Why PCI Compliance is Critical for Businesses

The Payment Card Industry Data Security Standard (PCI DSS) plays a crucial role in protecting cardholder data for businesses that accept credit card payments. This set of security guidelines is mandated by major credit card associations such as Visa, Mastercard, American Express, and Discover. Adhering to these guidelines is essential for businesses to ensure the safe handling of credit card data, helping to minimize the risk of fraud and security breaches.

As a business owner or professional, it’s essential to understand the importance of PCI compliance and its requirements. In this post, we’ll summarize the requirements for each merchant level based on the number of transactions processed annually and the twelve overarching PCI requirements. We can’t emphasize enough the importance of complying with these standards, as incompliance may result in significant consequences, such as fines, loss of business, and ongoing audits to demonstrate compliance.

Determining which PCI requirements you must comply with and actually implementing the standards can be an arduous process. What’s more, PCI Compliance isn’t a one-and-done event. Audits must be regularly completed to maintain compliance. Exact Payments has partnered with SecurityMetrics to offer a simplified PCI compliance process for our clients. Be sure to check out the additional resources below for more on how and why to maintain your PCI compliance. 

What is a Merchant? 

For the sake of clarity, a merchant, as defined by PCI, encompasses any entity that receives payment cards featuring the logos of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as a means of payment. It’s important to recognize that a merchant accepting payment cards for goods and/or services could also function as a service provider if the services offered involve the storage, processing, or transmission of cardholder data for other merchants or service providers. For instance, an Internet Service Provider (ISP) acts as both a merchant, accepting payment cards for monthly billing, and a service provider by hosting merchants as clients.

Merchant Levels 

PCI requirements are determined by your merchant level, which is based on the number of transactions processed annually. This section provides you with an overview of the varying merchant levels and lists the key PCI requirements for each level. 

Level 1 Merchant 

Merchants processing more than 6,000,000 transactions annually must meet the following PCI requirements: 

• Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) 
• Quarterly network scan by Approved Scanning Vendor (ASV) 
• Penetration Test 
• Internal Scan 
• Attestation of Compliance Form 

Level 2 Merchant

Merchants processing 1,000,000 – 6,000,000 transactions annually must follow these key requirements: 

• Annual Self-Assessment Questionnaire (SAQ) if the organization has a certified Internal Security Assessor (ISA) on staff or Onsite Assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) 
• Quarterly network scan by ASV 
• Attestation of Compliance Form 
• Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)

Level 3 and Level 4 Merchants

Level 3 merchants are e-commerce merchants that process 20,000 to 1,000,000 transactions annually. Level 4 merchants include small eCommerce businesses and those that process less than 20,000 transactions annually. These are typically smaller businesses that may only have a few point-of-sale terminals or those that don’t handle a high volume of card data. These two levels of merchants must meet these requirements: 

• Annual SAQ 
• Quarterly network scan by ASV 
• Attestation of Compliance Form 
• Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)

The 12 PCI DSS Requirements

This list is a high-level summary of each PCI requirement. PCI requirements are a comprehensive set of standards with additional protocols you will need to investigate and address. You can find more detailed information on the PCI website.

1. Install and maintain a firewall configuration to protect cardholder data

In today’s digital landscape, having a physical card is no longer a necessity for cybercriminals to steal sensitive customer information. That’s where the significance of robust firewall measures comes into play.

Firewalls act as a virtual barrier between your trusted business network and untrusted networks like the internet, constantly monitoring and regulating the flow of traffic based on predefined security rules. It’s crucial to equip every device accessing your organization’s network — including employee computers and mobile devices — with firewall software.

To maintain optimal security, organizations should establish firewall and router standards, allowing for efficient testing of equipment whenever hardware or software changes arise. It’s also a good practice to review configuration rules biannually, limiting untrusted traffic only to essential communication protocols required for processing cardholder data. This approach helps create a secure environment, safeguarding both businesses and customers from potential cyber threats.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Network hardware and software, like routers and firewalls, often come with pre-set credentials, making it easy for cybercriminals to breach your network’s security. To prevent unauthorized access, always update default usernames and passwords for your hardware and software. Employ strong, unique passwords, combining upper and lowercase letters, numbers, and special characters. Regular updates to passwords are highly recommended.

3. Protect stored cardholder data.

Cardholder data, such as the primary account number, cardholder name, and expiration date, is different from sensitive authentication data like CVV, track data, PIN/PIN Block, and EMV chip data. When adhering to PCI standards, it is crucial to limit the storage of cardholder data to what’s required by law, regulatory standards, or business needs.

Organizations must store the bare minimum, track retention time and location, and conduct quarterly purges. Encryption and tokenization, the process of replacing sensitive data with a non-sensitive token, should be employed to ensure data security.

4. Encrypt transmission of cardholder data across open, public networks

Even when cardholder data isn’t stored, security threats exist during the data transmission process. To safeguard sensitive data, PCI DSS mandates encrypting it using industry-standard protocols prior to transmitting over open, public networks, such as the Internet, Wi-Fi, Bluetooth, and mobile networks. Employing encryption technology is crucial, as it renders intercepted data unreadable, thereby ensuring the safety and privacy of cardholder information.

5. Use and regularly update antivirus software or programs

A crucial aspect of PCI DSS is actively monitoring your entire network for vulnerabilities using robust anti-malware and antivirus software, covering all devices — including laptops, servers, mobile devices, workstations, and any other equipment employees use to access your network, both locally and remotely.

Maintaining a secure network demands anti-virus mechanisms that consistently remain active, use up-to-date signatures, and generate auditable logs. Let’s break down these elements:

• Always active: Your anti-virus software must be continuously scanning for potential threats, as cybercriminals employ new tactics and vulnerabilities emerge regularly.
• Latest signatures: Keeping your anti-virus signatures updated is crucial to detecting and blocking the most recent malware strains in real-time.
• Auditable logs: Generating and maintaining detailed logs are vital, not only for compliance purposes but also for post-incident investigations and audits.

6. Develop and maintain secure systems and applications

To ensure the safety of transactions, it’s essential to identify and prioritize potential vulnerabilities in the system. This process involves implementing software patches to eliminate identified risks.

Typically, vendors provide these security patches to quickly repair specific programming code issues. It’s of utmost importance to keep all critical systems up-to-date with the latest software patches in order to prevent exploitation. Additionally, less-critical systems should also be patched as soon as possible, following a risk-based vulnerability management program.

For independent software providers (ISVs), it’s crucial to keep clients informed about security patches and any necessary deployments. Any code created or developed by an ISV must comply with PCI DSS standards. Furthermore, all new and updated code should not only be tested for known vulnerabilities but also assessed for potential unknown weaknesses. 

In the card data environment, patching should be applied to all systems, such as:

• Operating systems
• Firewalls, Routers, Switches
• Application software
• Databases
• POS terminals

7. Restrict access to cardholder data by business need-to-know

The “need-to-know” principle limits users’ access rights to the bare minimum data and privileges necessary for them to perform their job responsibilities effectively. Implementing role-based access and situational-based access control is the cornerstone of the “need to know” requirement. Simply put, it authorizes or denies access to card data based on a user’s role and the specific circumstances or reasons for requesting the data. While unauthorized users, such as criminals, are evidently denied access, some authorized users may also face access denial if the situation does not warrant the need for card data.

Keeping a documented list of all users requiring access to the card data environment, along with their corresponding roles, is crucial for merchants and service providers. This list should include the users’ role definitions, current and expected privilege levels, as well as the data resources needed to carry out their tasks on card data.

8. Assign a unique ID to each person with computer access

A fundamental principle of PCI standards is ensuring strong and unique user credentials.  Opting for easily guessable, shared usernames and passwords puts your business at risk. To eliminate such risks, insist on individual user IDs for everyone with access to cardholder data. This unique identification method enables businesses to trace any action back to the specific individual responsible.

Moreover, pairing unique IDs with robust passwords further reinforces authentication security. Best practices go a step further, demanding multi-factor authentication or the use of at least two methods: biometrics, passwords, or a token device. When it comes to remote network access, this authentication becomes even more crucial.

Lastly, safeguard against unauthorized leaks by rendering passwords and passphrases unreadable during transmission and storage using state-of-the-art cryptography techniques.

9. Restrict physical access to cardholder data

It’s vital to ensure that only authorized individuals — including full-time or part-time employees, contractors, consultants, vendors, and guests — gain access to server rooms or other spaces where cardholder data can be accessed. This means they must be explicitly authorized, whether their access is regular or strictly temporary. To achieve this, consider implementing access control methods such as keys, badges, biometrics, or other systems to effectively restrict unauthorized individuals from entering these secure areas.

Besides restricting access, monitoring and logging the entry and exit of individuals is essential. Dedicated security personnel should vigilantly enforce these security rules, and additional systems should be in place to quickly identify unauthorized individuals.

Don’t forget the secure storage of media as well. Video footage, access logs, and other sensitive data must be safely stored offsite and only on an as-needed basis. Make sure to destroy any media that is no longer required for business or legal purposes.

10. Track and monitor all access to network resources and cardholder data

By implementing regular monitoring and testing of their networks, businesses can swiftly identify and remediate potential vulnerabilities. One of the critical measures for achieving this is real-time monitoring and logging of all user activities, which enables organizations to track and analyze system activity. This comprehensive approach helps them stay alert to suspicious activities and thoroughly investigate security breaches.

Another crucial component of PCI DSS compliance is establishing audit trails that connect specific users to their network activity. By synchronizing time-stamped data, businesses can accurately pinpoint the cause of a compromise, thereby safeguarding customers and their sensitive information. The PCI DSS also mandates the maintenance of robust audit trail records that meet certain standards, including securing and storing the audit data for no less than one year.

11. Regularly test security systems and processes

Testing security controls is particularly necessary when environmental changes occur, such as deploying new software or code or modifying system configurations. The responsibility of businesses also extends to quarterly identification and documentation of all authorized and unauthorized wireless access points.

To optimize system security, organizations must perform internal and external network vulnerability scans at least quarterly or following any substantial change to the network. Ongoing requirements include penetration testing and the utilization of intrusion detection and prevention systems to ensure that systems remain resilient against evolving threats.

Another essential practice for securing your business data and system integrity is monitoring changes to files using a change detection solution. This tool alerts personnel to unauthorized modifications, including changes, additions, and deletions of critical system files, configuration files, or content files. It’s vital to compare critical files at least weekly and have a response plan in place for addressing any detected file changes.

12. Maintain a policy that addresses information security

A robust security policy not only sets the tone for a company’s entire security framework, but also informs employees of their crucial roles in safeguarding sensitive data. Ensuring that all staff members are aware of the importance of cardholder data protection is a cornerstone of compliance with Payment Card Industry (PCI) standards. However, we cannot emphasize enough that an effective security policy doesn’t stop there. It includes regular updates, formal risk assessments, and a designated person or team to manage its implementation.

Remember, securing your organization’s data and maintaining PCI compliance is a continuous process that includes regularly updating and fine-tuning your cybersecurity measures. By staying vigilant and proactive, you ensure that your sensitive data remains protected, which ultimately leads to a safer business environment for both your organization and customers.

Additional Resources From SecurityMetrics

• How Exact Payments Helps You With PCI Compliance
• Top 5 PCI Blog Posts for SMBs
• PCI DSS Compliance FAQ: What is PCI Compliance?
• SecurityMetrics PCI Support FAQ
• PCI FAQs Video for SMBs
• PCI Basics for Merchants