PCI Compliance & Credit Cards: 7 Things You Need to Know
Understanding the core guidelines and how they interact is crucial to PCI compliance
No matter how big an organization is, so long as it accepts payments online, it will face pressure to meet the requirements of PCI compliance for credit card transactions. Storing, processing, and transmitting credit card information means handling a great deal of sensitive data, which increases the risk of breaches and leaks.
To ensure they’re prepared to meet enterprise-level payment processing challenges, SMBs and startups must lay a strong foundation for PCI compliance during the growth stage. Doing so reinforces strong security controls, which will help businesses continue to meet PCI compliance regulations as they scale up. First, organizations need a baseline understanding of PCI compliance, its role, and the dangers of non-compliance.
Core Components of PCI Compliance for Credit Cards
There are twelve components of PCI compliance that organizations need to be aware of, each with an exhaustive list of sub-requirements. Currently, two published, accepted versions of the PCI DSS exist, v3.2.1 and v4.0. Version 4.0 was introduced in March 2022 and will become the sole standard at the end of March 2024, giving organizations time to transition to the new requirements.
The twelve major requirements of PCI DSS 4.0 are:
- Requirement 1: Install and Maintain Network Security Controls
- Requirement 2: Apply Secure Configurations to All System Components
- Requirement 3: Protect Stored Account Data
- Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Requirement 5: Protect All Systems and Networks from Malicious Software
- Requirement 6: Develop and Maintain Secure Systems and Software
- Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
- Requirement 8: Identify Users and Authenticate Access to System Components
- Requirement 9: Restrict Physical Access to Cardholder Data
- Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
- Requirement 11: Test Security of Systems and Networks Regularly
- Requirement 12: Support Information Security with Organizational Policies and Programs
The PCI Security Standards Council offers a 360-page document explaining the requirements (and sub-requirements) in detail. However, the core thrust of PCI compliance for credit card processing is that organizations must encrypt and secure credit card data, regularly test that credit card information is being retained safely, and limit access to stored credit card data.
You’ve just been given an introduction to PCI-DSS compliance’s 12 requirements. Make sure you meet them all with our Complete PCI Compliance Checklist.
Processing Credit Card Transactions
More than 108.6 million credit card transactions occur daily in the US, and each one requires sensitive data to change hands. Major card networks require that organizations are PCI compliant to process this data, but what does the process entail? The answer is found in Requirement 4 of the PCI compliance guidelines.
At its core, Requirement 4 dictates that primary account numbers (PANs), the unique numbers printed on a payment card, are protected with strong cryptography. The data can be encrypted before being transmitted, during the session over which the data is transmitted, or both, but it must be encrypted at some point along the processing journey. Doing so allows organizations to process the transaction without exposing sensitive information to interception by bad actors.
PCI-Compliant Credit Card Data Storage
No organization wants any of its information to be subject to a data leak, but the stakes are far worse when credit card information is put at risk. The PCI Security Standards Council has authored clear-cut requirements for PCI-compliant credit card storage. The shortest accurate summary of those requirements is “restrict and encrypt”: access to the data should be restricted, and all of the data should be encrypted.
Most of the requirements at least touch on how to store credit card data in a PCI-compliant organization. It needs to go in a secured, encrypted environment, and all access must be logged. Access should also be restricted by business need to know, which in the case of credit card data is typically a minuscule number of employees.
Regularly testing that credit card data is stored securely is paramount. Intercepting a batch of processed credit card transactions is lucrative for bad actors, but the enormous pile of credit card data that an organization might store on its network is a veritable treasure hoard.
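The “restrict and encrypt” and “log every access” rules above, as an added illustration that is not part of the original article: a minimal cardholder-data vault that drops the plaintext PAN on receipt, keeps only a keyed one-way hash (for lookup) and a first-six/last-four masked form, gates reads by role, and appends an audit event for every attempt, allowed or denied. The standard library has no AES, so this uses keyed hashing and truncation (both of which PCI DSS Requirement 3 also accepts for rendering stored PAN unreadable) in place of reversible encryption; the role names, the demo key, and the sample card number are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed demo key: in production the key lives in a KMS/HSM, never in source.
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"

# Business need to know (Requirement 7): only these constructed roles may read a record.
MASKED_PAN_ROLES = {"support_agent", "chargeback_analyst"}


def _digits(pan: str) -> str:
    """Strip spaces/dashes and reject anything outside the usual 13-19 digit PAN length."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most PCI DSS allows to be displayed."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash used as a lookup index. The key matters: once the issuer
    prefix is known the PAN space is small, so an unkeyed hash is cheap to reverse."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


class CardholderVault:
    """Keeps only the token and masked form; every access attempt is logged (Requirement 10)."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}  # token -> masked PAN
        self.audit_log: list[dict] = []     # append-only; ship to a write-once log store

    def _log(self, actor: str, action: str, token: str, allowed: bool) -> None:
        # Record a token prefix, never the PAN, so the log itself holds no cardholder data.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                               "action": action, "token": token[:8], "allowed": allowed})

    def store(self, pan: str) -> str:
        token = pan_token(pan)
        self._records[token] = mask_pan(pan)  # the plaintext PAN is discarded here
        self._log("payment-service", "store", token, True)
        return token

    def lookup_masked(self, actor: str, role: str, token: str) -> str:
        allowed = role in MASKED_PAN_ROLES and token in self._records
        self._log(actor, "lookup_masked", token, allowed)  # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read this record")
        return self._records[token]
```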
PCI Compliance for Credit Cards Over the Phone
While most of today’s transactions are processed via a payment kiosk or online portal, it’s not uncommon for an organization to take credit card information over the phone. Those transactions must still respect PCI compliance standards. Organizations that take credit card information over the phone must establish a set of best practices to avoid falling out of PCI compliance.
Some core guidelines are:
- Never record an interaction where payment information is being processed over the phone.
- Never write down credit card numbers for over-the-phone transactions. Enter all information directly into a terminal.
- Make sure employees are taking additional steps to combat fraudulent over-the-phone purchases. For instance, if an over-the-phone buyer isn’t sure of their street address, that’s a red flag.
Penalties for Failing to Meet PCI Compliance for Credit Cards
Failing to comply with PCI compliance guidelines can result in large fines and irreversible damage to an organization’s reputation. The payment card industry has established penalties up to $500,000 per incident for security breaches, while the negative press after a breach can be the death of a company. Additionally, a data breach can result in an organization being subject to lawsuits and settlement payments, which will likely scale with the size and severity of the breach.
Examples of PCI Non-Compliance
Major organizations have often become non-compliant with PCI guidelines and faced the consequences. Target’s 2013 security breach, which resulted in the credit card information of more than 40 million customers leaking, is one of the most notable PCI non-compliance breaches. Ultimately, Target paid out $18.5 million in settlements to 47 US states and over $200 million in legal fees during the ordeal.
Perhaps the most notorious incident of PCI non-compliance is the Equifax data breach of 2017, which exposed the personal information of 143 million people. A House Oversight Committee found that the breach would have been “entirely preventable” had the company followed proper protocols, such as the guidelines found in PCI compliance documentation. Equifax ultimately agreed to pay out a $700 million settlement over the breach, $425 million of which was part of a restitution fund.
Automating PCI Compliance
Establishing the security controls necessary for maintaining PCI compliance standards can be complex. The systems required to encrypt and store data take time and resources to develop, which increases go-to-market times. For startups and SMBs, that’s precious time wasted. However, organizations can shave weeks off the development pipeline with DevSecOps automation, ensuring they meet PCI compliance guidelines with as little effort as possible.
Shorter development pipelines are a significant benefit, but finding the right partner to handle the automation is crucial. DuploCloud can help. Our DevSecOps automation platform can dramatically reduce the time and cost necessary to achieve compliance with PCI guidelines, as well as other standards like SOC 2 and HIPAA. Get a demo today for a personalized walkthrough of our platform’s capabilities.