The Diligent team

GRC trends and insights

PCI DSS compliance explained

The Payment Card Industry Data Security Standard (PCI DSS) is a framework of requirements to ensure secure payment card transactions. All organizations that process or store cardholder data will need to prove compliance for their bank or card issuer. This includes merchants, shops or businesses which process card payments, and the companies which store, process or transmit cardholder data as a service.

The standard aims to reduce the risk of payment card fraud on a global scale. It sets the baseline IT security processes and practices to make cardholder data secure. Clear requirements outline the steps to achieve both physical and digital data protection within an organization. It’s recognized as the global standard for securing cardholder data.

Organizations will need to prove compliance through an auditing process. The intensity of audit depends on the volume of card transactions the organization processes each year. There are a series of compliance levels to fit the relative complexity of the company or business.

This guide explores the PCI DSS, who needs to be compliant, and outlines the requirements for PCI DSS compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the global standard for ensuring secure payment card transactions. PCI DSS sets requirements for secure operation of payment transaction systems. It also provides requirements for companies that develop the software and devices used in card transactions.

Any merchant or business which processes payment card transactions will need to be compliant with PCI DSS. The standard is not law, but is generally enforced by the card issuers or bank through contractual agreements. Put simply, organizations need to prove compliance with the standard to process card payment transactions.

The standard was created through a combined effort involving the main payment card issuers. They combined their existing cardholder data security programs to make one, global standard in the form of PCI DSS. The first version of the standard was released in 2004.

The card issuers subsequently founded the Payment Card Industry Security Standards Council, which oversees and updates the PCI DSS. The council is made up of founding companies Visa, MasterCard, JCB International, American Express, and Discover Financial Services.

The standard has wide-ranging requirements that help to improve and strengthen an organization's entire IT network. With guidelines around IT security policy, user management, and data storage, it can build on existing IT service standards like the ITIL Framework.

Who needs to be PCI DSS compliant?

It is a requirement for companies or businesses that process, store, or transmit payment card data. Such businesses will be classed as a merchant, a service provider, or a mix of both. Both merchants and service providers need to prove compliance to their banks or card issuers.

A merchant is a store, business, or company that sells products or services and processes card payments. This could be a retailer, e-commerce website, or shop. All sizes of merchant business which accept card payments will need to be PCI DSS compliant to a certain level.

There are four levels of compliance for merchants, relative to the total amount of card transactions processed by the business across a year. The PCI DSS helps merchants use secure payment processes to protect customers from the risk of card fraud. It ensures there are clear policies in place for payment card data security.

A service provider is a company or organization which processes, stores or transfers card details and data as part of their service or product. Examples may include a secure payment software company or provider of physical card machines. PCI DSS helps ensure the technologies underpinning card transactions are developed to be secure.

What are the PCI DSS compliance levels?

Because of the sheer variety and size of businesses that need to achieve PCI DSS compliance, there are different levels of assessment to reach compliance. There are 12 requirements for organizations to achieve PCI DSS compliance, and these will be outlined later in this guide. Organizations will meet these requirements depending on the level of compliance needed.

PCI DSS compliance levels for service providers

There are two levels of PCI DSS compliance for service providers. The level is set through slightly different criteria depending on the card issuer. But the amount of transactions processed by the service provider each year is a straightforward indication of their required compliance level.

• Service provider Level 1 PCI DSS compliance is for services which process or store more than 300,000 card payments each year.
• Service provider Level 2 PCI DSS compliance is for services which process or store less than 300,000 card payments each year.

Organizations will be audited on-site by an accredited Qualified Security Assessor to achieve Level 1 compliance. Level 2 compliance requires organizations to complete an internal audit and submit a self-assessment form.

Merchant PCI DSS compliance levels

There are four possible levels of PCI DSS compliance for merchants. The level is set by the number of payment card transactions the business works through annually.

• Merchant Level 1 PCI DSS compliance is for merchants processing more than six million card payments every year.
• Merchant Level 2 PCI DSS compliance is for merchants processing between one and six million card payments every year.
• Merchant Level 3 PCI DSS compliance is for merchants processing between 20,000 and one million card payments every year.
• Merchant Level 4 PCI DSS compliance is for merchants processing less than 20,000 card payments every year.

To achieve PCI DSS compliance, all organizations must be assessed in some way. Once assessed, merchants will need to submit an ‘attestation of compliance’ form as proof.

Organizations that need to achieve level 1 compliance will need to be assessed through an external audit. The audit will be completed by an accredited Qualified Security Assessor on-site. The assessor will evaluate whether PCI DSS’s requirements are being achieved, then submits a report on compliance.

Organizations that need to achieve level 2 to 4 compliance can perform a self-assessment instead of the external audit. This is through a self-assessment questionnaire.

What is PCI self-assessment?

Merchants that need to achieve a compliance level of 2, 3, or 4 can complete a self-assessment questionnaire. The same applies to service providers that need to achieve compliance level 2.

The type of self-assessment questionnaire is relative to the way the organization processes card payments. The organization will choose the questionnaire that fits their cardholder systems, processes, and settings.

For example, there are numerous self-assessment questionnaires for both face-to-face and e-commerce retailers. It is also dependent on the different methods of accessing payment terminals and processors.

Each self-assessment questionnaire reflects different business settings. Organizations can review eligibility criteria to understand which questionnaire to complete. This way, the assessment is tailored to the merchant’s or service provider’s unique situation.

The self-assessment questionnaire is a form which is filled in and submitted to prove compliance. Usually, merchants will submit the completed self-assessment questionnaire to the bank that holds their merchant account.

The types of self-assessment questionnaires are:

Self-assessment questionnaire A

For e-commerce or telephone-order merchants that have outsourced cardholder data collection, storage and processing to a third-party provider. It’s only applicable if there is no processing or transmission of cardholder data of any kind on the merchant’s system. This isn’t for face-to-face merchants, only card-not-present businesses. The third-party provider needs to be PCI DSS compliant.

Self-assessment questionnaire A-EP

This option is for e-commerce merchants only. Similar to self-assessment questionnaire A, the merchant will have outsourced card payment processing to a third-party provider. However, in this case the merchant’s website will affect the security of the payment in some way. Again, the third-party provider will need to be PCI DSS compliant.

Self-assessment questionnaire B

For merchants with no electronic storage for card payment data, who instead use imprint machines or dial-out terminals. Card data machines will have no internet connection, so this isn’t applicable to e-commerce retailers. Merchants in this case will usually only retain paper receipts which may contain cardholder data.

Self-assessment questionnaire B-IP

This option is for merchants using standalone payment terminals which are connected to payment processors via IP connection. Merchants will not store cardholder data electronically. This option isn't for e-commerce retailers.

Self-assessment questionnaire C-VT

For merchants using a virtual terminal within a web browser, which stores no cardholder data. The virtual terminal or virtual payment application must be developed by a PCI DSS compliant provider. In this case, merchants will have to input the cardholder details into the virtual terminal, which can’t take any data directly from the card. E-commerce merchants aren’t eligible.

Self-assessment questionnaire C

This is for merchants and retailers with a payment system connected to the internet, but with no digital data storage. Cardholder data is processed by a system connected to the internet. E-commerce merchants aren’t eligible.

Self-assessment questionnaire P2PE

This option is for merchants using payment terminals with point-to-point encryption. The system must be approved by the Payment Card Industry Data Security Council. Because of this approved status, the self-assessment questionnaire is more straightforward than other options. Merchants in this case are usually taking payments face-to-face with customers. E-commerce merchants are not eligible.

Self-assessment questionnaire D

This option is for merchants and retailers that are not eligible for all other self-assessment questionnaires. It is also used by service providers, businesses providing a card payment related service to other companies.

What are the benefits of PCI DSS compliance?

By strengthening and protecting card payment transactions and storage, organizations can mitigate the risk of cardholder data getting into the wrong hands. Cardholder fraud is an issue that impacts businesses and consumers from across the world. Data breaches are an integral consideration for any business’s risk management strategy.

The PCI DSS sets the global baseline for best practice card data processes and procedures. Organizations can avoid costly data breaches which have the potential to damage reputation and incur financial penalties from regulators.

PCI DSS is designed to fit the size and unique circumstances of merchants and service providers. This means it’s straightforward to implement in an organization.

The benefits of PCI DSS includes:

• Ensure best practice card payment processes to protect customer data.
• Mitigate data breaches and lower the risk of card fraud.
• Embed information security standards which are recognized across the world.
• The standard is tailored to all sizes and styles of merchant business.
• Maintain contractual agreements with banks which require compliance.
• Avoid massive regulatory fines caused by data breaches, staying in compliance with regulations like the EU’s General Data Protection Regulation (GDPR).

The 12 PCI DSS requirements explained

The Payment Card Industry Data Security Standard has 12 requirements for organizations to achieve compliance. The 12 requirements are split into six different ‘control objectives’ or aims. These are the areas organizations should focus resources into improving, to secure cardholder data processes.

The six control objectives cover different aspects of the cardholder data environment. This might mean strengthening the network, setting IT security policy, or fixing vulnerabilities. These steps not only improve cardholder data security, but also drive wider improvements in cybersecurity defense and IT risk management.

In practice, organizations will be assessed against different recommendations depending on their setting or compliance level. But an overview of the objectives and requirements is important in understanding what the PCI DSS is designed to achieve.

Here are the 12 requirements of PCI DSS, broken down into the six overall control objectives of the standard.

Objective: Maintain a secure network

This objective focuses on strengthening the organization’s network which processes or stores cardholder data. The standard helps to avoid exploits in an organization’s system, with steps to limit unauthorized external access. The objective is met through organizations complying with the first two PCI DSS requirements:

1. Maintain proper firewall configuration to protect the system and network

Firewalls are vital to protect cardholder data on internal systems and networks. By setting up and maintaining a firewall, organizations can avoid unauthorized external access to sensitive data. A firewall is an important factor in maintaining the security of the whole network.

1. Configure systems to avoid default passwords and settings

System configuration is a major element of any IT governance policy. Factory default settings and passwords supplied by the vendor are well-known avenues for exploitation. Configuring settings and new passwords limits the risk of cardholder data breaches.

Objective: Protect cardholder data

This is a clear objective for any organization which processes cardholder data. The aim is to encrypt the movement of any data, and minimize the amount of cardholder data which is stored by the organization.

To achieve this objective, organizations must comply with two requirements:

1. Protect stored cardholder data

To protect cardholder data, a clear policy should be in place on the retention, disposal, and secure storage of data. Overall, the cardholder data that’s retained and stored should be kept to the absolute minimum. Any cardholder data that is stored will need to be encrypted, to mitigate the damage from data breaches.

1. Encrypt transmission of cardholder data across open networks

Cardholder data needs to be encrypted when sent or received over a public or open network such Bluetooth or the internet. In most cases, data will be sent to the payment gateway during the transaction process. Proper encryption of this cardholder data can help to protect from data breaches and unauthorized access during transmission.

Objective: Maintain a vulnerability management program

Vulnerabilities in the cardholder data environment will need to be proactively managed and resolved to ensure best practice cybersecurity. This should be achieved through strong IT governance policies and management. By strengthening vulnerabilities, the organization helps to lower the risk of data breaches and unauthorized access to cardholder data.

To achieve this goal, organizations must prove compliance with two PCI DSS requirements:

1. Use regularly updated anti-virus software

Up-to-date anti-virus software or programs are a key defense against malware and cyber threats. Networks and systems should have antivirus software to limit the risk of cybersecurity incidents and data breaches. Software should be kept up-to-date to protect against evolving risks and viruses.

1. Develop and maintain secure systems and software

Software is regularly patched and updated by the vendor to fix vulnerabilities or security issues. Keeping software and systems up-to-date should be a key part of any IT governance strategy.

All systems within the network should be patched and updated to limit the risk of exploitation. This requirement also focuses on the security of any applications or software which has been developed by the organization.

Objective: Implement strong access-control measures

Managing user privileges is an important element of a secure IT network. By restricting and managing access to cardholder data, an organization can lower the risk of data breaches. This goal limits the access of sensitive data to authorized members in the organization.

Organizations need a clear understanding of which individuals have access to the network, in both a physical and digital sense. Managing access makes it easier to trace the source of a cybersecurity incident.

This objective is achieved through compliance with three PCI DSS requirements:

1. Restrict access to cardholder data on a need-to-know basis

IT governance policies should deny access to critical systems and sensitive data by default. Restricting access protects cardholder data from being reached. Unauthorized access to user accounts is a common cybersecurity issue, often resulting from phishing scams. Restricting data access on a need-to-know basis helps keep data secure.

1. Assign a unique ID to each computer user in the network

Identifying users within an organization’s network is integral to any access-control measures. Unique identification of users allows account privileges and access to be securely authorized.

In the case of any data breaches or cybersecurity incidents, unique IDs help track the issue to its source. This saves valuable time in securing cardholder data during an incident, and helps the organization piece together the chain of events.

The requirement also outlines the authentication of users through passwords or two-factor authentication. This is important for any IT Governance strategy, strengthening the security of the whole organization.

1. Restrict physical access to cardholder data

Cardholder data is as much at risk from physical data breaches as from cybersecurity incidents. Physical access to cardholder data should be managed to avoid on-site data breaches. This means management of visitors to areas which hold or transfer data such as an organization’s server.

Physical card payment devices should be secured and monitored to avoid tampering. Substituted or modified devices are a common factor in card fraud, so physical systems should be kept secure.

Objective: Regularly monitor and test networks

The cardholder data network should be regularly tested and monitored to expose suspicious activity or potential breaches. By logging user activity within the network, cybersecurity incidents can be reviewed and traced to the source.

Consistent monitoring of the system helps to proactively highlight irregular activity or access of cardholder data. The system should also be tested to identify any vulnerabilities.

This objective is achieved through compliance with two PCI DSS requirements:

1. Actively track and monitor access to cardholder data and network resources

Monitoring and logging access to network resources and cardholder data systems is an important part of reacting to data breaches. User interactions should be logged with all parts of the cardholder data system, creating a digital trail for internal audits.

The requirement highlights the need for at least three months of these logs to be available for review. A process for regular analysis of these access logs should be set. This will help identify any potential breaches or irregular activity.

1. Regularly test security processes and systems

Systems, networks and software should be regularly tested to highlight any potential vulnerabilities which could be exploited. This includes the detection and monitoring of wireless access points and scanning of both internal and external networks.

By regularly testing systems and networks, organizations can find and fix vulnerabilities in the network. Closing these vulnerabilities can stop them being exploited by external cyber threats.

Objective: Maintain an information security policy

The final goal of the PCI DSS is to ensure organizations have an information security policy in place. The policy is an integral part of any cybersecurity risk management strategy, and outlines responsibilities across the organization.

A cybersecurity incident response plan is a key part of this policy. It helps organizations proactively respond to serious incidents or data breaches.

This goal is achieved through compliance with the last PCI DSS requirement:

1. Maintain an information security policy for all employees or contractors

An information security policy is an important way to maintain and develop processes for good data practice. The policy should be accessible and used by all employees. It is a key way to highlight responsibility for cardholder data security. In fact, a security awareness program for employees is an integral part of the requirement.

Part of the requirement deals with a formal assessment of risk to cardholder data. This process helps to identify vulnerabilities and critical parts of the IT system. A heightened awareness of risk in turn helps to regularly review and improve the security policy for best effect.

Achieving PCI DSS compliance

Tracking and maintaining PCI DSS compliance within an organization may seem complex. Diligent Compliance software will help.

Keep track of internal audits, perform compliance monitoring, and securely store your IT security policy all in one place.

Streamline PCI DSS compliance. Book a demo with Diligent today.