In short, PCI DSS, or the Payment Card Industry Data Security Standard, is a set of requirements to help both merchants and service providers protect sensitive customer data, prevent breaches and reduce credit card fraud.
But before we dig deeper, a brief history lesson.
Prior to 2004, the five major card brands each had their own security program in place. Visa International, MasterCard Worldwide, American Express, Discover Financial Services and Japan's JCB all ran separate programs that required their respective merchants and service providers to meet a minimum level of security for card transactions. Although well intended, there was no uniformity among the requirements, and merchants and service providers struggled to stay compliant with several overlapping programs at once. Realizing the burden this imposed on their customers, the card brands banded together to develop one universal standard, the PCI DSS. PCI DSS v1.0 was released in December 2004 and was quickly adopted globally. The standard has continually evolved to address the changing cybersecurity landscape; PCI DSS v4.0 was released in March 2022 and is the most current version at the time of writing.
Unlike the Health Insurance Portability and Accountability Act (HIPAA), which is a federal law, the PCI DSS is an industry standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). If there were ever a case of 'policing your own', this would definitely be it. In 2006, the five card brands joined forces yet again to form the PCI SSC. Its primary objectives are to publish the PCI DSS, maintain the supporting programs (assessors, scanning vendors, SAQs and so on), and ensure the continued evolution of the standard. Note that the PCI SSC itself does not enforce compliance: enforcement comes from the payment brands and is applied through the contracts between merchants and their acquiring banks, something we'll delve into a bit later.
In the opening paragraph, I mentioned that PCI DSS applies to merchants as well as service providers. So, what constitutes a merchant vs a service provider? As defined by the PCI SSC, a merchant is:

"…any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers." (PCI DSS Glossary of Terms, Abbreviations, and Acronyms)
If you're a merchant, you'll probably know it, as you most likely signed a merchant agreement with your acquiring bank or payment processor. But as the definition states, you could be both a merchant and a service provider depending on the services you actually provide.
The description of a service provider isn't quite as black and white. The PCI SSC defines a service provider as:

"…any business entity that is not a payment brand (a payment brand being one of the five card brands named above), directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data." (PCI DSS Glossary of Terms, Abbreviations, and Acronyms)
Anyone that offers these services on behalf of another entity can be considered a service provider. For example, your point of sale (POS) provider or payment processor would be a service provider under this definition.
A cautionary note on the service provider definition. Of distinct interest is its last sentence: a service provider may be a company that "provides services that control or could impact the security of cardholder data." This catch-all tends to be a point of confusion. It can make an organization a service provider, and therefore bound by PCI DSS, without it even knowing. For example, back-office services such as billing and administration, managed IT or hosting providers, and anyone that accepts payment on your behalf may all fall under this clause. Your particular situation may require more analysis to determine how PCI DSS applies to you.
PCI DSS compliance rests on three tenets:

Handling of cardholder data – Businesses must implement the applicable controls (there are well over 300 of them) within the 12 requirements discussed further down in this post.

Protection of that data – Businesses must document exactly how and where cardholder data is stored, processed and transmitted, preferably on dedicated, segmented systems. If cardholder data touches systems that are shared with other business operations, or those systems are not properly segmented from the cardholder data environment, the PCI DSS requirements apply to those other systems as well. Scope follows the data.

Annual PCI validation – The appropriate validation forms (an SAQ or ROC, plus an Attestation of Compliance) must be completed annually to show compliance.
The validation requirements depend on the number of card transactions the merchant handles annually. I want to be clear: it doesn't matter if you conduct one transaction a year or one million, PCI DSS applies to you. Transaction volume only determines how much work is involved in validating compliance. So, let's break down the four PCI compliance levels and what they may actually mean to you and your organization. Side note: the thresholds below are Visa's and vary slightly among the different card brands.
Level 1: Merchants that process over 6 million card transactions annually. Service providers have a different qualifying threshold - processing, transmitting or storing more than 300,000 annual transactions.
Level 2: Merchants that process 1 to 6 million transactions annually. Service providers at this level process, transmit, or store fewer than 300,000 annual transactions.
Level 3: Merchants that process 20,000 to 1 million transactions annually.
Level 4: Merchants that process fewer than 20,000 transactions annually.
The level that applies to you as a merchant determines how you must validate compliance. For example, Level 1 merchants are required to have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and to undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). The ROC and the accompanying Attestation of Compliance are submitted to the merchant's acquiring bank (and, where required, the payment brands), not to the PCI SSC. Upon completion of the annual assessment, this report demonstrates your full compliance for that year.

Level 2 merchants vary slightly. Depending on the card brand, Level 2 merchants must still have the quarterly ASV scans performed, but instead of a QSA-produced ROC they may be eligible to complete a Self-Assessment Questionnaire (SAQ). The SAQ is just what it sounds like: a statement of compliance completed and submitted by the merchant itself. You choose and complete the SAQ applicable to your organization, have it signed off by an officer of the company and send it to your acquirer or the appropriate payment brand, attesting that you are compliant.

Level 3 and 4 merchants are all eligible for a self-completed SAQ, though the quarterly ASV scans are still required for any SAQ type that includes them (those involving Internet-facing systems). As can be seen above, service providers break down into only two distinct levels, Levels 1 and 2.
What do all these levels mean for you? Which SAQ applies to you? The appropriate SAQ depends on how you accept cards and on how and where you handle and store cardholder data (for example, fully outsourced e-commerce, a standalone dial-out terminal, or a POS system on your own network each map to a different SAQ). You, the merchant, are responsible for choosing the correct SAQ. Though the nuances of choosing the correct SAQ are out of the scope of this week's post, we here at Quantum Vigilance are always willing to assist you as you navigate these waters. But I digress.
So, what are the actual physical and logical requirements for the safe handling of cardholder data and the associated transactions? The PCI SSC defines 12 high-level requirements, each broken into detailed sub-requirements, that must be met to comply with the PCI DSS. In essence (using the familiar v3.2.1 wording; v4.0 restates several of them, for instance "install and maintain network security controls" in place of "firewall configuration"), they are:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to cardholder data to a need-to-know basis
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Create & maintain a policy that addresses information security for all personnel
These 12 requirements are just the minimum, and each one has to be assessed and applied properly to your particular environment; a requirement such as "protect cardholder data" expands into specific controls on storage, truncation, encryption and key management once you open the standard.
You may be asking yourself what exactly the repercussions for failing to comply are. As mentioned earlier, PCI DSS is not a law. It is a standard enforced contractually between the merchant and its acquiring bank. But that doesn't mean the fines aren't hefty. Typically, the card brands levy fines of $5,000 to $100,000 per month for non-compliance, depending on the merchant's volume; the fines are assessed against the acquiring bank, which passes them on to the merchant. And once you account for the costs of recovering from an actual breach along with increased audits, legal fees, customer notification mailings and lost business, a security incident can far exceed the initial penalty.
Now that we have a 30,000-foot understanding of PCI DSS, how does it all come together? First, you must determine whether your organization requires a QSA assessment (what is commonly called PCI certification) or whether self-assessed compliance is enough. If you are a Level 1 merchant, the QSA assessment is mandatory. Levels 2, 3 and 4 generally have the option to choose. The QSA route differs from self-assessment in that it is a much more in-depth, longer and costlier audit performed by an outside assessor. Going through it shows the utmost commitment by your organization to meeting the PCI DSS. Think of it this way: self-assessed compliance is your own statement about your current environment, while a QSA assessment is an independent third party validating it. Passing a QSA assessment means you are compliant, but being self-assessed as compliant doesn't mean an assessor has ever looked at your environment. Just something to consider.
Once you have decided which route to take (a route already decided for you if you happen to be Level 1), you must assess and take inventory of your entire environment: determine where all card transactions take place, how any cardholder data is stored and transmitted, which systems are connected to or could affect those that handle it, and who has access to them. From that you can determine the SAQ applicable to your organization and your current level of compliance. This gives you a clear picture of your situation, which you can then use to shore up any shortcomings and close the gap towards overall compliance.
An Attestation of Compliance (AOC) is then completed, showing that you have fulfilled every applicable requirement. This document is signed by an officer, director or executive of the company and submitted to your acquiring bank and, where required, the card brands.
Lastly, the PCI DSS is an ongoing endeavor. You cannot assume that because you were compliant in 2022 you will, by default, be compliant in 2023. You must continually evaluate and monitor your environment and reassess in a year's time.
PCI compliance is an ongoing process to ensure that you and your organization are doing everything you can to protect your customers' payment card information. This has been an information-heavy post, and between all the acronyms (SAQs, AOCs, QSAs, oh my), the levels, and the certification vs compliance nuances, it can be easy to get lost. We would like to close by stating that while compliance standards and regulations are a requirement for doing business, they are not meant to be seen as the pinnacle of cybersecurity for your business. They are the minimum you must do to qualify to do business securely. It is the equivalent of closing your door when you leave home: at a minimum you close the door so you aren't advertising to the world that anyone can walk in. The next level is to lock the door. The next is to install surveillance cameras and a security system, with a sign on the front lawn saying so. I do not trust my home to be minimally secure, and I certainly do not want my business to be minimally secured.
Quantum Vigilance will help you meet your compliance needs while securing your organization above and beyond today’s challenges and into tomorrow.