The 12 Basic Requirements for PCI-DSS Compliance. Are You Up to Date?
More and more consumers are shifting their shopping online, forcing some businesses to rethink data protection. Keeping customers’ personal data safe is paramount, and not just for ethical reasons: the legal ramifications of a data breach could be felt for a long time. It might even be enough to put a company out of business.
For merchants, the cornerstone of data protection is maintaining PCI-DSS compliance. This involves meeting or exceeding mandated requirements and complying with a specific set of data-protection protocols.
Sounds simple enough. There’s more to the equation than simply following one or two rules, though. In this article, we’ll take a detailed look at PCI-DSS, and see where it came from and what it means to be PCI-compliant. We’ll also give you some tips and best practices for PCI compliance.
Recommended reading
- Dispute Apple Pay Transaction: How Does The Process Work?
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Terminal ID Number (TID): What is it? What Does it Do?
- How Do Credit Card Numbers Work? What do the Numbers Mean?
- What is PSD2? How it Impacts Banks, Businesses & Consumers
- P2P Payment Use in eCommerce Jumps 66% in 2024
What is PCI-DSS Compliance?
The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of 12 information security standards. To be compliant, businesses must adhere to these standards when accepting, transmitting, processing, and storing customer credit card data to prevent loss or fraud.
Credit card use skyrocketed in the 1980s and 19990s, leading to concerns about the security and the integrity of cardholder data. The rise of eCommerce has increased that concern, largely because customers’ data is used and stored electronically.
Online consumers like the convenience of having merchants keep card information on file. At the same time, they want to know their data is safe from hackers.
The PCI-DSS (typically shortened to just PCI) protocol was created to improve payment account security throughout the transaction process. Certification is mandatory for any entity wishing to accept credit cards. Compliance is not a legal requirement, but even government agencies are held to the mandates.
The Payment Card Industry Council (www.pcisecuritystandards.org) administers and governs the continued development of PCI standards. The council doesn’t enforce compliance, however; that job is handled by five major payment card brands (American Express, Discover, JCB International, Mastercard, and Visa), often with assistance from acquiring banks.
What are PCI-DSS Compliance Requirements?
There are 12 PCI DSS compliance requirements, broken up into six control objectives:
- Maintaining a secure network
- Protecting account data
- Managing vulnerability
- Controlling data access
- Monitoring and testing networks
- Maintaining an information security policy
The PCI-DSS compliance requirements are extremely detailed, but here’s an abridged version of what organizations must do to stay compliant:
Build and maintain a secure network
1. Install and maintain firewalls to protect cardholder data
Rules for allowing or denying access need to be reviewed at least bi-annually.
2. Change default passwords
Factory-default usernames or passwords for operating programs and devices can’t be used: they’re too easy to guess.
Protect cardholder data
3. Protect stored cardholder data
All cardholder data must be encrypted, truncated, or tokenized; account numbers can only be partially displayed.
4. Encrypt transmission of cardholder data
Across open networks and include account numbers sent over email, instant messaging, text, or chat.
Maintain a vulnerability management program
5. Regularly update anti-virus software or programs
Stay up to date on every device or system used to access the system (including remote systems).
6. Develop and maintain secure systems and applications
Deploy an ongoing process to identify and classify security risks and vulnerabilities.
Implement strong access control measures
7. Restrict physical access to cardholder data
Keep it on a need-to-know basis, allowing users to access only the specific data they need to do their job.
8. Assign a unique ID to each authorized user
Require an appropriately complex password. Remote access must require two-factor authorization.
Regularly monitor and test networks
9. Restrict physical access to cardholder data
Use video cameras and electronic access tracking. Destroy any portable media containing cardholder data.
10. Monitor access to network resources
Create an audit trail using tracking tools and log reviews that can be monitored for suspicious activity.
Maintain an information security policy
11. Regularly test security systems and processes
Include wireless access points, files, exposed external IPs, and other internal vulnerability points.
12. Address information security for all personnel
Annually publish and distribute a security plan and employee awareness training.
If you’re thinking that these requirements are all based on common sense precautions, you’re right. However, everything must pass an audit process performed by a certified Quality Security Assessor (or QSA) to be sure it qualifies for compliance.
PCI DSS 4.0: Changes & Updates
On March 31, 2022, the PCI Council amended the Data Security Standards to address new and trending threats to cardholder data. The update focused on 4 key goals:
- Ensuring the standard meets the current needs of the payments industry
- Promoting the focus on security (rather than compliance) as an ongoing process
- Adding flexibility for other methods of achieving compliance objectives
- Enhancing validation methods
The biggest change brought by PCI DSS 4.0 is the option of using a customized approach (i.e. non-standard solutions that still meet requirements). This will give you more flexibility, but will undoubtedly require additional vetting, review, and analysis of the process used.
Other updates to the requirements are largely changes in wording or clarifications. A downloadable PDF with all PCI DSS 4.0 changes is available from the PCI council.
What are the Levels of PCI Compliance?
PCI-DSS compliance is required for any organization that accepts, transmits, or stores cardholder data. That said, the required level of implementation will vary for different parties.
The four levels of compliance reflect the perceived risk the company presents. Before diving into that, though, here are a few acronyms you need to know:
- SAQ: Self-Assessment Questionnaires
- AoC: Attestations of Compliance
- ASV: Vulnerability scans of Approved Scanning Vendors
- RoC: Reports on Compliance
Now that we’ve clarified that point, though, here is a basic rundown of the four levels of PCI compliance:
Classification Level | Merchant Characteristics | Compliance Requirements |
Level 1 | Companies that process over 6 million credit card transactions per year, or companies that experienced a breach resulting in data loss within the last year | Requires an RoC completed by a certified QSA and quarterly ASV scans |
Level 2 | Companies that process 1 - 6 million credit card transactions per year | Requires an RoC completed by a certified QSA OR an SAQ and AoC depending on the credit card company requirements, plus quarterly ASV scans |
Level 3 | Companies that process 20,000 - 1 million credit card transactions per year | Requires both an SAQ and an AoC |
Level 4 | Companies that process fewer than 20,000 credit card transactions per year | Requires both an SAQ and an AoC if requested |
While the above chart presents a general idea, PCI DSS compliance levels are not standardized across the industry. Each credit card brand has its own specific compliance checklist based on transactions for that particular card brand.
It’s als important to note that PCI compliance is not a “one-time” matter. You must revalidate your PCI compliance each year by submitting documentation matching your compliance level.
PCI-DSS Compliance & Service Providers
Outsourcing tasks to third parties can save time and money, but it can also jeopardize your compliance. Even when you follow all regulations internally, your efforts can be negated by a single non-compliant provider in the chain.
Any group that deals with cardholder data on your behalf must be PCI-DSS compliant, but PCI validation of compliance may not be required. That means providers may only be adhering to certain aspects of the regulations… or possibly none at all. Worse, those providers themselves may work with other parties, meaning your compliance could be dependent on the compliance of a contractor’s contractor.
As with merchants, PCI compliance for service providers is split into different levels. Many service providers are Level 2 compliant, giving them limited authorization to handle sensitive customer data. Level 1 compliance, however, demands much stricter security standards and is far less common.
How Much Does It Cost to Become PCI-DSS Compliant?
The easy answer: it depends.
Compliance costs will vary based on multiple factors. The size and type of the business, the number of processed transactions, and the data storage and transmission methods all influence costs.
The range of costs can be wide. For example, prepping a business for certification involves upgrading networks and station security, implementing antivirus software, training staff, and so on. Total costs can run anywhere from $5,000 to $35,000 or more.
Then there are the costs of acquiring the actual certification. The Self-Assessment Questionnaire mentioned above is a document that walks you through each step of the standard to see if the implementation meets requirements.
Getting an SAQ can cost between $15,000 to $50,000. That’s enough certification for most businesses. But again, it takes more effort to achieve Level 1 PCI DSS compliance. In addition to the basic SAQ, level 1 status necessitates a Report on Compliance (RoC) audit by a Qualified Security Assessor, which can raise the price as high as $200,000. Unfortunately, these aren’t “one and done” expenses; you will need to pay for certification every year.
That’s not the only ongoing compliance cost, either. Security upgrades, training, testing, and more must also happen annually. And, if your processor helps with maintaining compliance, they may send a bill that averages $100,000 annually.
Best Practices for PCI Compliance
If you plan to keep compliance over the long term, you need to stick to best practices. This will make the renewal process easier and potentially less expensive. The PCI council offers 10 suggestions for helping to maintain compliance on an ongoing basis:
- Create a security strategy that includes monitoring, reporting, and auditing compliance measures on an ongoing basis.
- Develop a formalized set of policies and procedures that addresses adherence requirements, supported by clearly defined processes.
- Identify and track KPIs (key performance indicators) to monitor the performance of security controls and compliance programs.
- Assign compliance responsibility to a central figure to ensure that important tasks or deadlines don’t get accidentally overlooked.
- Focus on security and risk management with the idea of achieving compliance as a result of securing data assets and IT infrastructure.
- Continually monitor controls and assess security risks. Regularly test programs or policies that could undermine compliance efforts.
- Identify and respond to failures in your systems, and use that information to anticipate and resolve issues.
- Review, monitor, and document controls to gauge the effectiveness, efficiency, and status of security controls.
- Continuously monitor third-party vendors to ensure they maintain the Payment Card Industry Data Security Standard and have Level 1 security practices in place.
- Constantly evolve security practices to reduce the likelihood of exposing sensitive PCI data. Keep security measures up to date on emerging risks.
Is Chargebacks911® PCI Compliant?
Yes. Chargebacks911 is entirely PCI-DSS Level 1-compliant.
To protect our customers — and their customers as well — our facilities undergo a regular, meticulous audit process designed to ensure consistent compliance with PCI standards. All employees receive training in proper data security behaviors and are required to adhere to security best practices.
Our servers, software, and internal practices are designed to meet or exceed PCI-DSS requirements. With our turnkey solution, merchants never need to worry about PCI-DSS regulations impacting their approach to chargeback mitigation.
Don’t take responsibility for your service provider’s missteps. Chargebacks911 — along with all the services and industry integrations we connect — is your resource for PCI-compliant chargeback mitigation. Contact us to learn more about protecting your business and your customers.
FAQs
What is PCI DSS?
The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of 12 information security standards. To be compliant, businesses must adhere to these standards when accepting, transmitting, processing, and storing customer credit card data to prevent loss or fraud.
What is PCI compliance?
Being PCI compliant means adhering to a set of 12 information security protocols outlined by the Payment Card Industry Data Security Standard (or PCI-DSS).
Who is required to be PCI compliant?
Compliance is mandatory for any organization which collects, handles, transmits, and/or stores personal cardholder data. At the same time, not all are held to the same requirements; different compliance levels may have more or less stringent stipulations.
Is PCI compliance required by law?
There are no federal PCI laws mandating or enforcing PCI compliance. However, there are almost always negative repercussions for companies that do not comply with PCI standards.
What happens if you are not PCI compliant?
A non-compliant business that experiences a data breach may receive large fines, fees, and penalties from the credit card networks, among other costs. They may be liable for any fraud that resulted from the breach. They may suffer the closing of their merchant account and possibly lose their card-acceptance privileges altogether.