Data Security Standard (PA-DSS) - This outlines best practices for creating and maintaining secure payment applications.
- Data Security Standard (DSS) - This guides how merchants can protect cardholder data.
- PIN Transaction Security (PTS) - Device vendors and manufacturers must meet specific requirements, and you can only use devices on an approved list for PIN transactions.
- List of Qualified Security Assessors (QSAs) - These organizations can help merchants validate their compliance with the PCI DSS.
- Payment Application Qualified Security Assessors (PA-QSAs) - These organizations can help merchants validate their payment applications' compliance with the PA-DSS.
- Internal Security Assessor (ISA) education program - This is a program designed to help organizations understand PCI DSS and perform internal assessments.
- Approved Scanning Vendors (ASVs) - These vendors provide regular scans for organizations to help identify vulnerabilities.
PCI Compliance Requirements
The PCI SSC has six goals that contain 12 requirements that businesses must observe to achieve and retain compliance. You must complete the following tasks outlined in the checklist to achieve this.
Goal 1
The first goal of the PCI compliance checklist is to build and maintain a secure network. After all, this is the foundation of your organization's payment card security. The two requirements that fall under this goal are:
1. Use and Maintain Firewalls
When it comes to cybersecurity, firewalls are an integral element. Firewalls provide the first line of defense against unwanted traffic, helping to prevent malicious hackers from accessing your business's networks.
Thanks to their effectiveness in preventing unwanted traffic, using and maintaining a firewall is a key compliance requirement for the PCI DSS.
2. Change Default Passwords and Security Settings
Unfortunately, many businesses don't secure their routers, modems, point of sale (POS) systems, and other third-party products. These devices usually ship with vendor default passwords that anyone can easily look up.
After setting up the firewall, changing the default passwords and security settings is important. This helps protect against anyone who may know or guess the default credentials or settings.
In addition to changing the passwords, updating them regularly and ensuring that only authorized users have access is important. You must implement strong authentication systems like two-factor or multi-factor authentication to achieve this.
To maintain compliance, create a list of all devices and software that need some form of password or security measure to access. This device/password inventory should be updated regularly, and other basic precautions (like changing passwords often) should be taken.
Goal 2
The second goal is protecting cardholder data, through data protection and encryption. When it comes to protecting cardholder information, you must meet two requirements:
3. Protect Stored Cardholder Data
When businesses process, store, or transmit cardholder data, they must take extra precautions to protect it. Doing so involves storing data securely and using encryption whenever possible.
PCI SSC recommends a two-fold system of protecting cardholder information. The data itself is encrypted with cryptographic algorithms, and the keys used to encrypt that data are in turn encrypted under a separate key, so that a stolen copy of the data is useless without both layers.
For example, place any stored cardholder data on a separate secure server accessible only to those who need it. Also, encrypt all transmissions of cardholder data across public networks.
To keep your data safe, regularly scan your systems for stored primary account numbers (PANs) so you know where they reside and can keep them protected.
4. Encrypt Transmission of Cardholder Data Across Open, Public Networks
To protect cardholder data when transmitted publicly (such as when a customer places an order online), businesses should use secure protocols, such as those specified by the PCI DSS.
For example, websites must have a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate that is up-to-date and validated. This will help protect customers' sensitive data when they are making purchases.
In addition, you should restrict access to cardholder data to only those who need it. This means creating a secure system of user accounts that are monitored and updated frequently.
These measures will help protect customers’ sensitive data from anyone who might try to intercept or steal it while it is in transit.
Goal 3
The third goal is to maintain a vulnerability management program. This involves monitoring and testing networks for security vulnerabilities and addressing them as quickly as possible. There are two requirements that you must adhere to under the third goal. These are:
5. Use and Maintain Antivirus Software
It is important to install and maintain antivirus software on all computers and applications that process, store, or transmit cardholder data. This will help to detect and remove malicious software from your systems.
Furthermore, antivirus software is required on any device that stores or interacts with PANs. You should also update the antivirus software regularly to ensure it stays current.
Also, businesses must regularly scan their networks and applications for any security vulnerabilities. This means using an approved scanning vendor (ASV) to conduct quarterly scans of their external networks.
6. Keep Software and Systems Updated
Software and systems need to be regularly updated with the latest security patches. This ensures that any security vulnerabilities are addressed quickly before they're exploited.
You must also test any new applications before they are released to ensure they do not have any holes or weaknesses that could potentially be exploited.
Goal 4
With your vulnerability management program in place, it's time to move on to the fourth goal: implementing strong access control measures. This means limiting access to cardholder data based on the user's role. Under this goal, there are three requirements:
7. Restrict Data Access
Make sure that only those who need access to cardholder data are granted it. This means implementing strict access control measures and ensuring user accounts are frequently monitored and updated.
One way to achieve this is to ensure that data is strictly available on a need-to-know basis. Regardless of the title, staff should only access data if they need to have it. Moreover, according to the PCI DSS, you should document and regularly update the roles that need access to sensitive data.
8. Assign Unique IDs to Each Person with Computer Access
An essential part of data security is knowing who accesses data and when. So, when employees with access to sensitive data use shared login credentials, it'll be challenging to determine who accessed the data.
Instead, create unique IDs for each user to help ensure that only authorized personnel can access data. This also helps to prevent any unauthorized access or manipulation of cardholder data.
9. Restrict Physical Access to Cardholder Data
Physical access to cardholder data needs to be restricted and monitored as well. This means setting up physical security measures like locked doors, secure cabinets, and restricted access areas.
You should also include measures to monitor and log physical access attempts and revoke user accounts when employees leave the organization.
Goal 5
It's not enough to have great infrastructure and systems in place. You need to monitor and test your networks regularly. And this is what goal 5 entails. The two requirements under this goal include:
10. Track and Monitor All Access to Network Resources and Cardholder Data
A log entry is necessary for all activities that involve primary account numbers (PANs) and cardholder data. However, the most prevalent security issue is that organizations fail to keep proper records of who accessed confidential information and when.
To comply, you need to track how data enters your company and how often people need access. You'll also need software that logs all activity for accuracy.
11. Scan and Test for Vulnerabilities
Under this goal, you need to use a vulnerability scanning tool provided by an Approved Scanning Vendor (ASV). The ASV will scan your networks and applications to identify security issues or vulnerabilities.
By regularly running scans, you can be sure that your systems are up-to-date and that your vulnerability management program is in compliance with PCI DSS.
Goal 6
Finally, goal 6 is about maintaining a policy that addresses information security. It includes one requirement:
12. Maintain an Information Security Policy
Creating and maintaining an information security policy is the last requirement of PCI DSS. This policy should define rules, procedures, and roles related to data security. It should also address how confidential information is to be stored, transmitted, and used.
This policy should be up-to-date and approved by the board. It should also be reviewed regularly to ensure it complies with current regulations and industry best practices.
Who Does PCI DSS Affect?
The Payment Card Industry Data Security Standard affects any business that collects, stores, or transmits customer credit card data. This includes merchants, payment processors, banks, and service providers.
Organizations must show proof of compliance to any of the five payment card companies to process payments from customers. Failing to do so could lead to fines, litigation, or other penalties.
The PCI DSS requirements extend to an organization's physical and digital infrastructure. All personnel involved in handling payments must be compliant with the standard as well.
How Does PCI DSS Affect Customers?
Customers play a major role in the success of PCI compliance. As an organization, you must ensure that customers know the risks associated with card payments and the steps you take to keep them safe.
By being compliant, organizations can ensure that customers' data is safe and that their card payments are secure. This can build customer trust and help establish a positive relationship between the business and its customers.
Benefits of PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) guides companies of all sizes on how to handle credit card information securely. Despite its complex appearance, compliance is vital and can be easier to achieve than initially thought, especially with the right tools.
Once you do, you'll enjoy benefits such as:
- Complying with PCI improves your reputation with business partners such as acquirers and payment brands.
- Being PCI compliant instills customer confidence in you and your abilities, leading to increased sales and repeat business.
- Being compliant reduces internal and external security threats, thereby reducing the risk of data breaches and fraud.
- It can help you save money by making payments more secure.
- You'll find that complying with other regulations, such as HIPAA or SOX, becomes much simpler.
- If you are PCI compliant, you are likely to have improved IT infrastructure efficiency.
- Although it's only a starting point, being PCI compliant still contributes to corporate security strategies.
Ultimately, compliance with PCI DSS will help to protect customer data by demonstrating that your organization takes information security seriously. This can positively affect customer retention and acquisition, leading to increased sales and profits.
The Effects of Non-Compliance on Customers and Merchants
Non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) affects customers and merchants.
For customers, non-compliance means that their data is at risk of being compromised, leading to identity theft or financial loss. For merchants, non-compliance can lead to fines by payment card companies, legal action, and reputational damage.
It's important to note that non-compliance affects all parties involved, not just the merchants. To help protect customers and your business, it's crucial to comply with PCI DSS requirements.
How Can Organizations Meet PCI Compliance Requirements?
Organizations can meet compliance requirements by following a set of best practices outlined by the Payment Card Industry Security Standards Council (PCI SSC). These best practices include:
- Ensuring that cardholder data is secure and stored in a safe environment.
- Implementing strong access control measures to prevent unauthorized access to cardholder data.
- Conducting regular vulnerability scans to identify potential security risks.
- Ensuring that all personnel are trained and knowledgeable about secure cardholder data practices.
- Establishing an effective incident response plan to address any incidents related to cardholder data.
- Monitoring and testing networks regularly for security issues.
By following the best practices outlined by the PCI SSC, you can ensure your company remains compliant with the latest security standards and protect the data of your customers.
Take Control of Your PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a complex set of security controls designed to protect customer cardholder data. Complying with the standard can be daunting, but it doesn’t have to be.
With the right tools and processes, you can quickly and easily ensure compliance. And this is where Arctera comes into play. We have years of experience helping organizations comply with PCI as data is backed up and protected with all our available features including encryption and immutable storage support.
We offer a suite of products designed to simplify compliance and custom services tailored to your needs. In addition to the various secure access requirements we enable for our customers, we offer the added protections of malware scanning and anomaly detection, which scan backups for anything abnormal and then notify our customers.
Reach out to us today, and let us show you how you can meet your PCI requirements effortlessly.
About Arctera
Arctera helps organizations around the world thrive by ensuring they can trust, access, and illuminate their data from creation to retirement. Created in 2024 from Veritas Technologies, an industry leader in secure multi-cloud data resilience, Arctera comprises three business units: Data Compliance, Data Protection and Data Resilience. Arctera provides tens of thousands of customers worldwide, including 70% of the Fortune 100, with market-leading solutions that help them to manage one of their most valuable assets: data.
Learn more at www.arctera.io
Follow us on X @arcteraio