Safeguard customer payment information with this PCI DSS standard
Nothing says “necessary evil” like compliance standards. These regulations may slow go-to-market times, but they serve the crucial function of protecting businesses and consumers alike from misconduct and data breaches. PCI compliance is among the most important standards for financial transactions; if your business takes credit card payments, it’s vital that you meet the Payment Card Industry Data Security Standard (PCC DSS) as laid out by the Payment Card Industry Security Standards Council (PCI SSC). That means everything from the neighborhood dive to the latest fintech disruptor needs to meet this compliance standard.
But what is PCI compliance? What, specifically, can be used as a PCI compliance definition? What are the different levels of compliance? And who makes the call about whether a business is compliant? Read on to find out.
What Is PCI Compliance?
The letters in PCI compliance stand for payment card industry; PCI compliance refers to meeting the 12 customer payment data security standards set by the PCI SSC. Whenever your business accepts, transmits, processes, or stores credit card data, it must do so according to PCI rules. The granular specifics of compliance vary according to the agreement between a business, its merchant or payment service provider, and the payment card networks.
Individual contract quirks notwithstanding, the broad intent of PCI compliance remains the same: to safeguard payment information from bad actors, cyberattacks, and human error. To that end, PCI requires that companies incorporate measures such as cardholder data encryption, antivirus software, strict user authorization rules, and audit histories. Companies that handle a larger volume of transactions are typically subject to more stringent rules around compliance, and compliance must be renewed annually.
Merchant account providers, which provide businesses with the merchant bank accounts necessary to conduct credit card transactions, often have PCI compliance-related requirements written into their terms and conditions. Payment service providers such as Square and Stripe often replace the need for merchant accounts and, therefore, frequently take on some PCI compliance responsibilities — but not all.
Receiving PCI compliance necessitates meeting the proper standards and performing the proper self-assessment on the PCI SSC’s website. Larger companies will need to hire a third-party auditing firm, but companies of any size can benefit from adding automation to their compliance efforts.
Need to brush up on the basics of PCI Compliance? Check out The Complete Guide to PCI Compliance.
12 PCI Compliance Requirements
There are 12 components to PCI compliance, each with a number of finer points that can be tailored to individual businesses and their payment agreements. Here are all 12, with some examples of the attendant finer points.
- Install and maintain a firewall to protect cardholder data
- Test network connections; restrict connections to untrusted networks; compile system documentation
- Do not use vendor-supplied defaults for security parameters or passwords
- Disable unnecessary components; maintain an inventory of system components in use; encrypt system access
- Protect stored cardholder data
- Limit data storage amount and time to legal, regulatory, or business requirements; dump sensitive authentication data after authorization
- Encrypt cardholder data when transmitting it across open, public networks
- Apply cryptography and security protocols to sensitive cardholder data; never send primary account numbers (PANs) over end-user messaging tech such as iMessage; train relevant employees
- Use and regularly update antivirus software or programs
- Use antivirus software on all systems; keep them up to date; do not allow them to be disabled by unauthorized users
- Develop and maintain secure systems and applications
- Establish a process for identifying vulnerabilities; protect system components from known vulnerabilities; install critical security patches in a timely fashion
- Restrict access to cardholder data by business need to know
- Limit system component and cardholder data access to only those whose jobs require access; set default to "deny all" access unless specifically allowed; ensure documentation
- Assign each user a unique ID
- Ensure easy identification of users; employ proper authentication management through individual passwords or biometrics; implement multi-factor authentication
- Restrict physical access to cardholder data
- Door locks and cameras to protect areas where cardholder data is stored
- Track and monitor all access to network resources and cardholder data
- Create and review secure audit trails; retain them for at least one year
- Regularly test security systems and processes
- Test and inventory wireless access points; scan for vulnerability quarterly; monitor traffic
- Maintain information security policy for all personnel
- Establish, maintain, and on an annual basis review a security policy for all personnel; implement a risk assessment process; define proper use of critical technologies
For the full breakdown of all 12 requirements, refer to the PCI DSS 3.2 standards and the document library on the PCI SSC website.
Give yourself a leg up the next time you need to review PCI requirements by downloading a copy of our free PCI Compliance Checklist:
What Are the PCI Compliance Levels?
PCI compliance levels refer to the different standards businesses must meet according to their credit card transaction volumes. The more transactions they perform, the higher their level and, correspondingly, the higher their security standards. Each of the five major credit card providers — American Express, Discover, JCB, Mastercard, and Visa — has its own program for compliance and thresholds for the different compliance levels.
With that said, many make their level delineations at similar scales of business. For Visa, the levels break down as follows:
- Level 1 businesses process more than 6 million Visa transactions per year across all channels
- Level 2 businesses process between 1-6 million Visa transactions per year across all channels
- Level 3 businesses process between 20,000 and 1 million ecommerce Visa transactions per year
- Level 4 businesses process fewer than 20,000 ecommerce Visa transactions or up to 1 million total Visa transactions per year
If a business suffers a data breach, that can cause their compliance level to rise to a higher standard of security going forward. Credit card networks can also raise a company’s PCI compliance level at their discretion.
Who Enforces PCI Compliance?
Although the PCI SSC created the PCI compliance standard, enforcement falls upon the individual card providers and payment processors. PCI compliance is not a legal or regulatory standard; it’s maintained only so long as the participating payment companies enforce it. If you opt not to use a payment processor or offer services outside the scope of such a provider, you’ll need to reach out to individual credit card companies for their specific requirements.
If meeting PCI compliance requirements seems daunting, worry not: DuploCloud is here to help. Our no-code DevOps automation makes it easy for cloud-native apps to ensure secure and compliant tools and controls. That automation also makes migrating to the cloud more effortless than ever. To find out more about how DuploCloud can help bring your business into PCI compliance, read our whitepaper.
