What is PCI Compliance? 12 Requirements & More
Contact Us | |
Free Demo | |
Chat | |
Learn about The Payment Card Industry Data Security Standard requirements and the independent body, PCI Security Standards Council, that manages and enforces the PCI DSS.
What is PCI Compliance?
PCI compliance is compliance with The Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.
In order to provide an extensive resource on PCI compliance, this article includes:
- A detailed overview of PCI SSC Data Security Standards (along with multiple resources for further review).
- The 12 requirements of PCI DSS Compliance listed out and explained.
- Benefits of PCI Compliance.
- Potential setbacks of being non-compliant.
- A roundup of collected tips from 18 PCS DSS experts.
AN OVERVIEW OF PCI SSC DATA SECURITY STANDARDS
In an effort to enhance payment card data security, the PCI Security Standards Council (SSC) provides comprehensive standards and supporting materials, which include specification frameworks, tools, measurements, and support resources to help organizations ensure the security of cardholder information at all times (particularly during the transmission of cardholder data). The PCI DSS is the cornerstone of the council, as it provides the necessary framework for developing complete payment card data security systems & processes that encompasses prevention, detection, and appropriate reaction to security incidents.
Tools and Resources Available from PCI SSC:
- Self-Assessment Questionnaires to assist organizations in validating their PCI DSS compliance.
- PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices.
- Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors and others develop secure payment applications.
- Public resources:
- Lists of Qualified Security Assessors (QSAs)
- Payment Application Qualified Security Assessors (PA-QSAs)
- Approved Scanning Vendors (ASVs)
- Internal Security Assessor (ISA) education program
The 12 Requirements for PCI DSS Compliance
1. Use and Maintain Firewalls
Firewalls essentially block access of foreign or unknown entities attempting to access private data. These prevention systems are often the first line of defense against hackers (malicious or otherwise). Firewalls are required for PCI DSS compliance because of their effectiveness in preventing unauthorized access.
2. Proper Password Protections
Routers, modems, point of sale (POS) secure systems, and other third-party products often come with generic passwords and security measures easily accessed by the public. Too often, businesses fail to secure these security vulnerabilities. Ensuring compliance in this area includes keeping a list of all devices and software which require a password (or other security to access). In addition to a device/password inventory, basic precautions and configurations should also be enacted (e.g., changing the password).
3. Protect Cardholder Data
The third requirement of PCI DSS compliance is a two-fold protection of cardholder data. Card data must be encrypted with certain algorithms. These encryptions are put into place with encryption keys — which are also required to be encrypted for compliance. Regular maintenance and scanning of primary account numbers (PAN) are needed to ensure no unencrypted data exists.
4. Encrypt Transmitted Data
Cardholder data is sent across multiple ordinary channels (i.e., payment processors, home office from local stores, etc.). This data must be encrypted whenever it is sent to these known locations. Account numbers should also never be sent to locations that are unknown.
5. Use and Maintain Anti-Virus
Installing anti-virus software is a good practice outside of PCI DSS compliance. However, anti-virus software is required for all devices that interact with and/or store PAN. This software should be regularly patched and updated. Your POS provider should also employ anti-virus measures where it cannot be directly installed.
6. Properly Updated Software
Firewalls and anti-virus software will require updates often. It is also a good idea to update every piece of software in a business. Most software products will include security measures, such as patches to address recently discovered vulnerabilities, in their updates, which add another level of protection. These updates are especially required for all software on devices that interact with or store cardholder data.
7. Restrict Data Access
Cardholder data is required to be strictly “need to know.” All staff, executives, and third parties who do not need access to this data should not have it. The roles that do need sensitive data should be well-documented and regularly updated — as required by PCI DSS.
8. Unique IDs for Access
Individuals who do have access to cardholder data should have individual credentials and identification for access. For instance, there should not be a single login to the encrypted data with multiple employees knowing the username and password. Unique IDs creates less vulnerability and a quicker response time in the event data is compromised.
9. Restrict Physical Access
Any cardholder data must be physically kept in a secure location. Both data that is physically written or typed and data that is digitally-kept (e.g., on a hard drive) should be locked in a secure room, drawer, or cabinet. Not only should access be limited, but anytime the sensitive data is accessed, it should be kept in a log to remain compliant.
10. Create and Maintain Access Logs
All activity dealing with cardholder data and primary account numbers (PAN) require a log entry. Perhaps the most common non-compliance issue is a lack of proper record keeping and documentation when it comes to accessing sensitive data. Compliance requires documenting how data flows into your organization and the number of times access is needed. Software products to log access are also needed to ensure accuracy.
11. Scan and Test for Vulnerabilities
All ten of the previous compliance standards involve several software products, physical locations, and likely a few employees. There are many things that can malfunction, go out of date, or suffer from human error. These threats can be limited by fulfilling the PCI DSS requirement for regular vulnerability scans and vulnerability testing.
12. Document Policies
Inventory of equipment, software, and employees that have access will need to be documented for attestation of compliance. The logs of accessing cardholder data will also require documentation. How information flows into your company, where it is stored, and how it is used after the point of sale will also all need to be documented.
Meet PCI Compliance Requirements
with Digital Guardian
See how Digital Guardian enables you to effectively discover, monitor and control PCI DSS data.
Benefits of PCI Compliance
Complying with PCI Security Standards seems like a daunting task, at the very least. The maze of standards and issues seems like a lot to handle for large organizations, let alone smaller companies. Yet, compliance is becoming more important and may not be as troublesome as you assume, especially if you have the right tools.
According to PCI SSC, there are major benefits of compliance, especially considering that failure to comply may result in serious and long-term consequences. For example:
- PCI Compliance standards mean that your systems are secure, and your customers can trust you with their sensitive payment card information; trust leads to customer confidence and repeat customers.
- PCI Compliance improves your reputation with acquirers and payment brands – just the partners your business needs.
- PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution.
- As you try to meet PCI Compliance, you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others.
- PCI Compliance contributes to corporate security strategies (even if only a starting point).
- PCI Compliance likely leads to improving IT infrastructure efficiency.
Difficulties Posed by PCI Non-Compliance
PCI SSC also points to potentially disastrous results of failing to meet PCI Compliance. After working to build your brand and secure customers, don’t take a chance with their sensitive information. By meeting PCI Compliance, you are protecting your customers so they can continue to be your customers. Possible results of PCI Non-Compliance include:
- Compromised data that negatively impacts consumers, merchants, and financial institutions.
- Severely damaging your reputation and your ability to conduct business effectively, not just today, but into the future.
- Account data breaches that can lead to catastrophic loss of sales, relationships, and community standing; plus, public companies often see depressed share price as result of account data breaches.
- Lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines.
PCI Compliance, as with other regulatory requirements, can pose challenges to organizations that are not prepared to deal with protecting critical information. But, protecting data is a much more manageable task with the right software and services. Choose a data loss prevention software that accurately classifies data and uses it appropriately so you can rest more easily knowing that your cardholder data is secure.
Best Practices for Meeting PCI-DSS Compliance, According to 18 PCI-DSS Experts & Security Professionals
The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information and credit card transactions — regardless of the number of transactions or the size of those transactions. Because of that, there are thousands of organizations spanning practically every industry that must comply with these standards.
Maintaining compliance is a top priority. To learn more about what companies need to know and do to ensure compliance with PCI-DSS, we reached out to a panel of InfoSec pros and asked them to answer this question:
"WHAT ARE THE BEST PRACTICES FOR MEETING PCI-DSS COMPLIANCE?"
Meet Our Panel of Security Professionals and PCI-DSS Experts:
Mike Baker
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
"PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches..."
It merely means minimum standards have been achieved. As cybercriminals become more sophisticated, staying ahead of threats is a daily challenge. The card number is only a small part of what a hacker wants. The more data a hacker gets, the more complete a profile of an individual they obtain, making the data they steal that much more valuable.
Merchants need to take several measures to be compliant and prevent their POS systems from being compromised.
1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks
There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe. While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers has yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.
2. Ensure that Both POS and OS Software Is Up-to-Date
Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.
3. Always Change Default Manufacturers’ Passwords
Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password. Changing default passwords is required as part of an organization’s compliance with PCI-DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.
4. Isolate the POS System from Other Networks
Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system. The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
5. Always Purchase POS Systems from Reputable Dealers
Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.
Cedric Savarese
Cedric Savarese is the Founder and Chief Executive Officer at FormAssembly, a leading provider of enterprise form solutions. Cedric has been at the helm of FormAssembly, responsible for the company’s strategic direction and growth, since its inception in 2006.
"Best practices for meeting PCI-DSS compliance include..."
Identify and maintain goals and perspective
Goal - The ongoing security of cardholder data should be the primary objective behind all PCI compliance activities – not simply attaining compliance reports.
Perspective - Organizations get wrapped up in the compliance process and fail to establish long-term processes and governance for maintaining the security of cardholder information. Cardholder data is one of the easiest types of data to convert to cash. It represents almost 75 percent of all security attacks. An entity collecting cardholder data needs to consider why, where, when and what for collecting such data.
Risk and security precede compliance
It’s not about compliance. Any company can attain PCI compliance by achieving the minimum security requirements set by PCI Security Standards Council. Identifying risk associated with any data collection activity is the primary step towards security. Security in turn mitigates risks and helps organization achieve and maintain compliance. Compliance should not be the goal – it’s a guideline – risk mitigation and security should be.
Frequency of audits and scans.
It is an ongoing process, which never stops. Scan, monitor, and mitigate – there is no shortcut to this process.
Ownership
Define ownership - PCI compliance and coordinating security activities should be the primary role for the owner. The compliance manager should have adequate responsibility, budget, and authority.
Balance business priorities versus security cost and procedures
One of the biggest pain points for small businesses is balance. Businesses emphasize growth, constricting information security budget. Information security and compliance should not be seen as an added cost center. Instead, they should be considered as long-term investment.
Ian McClarty
Ian McClarty has over 20 years executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services.
"When dealing with PCI compliance..."
Your number one priority is protecting your cardholder data (CHD). PCI has a very comprehensive set of rules to accomplish protection, but your company can keep the following best practices in mind when striving for PCI compliance.
- Segment your data – It is imperative to keep your CHD segmented from your standard company data. This entails creating a cardholder environment (CHE) that only deals with CHD. This not only protects your data but it also reduces the scope of your PCI audit.
- Encrypt your data – All CHD should be encrypted, or tokenized, from the moment you interact with your customer’s card number. This also includes ensuring this data is encrypted while at rest.
- Control access to your data – Role-based access controls (RBAC) will make your PCI compliance much easier. RBAC will ensure your HR department has no access to CHD and your system administrators have the access they need.
- Monitor your data – Set up alerts for security incidents involving CHD or anything that could compromise your CHE. Attackers usually do not compromise your data by coming through your front door, but rather do it in a methodical, hidden manner as to not alert you. Monitor even the assets that you feel are trivial but support your CHE.
Ben Zilberman
Ben Zilberman is a product marketing manager, security on Radware’s security team. In this role, Ben specializes in application security and threat intelligence and works closely with Radware’s Emergency Response and research teams to raise awareness of high profile and impending attacks. Ben has diverse experience in public network security, including firewalls, threat prevention, web security, and DDoS technologies.
"There are several practices to ensure you meet the Payment Card Industry Data Security Standard (PCI-DSS)..."
To start, you need to make sure to use encryption protocols beyond SSL/TLS, which is no longer sufficient for PCI-DSS. By June 30th, 2018, you need to have disabled SSL and early TLS protocols and upgraded to a more secure alternative. Another requirement for meeting PCI-DSS compliance is to use strong access controls to prevent unauthorized access. This includes pairing multi-factor authentication with strong passwords. These passwords should be very long, comprised of different types of characters, and avoid dictionary words. You also need to implement secure remote communication to prevent eavesdropping, keep data that flows via APIs safe, and encrypt and secure the certifications and keys. It’s also important to follow security alerts and advisories and ensure timely patching to substantially reduce the attack surface and risk level. Periodically audit your security posture as well, especially after making changes. This includes any redesign, replacement or integration of new solutions. A security audit goes hand in hand with performing code reviews to prevent exploitation of common vulnerabilities. You can do this manually or with automated scanning and vulnerability assessment tools. Finally, make sure to implement web application firewalls (WAFs) as a security policy enforcement point. If you follow these important steps and requirements for the PCI-DSS, you’ll be well on your way to ensuring compliance.
Steve Dickson
Steve Dickson is an accomplished expert in information security and CEO of Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, CA.
"The Payment Card Industry Data Security Standard (PCI-DSS) aims to..."
Enhance cardholder data security and facilitate the adoption of consistent data security measures globally. This standard applies to all entities involved in payment card processing, which includes merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data or sensitive authentication data.
Here are three measures for organizations to ensure compliance with PCI-DSS:
Conduct regular risk assessments. PCI-DSS highlights the importance of conducting risk assessments in order to understand the likelihood and magnitude of harm from various threats and determine whether additional controls are necessary to protect data. You need to regularly evaluate your security posture to quickly find areas that need attention, prioritize them, and mitigate risks to an acceptable level. If a risk assessment process is not already established, define risk assessment methodology, assign roles and responsibilities, and allocate resources.
Analyze user behavior. As outlined in Requirement 10, you need to track access to network resources and cardholder data to identify anomalies or suspicious activities before they lead to security incidents. User behavior analytics can help you gain visibility into what users are doing in the IT environment and spot unusual behavior that might be a sign of insider misuse or hackers trying to gain access to IT infrastructure.
Use data discovery and classification. Requirement 3 of PCI-DSS says that companies should store data “only in specific, known locations with limited access” to protect cardholder data. Data discovery and classification can help you fulfill this requirement and identify your sensitive data, where it resides, who can access it, and who uses it in order to set appropriate levels of controls and ensure that critical information is not overexposed.
Tim Critchley
Tim is an experienced director of technology start-ups in both product- and service-focused sectors. He has been the CEO of Semafone since 2009 and has led the company from a UK startup to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups, including the BGF and Octopus.
"Complying with the complex PCI-DSS can be quite simple through a tactic called descoping..."
The PCI-DSS considers any person, system, or piece of technology that touches cardholder data (CHD) as in scope. To simplify compliance, companies should look for opportunities to remove these entities from PCI-DSS scope (descoping) by ensuring that they are never exposed to CHD.
For example, if your organization operates a contact center that regularly accepts customer payments over the phone, you can descope your IT network infrastructure, agents/customer service representatives, call recording systems, and other telephony from compliance by using dual-tone multi-frequency (DTMF) masking technologies. These technologies allow customers to directly enter their payment card data into their phone's keypad, replacing DTMF tones with flat ones so they are indecipherable. By sending the CHD directly to the payment processor, such solutions keep the data out of the contact center environment completely. As a result, there are far fewer controls required for PCI-DSS compliance, while sensitive data is out of reach from credit card fraudsters and hackers. As I like to say, no one can hack the data you don't hold.
Jennifer Glass
Jennifer Glass is CEO of Credit Cards, NJ (CCNJ) a growing ISO in the payment processing industry. Ms. Glass has been recognized as an expert in the payment processing space by the Small Business Development Center, SCORE, many banks, several top 50 global accounting firms and more than 1,000 organizations for more than 15 years.
"First is the obvious..."
Make sure that all people in the organization are following common sense practices and not leaving credit card data (from credit card companies / major card brands) lying around and only certain people that have an absolute need have access to the secure data. Second, and this one is perhaps even more important in certain situations like what we saw in the Saks Fifth Avenue/Lord & Taylor hack – if a payment processing system is connected to the same server(s) as email and other non-payment related activities, get that payment system off the shared resource(s) and put it on its own dedicated resource with separate logins, etc. to prevent malware from attacking the same system and leaving payment details open to hackers. It's similar to the way large (cruise) boats are made these days – there are bulkheads to hold water in the event of a strike/accident so that the whole boat doesn't flood. If a hacker is limited to one area, they won't get a second win just by getting into the network on the email side with social engineered phishing attempts, etc. These are just some of the ways that businesses can be safer beyond simply completing the self-assessment questionnaires or having scans done by a security vendor because those options won't always uncover the problem areas as we have seen time and time again with these major hacks.
Ellen Cunningham
Ellen Cunningham is the Marketing Manager for CardFellow, a marketplace for comparing credit card processors. She enjoys the challenge of explaining complex topics – making her a perfect fit for credit card processing – and strongly believes in CardFellow's mission of empowering business owners through education.
"PCI compliance is roughly split into 6 'categories' with steps in each category..."
It’s a good idea to work with your credit card processor or a security company to ensure compliance, but here’s a high-level overview.
The six main areas of compliance are having a secure processing network, protecting cardholder data, protecting systems against malware, using strong access control measures, monitoring and testing networks, and creating an information security policy.
Having a secure processing network includes installing firewalls, changing default passwords to more secure options, and updating other default security settings.
Protecting cardholder data includes encrypting data during transmission, as well as following proper procedures for card storage. Most processors offer a secure vault for digital card storage to help you keep data off your servers and maintain compliance.
Protecting systems against malware includes installing and regularly updating antivirus software and patching any vulnerabilities.
Using strong access control measures means limiting employee access to cardholder information and tracking who has access to the data by a unique ID. It also includes limiting physical access to cardholder data.
Monitoring and testing networks includes tracking personnel that have access to cardholder data on your network and what they’re doing with that data, as well as testing your systems for security flaws or vulnerabilities.
Creating an information security policy involves clearly stating how your organization will deal with PCI-DSS and which employees or vendors are responsible for which components.
Jake Posey
Jake Posey is the CEO of Prepaid Program Management LLC. His company teaches FinTechs and Entrepreneurs how to launch prepaid card programs. Jake is also the lead instructor for the Prepaid Academy that offers prepaid specific compliance, IT, and PCI training.
"There are three areas I recommend companies focus on…”
The first is mini-audits. I’ve seen too many prepaid program managers wait until their auditors are about to conduct their annual review before they scan their systems for compliance. Granted, these companies are in pretty good shape, but things can fall out of compliance when you have several releases happening throughout the year. The result, however, is needing to dedicate an entire release cycle to PCI compliance instead of launching new products that will increase revenues. Companies should conduct a mini audit after each release. Each of these areas can focus on different PCI compliance areas. This, in itself, will prevent an entire release from being monopolized by PCI items.
Secondly, companies should focus more on restricted access for its employees. Many Fintechs today are filled with rockstars that can do many jobs. However, each rockstar has a specific scope of duties. His or her access should be limited to the job they are assigned, not the jobs they could be doing. In one instance, I’ve seen a programmer expose a company to $900 million in potential losses because he was testing in production and not UAT. Additionally, companies need to develop solid audit procedures to remove access for employees and contractors after they leave the company.
Lastly is investing in industry specific training. PCI covers the payments industry, but that industry is multifaceted and complex. There are different scenarios that need to be addressed by a bank who is PCI compliant versus a FinTech company who needs to be PCI compliant. Yet, most training treats everyone the same. Companies need to make the investment in training that is specific to their niche and shows examples that are relevant. Otherwise, you risk an employee rushing through the training instead of thinking through the training.
Evaldas Alexander
Evaldas Alexander is the CTO at RankPay, a top-rated SEO service that helps thousands of small businesses earn higher rankings.
"PCI-DSS compliance has several different Self Assessment Questionnaires (SAQs) that must be followed to be compliant..."
Since the different SAQs vary in length, it's beneficial to minimize company exposure to payment method details, in order to be eligible for compliance under the shortest possible SAQ. For example, one SAQ has only 13 requirements, while another SAQ has over 200! When it comes to dealing with such requirements, you should have appropriate policies and procedures documented within your internal wiki. Perform regular audits to ensure that employees are functioning within the parameters specified by your chosen SAQ. For instance, no customer service rep can update the credit card on file on behalf of a customer if you are compliant under the specification of SAQ A.
Dmytro Lanovskyi
Dmytro Lanovskyi is currently is a Chief Information Security Officer (CISSP) on one of Intellias' client projects.
"The best practices for meeting PCI-DSS compliance include..."
1. First of all, you need assigned ownership over the compliance process. Generally, it should be a security expert with relevant experience in coordinating security activities.
2. You need to start building your architecture with PCI-DSS requirements in mind.
3. Conduct an in-depth risk assessment to define security needs.
4. Provide custom and automated control over monitoring systems.
5. Detect and respond quickly to security control issues.
6. Develop performance metrics to measure success and failure.
7. Be ready to prepare a bunch of documentation for PCI-DSS certification from scratch and guarantee continuous compliance.
8. The list of documentation about your company and services you’ll need to prepare includes:
- Antivirus Policy
- Cardholder Data Policy
- Firewall and Router Policy
- Information Security Policy
- Password Policy
- Physical Security Policy
- System Configuration Policy
- System Monitoring and Logging Policy
- Testing Systems and Processes Procedure
- Information Security Incident Management Policy
- Inventory and Ownership of Assets Policy
- Application and System Development Software Policy
- Managing Service Providers Policy
- Access Control Policy
- Information Security Awareness Program
- Information Security Responsibilities Policy Statement
- Individual User Agreement Template
- Data Classification Policy
- Data Protection Policy
- Data Management Policy
9. You need to comply with PCI-DSS standards on a daily basis, even after the successful audit.
10. Consider the regular position of CISSP to control all security activities.
Geoffrey Scott
Geoffrey Scott is a payments consultant at PayMotile.com, where he collaborates daily with businesses to connect them with the payment processor most suited to handling their particular needs.
"PCI-DSS compliance is standard practice for payment processors..."
Businesses new to the world of card transactions may struggle to comply if they haven't prepared themselves. Here are a couple of best practices for businesses aiming to meet PCI-DSS standards:
1. Minimize (or eliminate) the data you're collecting from customers.
The more data you collect, the more scrutinized you'll be. For instance, e-commerce businesses who collect and store user data have to fill out a robust, 326-question form version of the PCI SAQ (self-assessment questionnaire). For companies that leave such data collection to a third party, compliance is more straightforward (and the SAQ is a lot more concise).
Not to mention, with the GDPR in effect, data collection is becoming more complicated than ever. It's a good idea to limit and closely monitor such practices, so you can reduce your company's liability in the event of a breach (or lawsuit).
2. Communicate with your payment processor.
Although how you comply to the PCI-DSS is governed by a standard set of rules, your payment processor may have additional compliance measures that you'll need to follow. When in doubt, contact them. Get explicit confirmation whenever you're uncertain about anything related to compliance. Discrepancies between you and your provider will only lead to headaches for both parties.
McCall Robison
McCall Robison is a Content Specialist for BestCompany.com. She also manages the Merchant Accounts Blog.
"What some people don't realize about PCI-DSS compliance is that..."
It isn't a one and done deal; it is an ongoing process. In order to ensure your business is complying with the PCI-DSS standards, you must do three steps periodically: assess, remediate, and report.
You must continually assess and analyze the PCI-DSS standards to make sure you are complying. If you are not fully complying, you must remediate any shortcomings and eliminate those vulnerabilities. Following this, you must make a report of this remediation and provide a new compliance statement to your acquiring bank as well as your payment card brand.
Gregory Morawietz
Gregory is the VP of Operations at Single Point of Contact. He is an IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
"The best practices for meeting PCI-DSS compliance are to..."
Build and maintain a secure network with systems that protect cardholder data; have a vulnerability management program and implement an access control system; monitor and test networks as well as have an information security policy in place. Have all these things available to show an auditor or for your own internal review.
Carmine Mastropierro
Carmine Mastropierro is the owner of a digital agency, three affiliate marketing businesses, and is a self published author. He has written for GQ Magazine, Postmates, Marketo, and others.
"To meet PCI-DSS compliance..."
Business owners should first ensure that their website uses an SSL certificate. This provides an extra layer of security for customers and is required by major payment gateways. It also provides insurance for end users if any money is lost during payment. Secondly, having security policies and procedures in place will further keep customer data safe. Thirdly, a requirement for PCI compliance is updated systems. Databases, browsers, firewalls, and other crucial components will need to be modern and kept current.
Chad Reid
Chad Reid is Director of Communications at JotForm, a PCI-DSS Service Provider Level One compliant form software.
"I think one of the most important aspects of meeting PCI-DSS compliance as a service provider is..."
Getting the very best 3rd-party security assessment available. When you explain to your customers that you're fully compliant, you need to show them tangible proof. Having a top-notch security assessment goes a long way. Getting a professional security assessment is valuable to your company anyway, but having a good one can show your customers you truly take security seriously.
Mike Mood
Mike Mood is the Founder of Lamood Big Hats and WalletGear. Lamood Big Hats makes hats for big heads going beyond the one-size-fits-all hats. WalletGear has men's wallets, wallet inserts, credit card holders, money clips, and more.
"One of the best practices in meeting PCI-DSS compliance is to..."
Never store credit card info on your servers. Use a third-party payment processor that is already PCI compliant like Paypal, Authorize.net, etc. Not only does PCI compliance make sure credit cards are safe, they also check other possible vulnerabilities on your server. You will need to make sure your firewall is protecting your ports and that you are using the correct ports for such items like outgoing order confirmation emails.
You will also need to do a self assessment on your internal business policies such application security. You will need to make sure your e-commerce software is up-to-date with the latest patches. If you have a physical retail store, you will need to make sure your POS system is isolated from your WiFi and maintain a list of wireless access points. If you do store customer data, you will need to have physical security setup as well.
Ilmie Sham Ku
Ilmie Sham Ku is the Content Marketing Coordinator at Blue Link ERP.
"More and more retail businesses are beginning to..."
Accept credit card payments from their customers both online and offline. Businesses are responsible for adhering to PCI-DSS standards in order to keep their customer's card information safe. This includes implementing processes and software for properly managing cardholder data, keeping firewall and virus protection programs up-to-date, and properly training employees on compliance standards. Compliance is more than just adhering to industry regulations; it also helps you earn the trust of your customers and provide different payment options to remain competitive. If your company works with cardholder information, it is important to ensure you have a system in place to protect this data. However, it can be hard to overcome some of the challenges associated with this:
- Employee habit: staff members may put credit card information in unencrypted fields just out of habit, or because they don't have easy access to an encrypted database to save the information in
- Data migration: transferring all of the credit card information your company has been storing in unencrypted fields into a secure database can be a time-consuming and tedious data migration process
In order to avoid this type of situation, managers must implement proper processes for accepting credit card information, employees must be trained on meeting PCI Compliance and any accounting software or programs used for storing card data must provide encrypted databases. Some companies may practice compliance by maintaining a secure, paper-based locked file system of account numbers. However, employees often disregard these policies during their daily routine, as it can be a time-consuming process. A better solution is to implement proper accounting software that includes completely separate, encrypted databases for storing this type of sensitive cardholder information. Implementing a proper system will require the transfer of all credit card information that your company previously stored in unencrypted fields, into a secure database. Finding a system with consultants who are knowledgeable in this area will help make the set-up and data migration process go smoothly.
Protecting sensitive cardholder data is just one important aspect of achieving full compliance with PCI-DSS standards, and should be addressed and reviewed along with all other requirements on a regular basis. Being proactive in making sure your business meets the correct PCI-DSS standards each year will save your company time and money dealing with any compliance issues, keep your customers happy knowing their data is safe, and help your business remain competitive.
Frequently Asked Questions
What does PCI compliant mean?
Being PCI compliant means that an organization complies with the Payment Card Industry Data Security Standard (PCI-DSS). These standards were developed by the Payment Card Industry Security Standards Council (PCI SSC) to protect the security of cardholder data.
What is required to be PCI compliant?
Companies need to follow twelve rules to demonstrate compliance with PCI-DSS, including:
1. Install and maintain a firewall to protect cardholder data.
2. Change vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open networks.
5. Use updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data on a business need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to systems containing cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Test security systems and processes regularly.
12. Maintain an information security policy for all personnel.
Is PCI compliance legally required?
PCI-DSS is a set of security standards and not a law, so adherence to it is not legally required to do business. The PCI Security Standards Council (PCI SSC) mandates compliance with PCI-DSS, and merchants need to comply if they want to process credit card payments. Failure to comply can lead to fines and the loss of merchant status which can limit a company’s ability to process credit card payments.
Who regulates PCI compliance?
PCI compliance is regulated by the PCI Security Standards Council (PCI SSC) and the member payment card organizations. Fines are levied against violators by credit card companies whose information was involved in a data breach or who have found an organization to not be in compliance with PCI-DSS.
How is PCI compliance enforced?
PCI compliance is enforced by the credit card companies that are part of the PCI Security Standards Council (PCI SSC) and the banks that handle payment processing.
Recommended Resources
All the essential information you need about DLP in one eBook.
Expert views on the challenges of today & tomorrow.
The details on our platform architecture, how it works, and your deployment options.