How often do you shop online? How many times a day do you make purchases with your credit or debit card?

In this day and age, we rarely use cash to pay for anything.

We pay for our morning coffee, our monthly rent, and our bills with our credit cards.

So, how do we know our credit card data is being stored correctly and safely?

In 2004, we decided that we needed a set of rules and protocols for handling sensitive credit card information to ensure that it was being handled safely and efficiently.

And now, we have the term “PCI compliance.”

In this guide, we will cover the essentials of PCI compliance, including what it means, how it should be used, and what happens if a company doesn’t adhere to these regulations.

What is PCI Compliance?


Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of rules and protocols that organizations handling credit card transactions must follow to ensure the security of those transactions in the card payments industry. It is a set of guidelines that dictates how credit card information and cardholder data are stored, transmitted, and encrypted.

Payment card industry compliance must be followed by all businesses that accept credit card payments. PCI compliance is mandated by court precedent, so there are penalties for companies that do not follow the strict guidelines.

Who is in Charge of Regulating PCI Compliance?

The merchant level of your business will depend on the number of credit card transactions you complete each year.

The merchant levels range from under 20,000 transactions per year to over 6 million transactions per year. Each merchant level has different requirements for PCI regulatory standards.

        • Level 1 – This level is defined as any company that processes more than 6 million Visa, Mastercard or Discover transactions or 2.5 million American Express transactions per year. These companies are required to submit an Annual Report on Compliance (ROC) and conduct a quarterly network scan by an Approved Scan Vendor (ASV).
        • Level 2 – Merchants processing anywhere from 1 to 6 million Visa, Mastercard, or Discover transactions or 50,000 to 2.5 million American Express transactions per year. These merchants must conduct an Annual Self-Assessment Questionnaire (SAQ), conduct a quarterly network scan by an ASV, and complete an attestation of compliance form.
        • Level 3 – This level is defined as any merchant that processes between 20,000 and 1 million e-commerce transactions each year. They must provide an SAQ, a network scan by an ASV, and a compliance form.
        • Level 4 – This level is the lowest and reserved for companies that process fewer than 20,000 e-commerce transactions per year. Each business must comply with the requirements of its acquiring bank and submit an SAQ.

What Are the Benefits of PCI Compliance?

Since we use our credit cards so much, it is important that businesses are PCI compliant to protect our financial information. The major benefit for consumers is that we have peace of mind that our credit card data is secure when we make a purchase.

The benefit of PCI compliance for companies is they are less likely to have a data breach. Data breaches could result in the loss of millions of dollars for large merchants. It could also result in lawsuits and loss of customers. PCI compliant companies avoid fines and penalties from the FTC, acquiring banks, and governmental agencies in other countries.

Companies that follow PCI compliance protocols are trusted by consumers; therefore, it helps build brand reputation. More consumers will work with merchants who protect their data versus companies who experience a data breach.

6 Objectives of PCI Compliance

The 6 objectives of PCI compliance are the end goals for its requirements, which we will discuss later in this guide. An overarching objective can help companies understand how PCI compliance is essential to their business operations.

Establish and Maintain a Secure Network

Not long ago, a criminal would have had to physically enter a building to steal cardholder data or other sensitive data.

Now, since cardholder information is transmitted across networks, a cybercriminal can hack into the network and have access to cardholder data. It is important that companies processing card data have secure networks without security flaws.

Protect Cardholder Data

This might go without saying, but the main goal of the PCI standards is ultimately to protect cardholder data in every transaction a cardholder makes. This includes the storage of card data online, the transmission of cardholder data with each transaction, and the encryption of that transaction over secure networks.

Every time you buy something online or pay for your morning coffee, you should feel confident that your card data will not be exposed to a cyberattack.

Create Vulnerability Management Protocols

Information security personnel should be aware of how to test and secure all applications that a company uses to process card payments.

It is important to only use programs from reputable software vendors that conduct their own testing before the software is deployed.

Control Access to Data

As few people as possible should have access to cardholder data, including within a secure company. Information security employees should be responsible for restricting this access and maintaining data integrity.

Monitor and Test Networks and Security Measures

This objective was designed to preempt an attack to extract cardholder data from a network. It is crucial that every security measure in place is tested regularly by different employees.

Since attackers often change their approach to accommodate for changing security protocols, it is critical that a secure network is updated accordingly.

Train Personnel

We recommend training every employee on security protocols quarterly to keep them up to speed with changing technology.

Even employees that are not directly involved in the information security or IT department should be aware of how their actions can affect security.

12 Requirements of PCI DSS Compliance

These 12 requirements are the driving force for the 6 objectives of PCI compliance. Each requirement was designed to help companies that process credit cards maintain PCI DSS security policy and ensure that the user’s payment card data is stored and transmitted safely.

Firewall

A firewall is a device that controls all connections, both internal and external, on a company’s network. Firewalls are used in conjunction with routers to ensure that only the desired connections with desired permissions are accessing the network.

PCI DSS standards require a firewall configuration that protects cardholder information. The configuration should be documented so that it can be tested whenever a change occurs. A router configuration should identify every connection to cardholder information, including wireless connections.

PCI compliance stipulates that a firewall should deny every connection from an untrusted network. It should also contain a rule set to deny public access connections unless it directly pertains to the cardholder data. Information security employees should install firewall software on every computer that employees use to access the company network.

Passwords

Every secure system starts with a strong password. This PCI DSS requirement mandates that vendor-supplied default system passwords be changed to strong, unique passwords to prevent a breach. It also requires all other default settings on the firewall to be changed from their factory state.

All web-based or browser-based consoles should be encrypted, especially if they can be used for administrative access.

Protect All Stored Cardholder Data

In general, cardholder data should never be stored on the system unless it is critical to business operations. If the data must be stored, it should be stored in a limited capacity and for a limited time. You should also ensure that sensitive authentication data is not retained after the transaction has been authorized.

The primary account number (PAN) should never be stored. If it is necessary to store PAN information, then it must be encrypted at rest and masked wherever it is displayed. The PAN must never be fully visible: you may show at most the first 6 digits and the last 4 digits. You must never display full magnetic stripe data.

Encrypt Cardholder Data Across Public Networks

When data is being transmitted over public networks, you must encrypt it using SSL/TLS or IPsec cryptography.

Open, public networks include some wireless technologies and GSM, the most widely used mobile phone network. Your network must never send card information using end-user messaging technologies such as email or instant messaging.

Anti-Virus Software and Programs

It is critical to maintain and update every security program you have installed on your network and networked computers. Many data breaches are initiated by employee web browsing practices or emails. You should have an email security program installed to check every email that comes through the system to ensure it is not a phishing email.

Every employee computer should have up-to-date virus protection software. It should run a scan every day when the user is out of the office to ensure every system is free of malware.

Every scan should provide the information security team with a log they can review. PCI compliant organizations check these logs frequently to anticipate future attacks.

Secure Systems and Applications

Cyberattacks often follow the disclosure of a new vulnerability. You must maintain the latest versions of every program installed on your computer network. Many small updates are critical security patches that can help protect your business from future attacks.

If a critical security update is released, it should be deployed within a month of release at the latest.

Restrict Access to Data

It is important that employees maintain an access control program that restricts access to sensitive data. Implement strong access control measures that can be adjusted when roles change. Only personnel who need access to sensitive data to perform their job functions should have access to the information. Cardholder data should not be visible to all personnel, but rather granted on a business need-to-know basis.

To restrict access to cardholder information, the information security manager should create a protocol that will deny all privileges to employees unless otherwise stated.

Unique IDs

To protect cardholder data, every user within a company should have a unique ID for access to network resources and cardholder data. Every unique ID should have a strong password that only the user knows. A unique ID will ensure that every time an employee accesses sensitive information, it can be tracked and logged.

Restrict Physical Access to Cardholder Data

This requirement ensures that someone cannot break into a facility and tamper with the equipment or data center. It requires the use of video cameras at entry and exit points of the building. It also requires the use of access cards at the main entrance of the building. Every time an employee uses their access card, a system logs the date and time they entered and exited the building.

Track All Access to Data

Strong access control measures require every event to be logged and connected to a specific employee, especially if it involves administrative access. If you have implemented all of the other access control measures that we mentioned, then logging events connected with cardholder data will be much easier.
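The masking rule above (show at most the first 6 and last 4 digits of a PAN) and the logging requirements in this section meet in practice when application logs accidentally capture full card numbers. The following added example, not code from the original guide, scans constructed sample log lines for Luhn-valid card numbers and rewrites them in masked form; the log format and the test PANs are assumptions.

```python
import re

# Constructed sample log lines. The card numbers are well-known test PANs
# that pass the Luhn check; they are not real cards.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  order=1001 user=alice pan=4111111111111111 status=ok",
    "2024-03-01T10:15:09Z WARN  order=1002 user=bob card 5500 0000 0000 0004 declined",
    "2024-03-01T10:15:11Z INFO  order=1003 user=carol ref=1234567890123 status=ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits, the maximum PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Replace every Luhn-valid PAN in a log line with its masked form.
    Returns (redacted_line, number_of_pans_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order reference, not a card number
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), found


def redact_log(lines):
    """Redact a whole log; returns (redacted_lines, total_pans_found) for alerting."""
    redacted, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        total += n
    return redacted, total


if __name__ == "__main__":
    lines, count = redact_log(SAMPLE_LOG)
    print(f"{count} PAN(s) found and masked")
    print("\n".join(lines))
```

A non-zero count from redact_log is itself a finding worth logging: it means an application wrote unmasked cardholder data to a log file, which is the kind of storage the "Protect All Stored Cardholder Data" requirement forbids.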

Test Systems and Storage

One of the most important PCI DSS requirements is the ability to maintain systems and processes that can be tested as often as needed. The payment card industry data security protocols change often with updated security standards. Your network should be able to adapt to changing industry standards. You should be able to conduct penetration testing to find flaws within your system and correct them before they are exploited.

Maintain Information Security Protocols

You should develop an information security policy and publish, maintain, and disseminate the information to every employee. The information security policy should explain to users how to operate network systems in accordance with the Payment Card Industry Data Security Standard procedures. It should cover all PCI compliant operations and explain the risks and vulnerabilities.

We recommend conducting training every quarter to inform employees of new changes and updates that pertain to PCI compliance. In this training, you should help employees understand the common ways that data breaches happen, including phishing emails and web browsing mistakes, and how to avoid them.

Who Has to Follow PCI DSS Standards?

Every company that accepts credit card payments must follow PCI DSS compliance standards. This applies to every company that processes, stores, or transmits credit card data and cardholder data over a network.

It should be noted that even if you process only a few credit card payments per year, you are still responsible for maintaining PCI compliant security systems and processes.

What Are the Merchant Levels of PCI Compliance?


The most prominent reason for such standards is to fight the ever-growing issues of credit card fraud. Massive amounts of credit card data stolen from companies are now a regular occurrence and need a solution.

In 2015, card data from 5 million Saks and Lord & Taylor’s customers was stolen. Stories emerge every week from all around the world, with similar cases of card theft. IT companies in New York have been a prominent target for card data theft over the last decade.

The PCI SSC was formed in 2006 to help manage the standards set out by the PCI DSS and ensure companies stay compliant to protect both the company and its customers. At its most basic, PCI compliance ensures payment account security throughout every transaction a company processes.

The PCI DSS is overseen and managed by the PCI SSC to ensure all standards are adhered to. The PCI SSC was created by the major card brands, including Visa, MasterCard, and American Express.
PCI compliance is required by any company or organization of any size that processes card payments.

What does PCI require of companies?

To be compliant, a company must follow this checklist:

  • Protect and safeguard cardholder data using a firewall.
  • Use custom passwords and unique, robust security settings instead of vendor defaults.
  • Ensure all stored cardholder data is protected at all times.
  • Encrypt cardholder data whenever it is sent across open, public networks.
  • High-quality and trustworthy antivirus software is mandatory.
  • Antivirus software must be regularly updated.
  • Any applications that handle cardholder information must be developed and maintained securely.
  • Access to cardholder information is heavily restricted and limited by business need-to-know.
  • Those with access to cardholder data must have unique identifiers.
  • Physical access to cardholder data must be restricted.
  • All access to cardholder information must be logged and reported.
  • Regularly test the security systems in place.
  • Have an information security policy in place that employees are informed of and that is regularly reviewed.

If the above checklist is complete and adhered to, a company is PCI compliant in the eyes of the PCI SSC. Failure to uphold these standards can result in financial penalties, which vary depending on the size of the breach plus other criteria.

These requirements may appear to be easy to comply with, but on closer inspection, the reality is far more complex, especially for large enterprises.

PCI compliance should not be taken lightly; it will take serious thought and work to become compliant.

Do I need PCI compliance for my business?

If your organization runs a physical or online commerce system, you will likely need to be PCI compliant.

PCI compliance is not just for large organizations with multiple businesses. Even single brick-and-mortar businesses need to be compliant. Anywhere a credit card is used to process a payment and is connected to your merchant account requires compliance.

To determine what level of compliance is needed for your organization, the PCI DSS will evaluate the size of your business and the number of channels used for processing payments. This includes in-store, online, and over the phone.

Those running a SaaS-based e-commerce store without access to cardholder data can breathe a sigh of relief. Your need for PCI compliance is significantly reduced. Your SaaS provider will likely have PCI compliance in place, and as you’re a customer using their software, you aren’t significantly affected.

Just because your business operates on SaaS-based commerce software does not mean you are free of any compliance obligations. For example, Magento has regular breaches of cardholder data because their clients are not PCI compliant, and you don’t get compliance merely by working with Magento.

Where do I start with PCI compliance?

Getting started with PCI compliance can be confusing and overwhelming. If you need help navigating the process and need more information on PCI compliance, contact us today.

We specialize in helping IT companies in New York with PCI compliance and can help your business no matter its size or industry.

Let Triada Networks help you get PCI compliant to give you peace of mind and stay focused on your business’s more important aspects.
Schedule a consultation today to speak to one of our qualified and professional members of staff about PCI compliance.

Check out one of our PCI compliance case studies for a previous client and other cybersecurity services we offer.