Schedule a FREE business evaluation today! We offer IT services in DFW area and more!
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS applies to any company, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. There are several requirements that companies must meet to be PCI compliant, including maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, and regularly testing and monitoring networks. Failure to comply with the PCI DSS can result in fines and other penalties from the credit card companies.
The PCI DSS requirements state that “PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.” So if your company accepts card payments, whether online or over the phone, PCI DSS applies to you.
But companies have different PCI requirements depending on how they handle payments, the number of payments they handle or process, and their type of business. To understand which PCI compliance level applies to you and what your obligations are, you should look at the self-assessment questionnaires from the PCI Security Standards Council (PCI SSC) or seek expert advice.
If your company takes credit card payments, your customers need to trust that you will keep their details safe. Achieving PCI compliance shows your customers that you take their data security and privacy seriously, doing all you can to safeguard their payment details and other personal information.
There are 12 requirements that companies need to meet to achieve PCI compliance. You can use this PCI DSS compliance checklist to understand the different requirements specified in the data security standard to help your company protect your customers’ payment card data.
Firewalls control incoming and outgoing traffic to your network. They are often the first line of defense against hacks and attempted data breaches. You'll need to properly configure your firewall and routers to protect cardholder data against unauthorized access.
The default settings for servers and applications don't meet PCI standards. This includes passwords, usernames, and default security settings because these are often well known by hacker communities and may be shared online. You should upgrade your settings for all new and existing devices and hardware instead of using the default settings.
The PCI SSC advises companies to minimize their risk by "not storing cardholder data unless absolutely necessary." If you do store cardholder data on your network, it must be encrypted using proper algorithms and security keys, and you need to know how long it will be stored.
This requirement also specifies how to display cardholder details. You shouldn’t display the full payment card details, but you can show the first six or last four digits.
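As an added illustration (not code from the original page), the following Python shows how a display-masking rule of this kind can be implemented: it keeps at most the first six and last four digits of a card number and replaces the rest, and a second helper applies the same masking to any card-like digit run found in free text such as a receipt line. The sample inputs are constructed test values, not real card numbers.

```python
import re

# A primary account number (PAN) is 13 to 19 digits; separators are tolerated on input.
_PAN_IN_TEXT = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Return a masked PAN showing at most the first six and last four digits.

    Separators (spaces, dashes) are stripped; the masked result is digits and '*' only.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    if show_first > 6 or show_last > 4 or show_first < 0 or show_last < 0:
        raise ValueError("at most the first six and last four digits may be shown")
    if show_first + show_last >= len(digits):
        raise ValueError("masking would reveal the whole PAN")
    hidden = "*" * (len(digits) - show_first - show_last)
    # Slice from the end by explicit index so show_last == 0 yields an empty tail.
    return digits[:show_first] + hidden + digits[len(digits) - show_last:]


def redact_pans_in_text(text: str, show_first: int = 0, show_last: int = 4) -> str:
    """Replace every PAN-like digit run in free text with its masked form.

    Defaults to showing only the last four digits, the safer choice for
    receipts, tickets and log lines that are not the cardholder's own display.
    """
    return _PAN_IN_TEXT.sub(
        lambda m: mask_pan(m.group(0), show_first=show_first, show_last=show_last), text
    )


if __name__ == "__main__":
    # Constructed sample values (test numbers, not real accounts).
    print(mask_pan("4111 1111 1111 1111"))            # 411111******1111
    print(redact_pans_in_text("order 42 paid with 4111-1111-1111-1111 at 10:31"))
```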
Hackers often attempt to intercept or divert data while it's in transit, so you must encrypt sensitive information, such as cardholder data, both during transmission and while it is stored. To comply with this requirement, you need to encrypt cardholder data before transmission to reduce the risk of it being compromised in transit.
There are many ways malware (including viruses) can enter your company network, such as through employee email or web browsing. You should have antivirus software installed across your network, including servers, workstations, laptops, and mobile devices used by anyone in your company.
Your antivirus software should be updated to the latest version, and you should perform regular scans. Malware trends change rapidly, so if your antivirus software is out of date, you may not be protected against the latest malware threats.
Hackers exploit security vulnerabilities to gain access to your systems. You can maintain secure systems and protect your customers’ data by installing vendor-provided security patches. For critical security patches, PCI DSS requires you to install these within one month of release.
Not everyone in your company needs access to customer data; PCI DSS requirements specify that you should only have access to credit card data on a "need-to-know" basis. "Need-to-know" is when you are granted access to the least amount of data needed to perform your job.
You should have documented policies to set out who in your company has access to cardholder data based on job roles, level of seniority, and why they need access to that data.
Every person in your company should have their own username and password to access your systems. This minimizes the risk of other parties gaining access to your systems via a shared user account. It also means that employees are accountable for their own actions. In the event of an internal data breach, malicious activity can be traced back to the specific user whose account has been compromised.
To achieve PCI compliance, you should follow password best practices, using complex passwords containing both letters and numbers and more than seven characters. PCI DSS also specifies using multi-factor authentication when possible.
You should restrict the number of people who have access to servers, workstations, and paper files where you store or transmit cardholder data to minimize the risk of a data breach.
The PCI DSS requirements specify that you should use video cameras and entry controls at physical locations like data centers and file storage. Doing so allows you to monitor and control who has access to these locations.
PCI DSS requires all network systems to be protected and monitored. This is because it's near-impossible to identify the cause of a data breach without accurate, up-to-date activity logs. You should keep network activity logs and review them daily to identify any potential security breaches or suspicious activity. The PCI DSS provides guidance on what types of activity to log and how long to store activity logs for.
PCI DSS specifies regular testing for system components, processes, and software to ensure your security controls and processes are up to date. It specifies particular types of testing that should take place regularly:
The final PCI requirement focuses on creating, implementing, and maintaining a strong security policy for your organization that helps all employees understand the sensitive nature of cardholder data and their responsibility to protect it. Your information security policy should ensure that everyone in the company, whether employees, management, or third parties (contractors or consultants), understands their role in keeping your customer data protected.
Texas Managed Service Provider
1115 E Pioneer Parkway, Suite 143, Arlington, Texas 76010, United States
Copyright © 2024 Texas Managed Service Provider - All Rights Reserved.