PCI DSS compliance, that is, compliance with the security standard that protects payment card data, can feel insurmountable. The Payment Card Industry Security Standards Council (PCI SSC) publishes well over 100 pages of detailed requirements and supporting guidance, and the reading needed to understand them can feel overwhelming. Meeting PCI DSS means knowing what cardholder data you hold, where it is stored, processed and transmitted, and how it is protected. With that in mind, below is an introduction to the standard and to how a PCI DSS audit is conducted.
What Is PCI DSS Compliance?
In 2004 the major card brands (American Express, Discover Financial Services, JCB International, MasterCard and Visa) jointly released the first version of the Payment Card Industry Data Security Standard (PCI DSS), a common set of security requirements for anyone who stores, processes or transmits cardholder data. Since 2006 the standard has been maintained by the Payment Card Industry Security Standards Council (PCI SSC), which the brands founded for that purpose. Its goal is to protect credit and debit card data, and the transactions that use it, against fraud and data breaches.
PCI DSS compliance is generally not required by law (a few US states have written parts of it into statute), but the card brands require it contractually: every merchant and service provider that stores, processes or transmits cardholder data must comply, and acquiring banks enforce this through their merchant agreements. Companies that refuse to follow the standard risk fines and the loss of their ability to process card transactions.
What Is the PCI Compliance Scope?
Determining the appropriate scope of a PCI DSS assessment is often the most challenging part of the review. To determine scope you must define your cardholder data environment (CDE): the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, plus any system component that is connected to, or could affect the security of, the CDE. The standard defines “system components” as network devices, servers, computing devices and applications, and gives six categories of examples:
- Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls) or could affect the security of the CDE (for example, name resolution or web redirection servers).
- Virtualization components, including virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors.
- Network components, including firewalls, switches, routers, wireless access points, network appliances and other security appliances.
- Server types, including web, application, database, authentication, mail, proxy, NTP and DNS servers.
- Applications, both purchased and custom, and both internal and external (Internet-facing).
- Any other component or device located within or connected to the CDE.
In addition, the entity must confirm the accuracy of its PCI DSS scope at least annually and before each annual assessment, identifying every location and flow of cardholder data and verifying that every connected system is included. Scope that is wrong at the start undermines everything built on it, including the coverage of vulnerability scanning and penetration testing.
Who Must Comply with PCI DSS?
Every merchant and service provider that stores, processes or transmits cardholder data must comply with PCI DSS, but how compliance is validated differs from one company to the next based on annual transaction volume. Each card brand defines its own merchant levels; the four levels below follow the commonly cited Visa and Mastercard definitions, and what an organization must do to validate compliance depends on its level. (Service providers have their own, separate two-level scheme.)
Level 1. Merchants that process more than 6 million card transactions annually; any merchant can also be placed in Level 1 at a card brand's discretion, for example after a breach. They must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by a certified Internal Security Assessor (ISA) where the brand permits, resulting in a Report on Compliance (ROC). Additionally, they must pass an external vulnerability scan by an Approved Scanning Vendor (ASV) every three months.
Level 2. Merchants that process 1 million to 6 million transactions annually. Once a year they must complete the applicable Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance (AOC). Quarterly ASV scans are also required.
Level 3. Merchants that process 20,000 to 1 million e-commerce transactions annually. They must complete the applicable SAQ annually, and quarterly ASV scans are required where the SAQ type calls for them.
Level 4. Merchants that process fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions through all channels. They complete the applicable SAQ annually, and quarterly ASV scans may be required, depending on the SAQ type and the acquiring bank's requirements.
How do you conduct a PCI audit?
Conducting a PCI DSS compliance audit is a critical process to assess and ensure the security of cardholder data within an organization. PCI DSS is a set of security standards designed to protect sensitive payment card data. Here are the general steps to conduct a PCI audit:
Determine Scope:
- Identify all people, processes, systems, applications and locations that store, process, or transmit cardholder data (CHD) or sensitive authentication data, plus everything connected to, or able to affect the security of, the cardholder data environment (CDE). Diagram the CDE and every flow of cardholder data into, through and out of it.
Understand PCI DSS Requirements:
- Familiarize yourself with the current PCI DSS requirements and compliance guidelines, which can change over time.
Assign Responsibilities:
- Designate individuals or teams responsible for various aspects of the audit process, including the audit leader, assessors, and technical experts.
Data Gathering:
- Collect information about the organization’s network architecture, policies, and procedures related to cardholder data.
Identify Vulnerabilities:
- Run internal and external vulnerability scans of the CDE and connected systems, and scan applications that handle cardholder data. PCI DSS requires internal and external scans at least quarterly and after any significant change, with the external scans performed by an ASV.
Gap Analysis:
- Compare your current security measures against PCI DSS requirements to identify gaps in compliance.
Remediation:
- Address and remediate any security vulnerabilities or compliance gaps identified during the gap analysis.
Documentation:
- Document all processes, procedures, and controls in place to protect cardholder data. This includes network diagrams, data flow diagrams, and written policies.
Self-Assessment Questionnaire (SAQ) or ROC:
- Depending on your merchant or service provider level, you validate compliance with either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) produced by a QSA or ISA after an on-site assessment. The ROC is required for Level 1 merchants and Level 1 service providers; in every case a signed Attestation of Compliance (AOC) accompanies it.
Penetration Testing:
- Conduct internal and external penetration testing, at least annually and after any significant change, to find weaknesses that automated scans miss. If you rely on network segmentation to reduce scope, the penetration test must also verify that the segmentation controls actually isolate the CDE.
Review and Validate:
- Review all documentation, assessments, and test results to ensure compliance with PCI DSS requirements.
Report Findings:
- Prepare a comprehensive report that includes all findings, vulnerabilities, remediation efforts, and a plan for ongoing security improvement.
Submit Compliance Report:
- Submit your signed AOC, together with the ROC or SAQ, to your acquiring bank or to the card brands as they require.
Ongoing Monitoring and Maintenance:
- PCI compliance is not a one-time event; it requires ongoing monitoring and maintenance. Implement continuous security monitoring and update security measures as needed.
Remediate and Re-audit:
- Address any deficiencies or vulnerabilities identified during the audit and subsequent monitoring. Repeat the audit process as required to maintain PCI compliance.
Report to Senior Management:
- Provide a summary of the audit results and compliance status to senior management and stakeholders.
Educate Staff:
- Ensure that employees are trained and aware of their roles and responsibilities in maintaining PCI compliance.
Remember that PCI compliance is an ongoing process, and it’s essential to stay up to date with the latest PCI DSS requirements and security best practices to protect cardholder data effectively. Consider consulting with a qualified PCI auditor or security expert to ensure a thorough and accurate assessment of your organization’s compliance.
Your PCI Audit Checklist
In addition to the core PCI DSS requirements, consider including these common items in your compliance checklist:
- Network Diagrams: Document your network architecture, including the flow of cardholder data.
- Data Flow Diagrams: Illustrate how cardholder data moves through your organization’s systems and networks.
- Policies and Procedures: Ensure that your organization has written policies and procedures in place that align with PCI DSS requirements.
- Penetration Testing: Verify that internal and external penetration tests are performed at least annually and after significant changes, that segmentation controls are tested, and that findings are corrected and retested.
- Incident Response Plan: Confirm the existence and effectiveness of an incident response plan for handling security incidents involving cardholder data.
- Employee Training: Ensure that all personnel are trained and aware of their responsibilities for PCI compliance.
- Third-Party Agreements: Maintain a list of all third-party service providers with access to cardholder data, obtain a written acknowledgement of each one's PCI DSS responsibilities, and record which requirements each provider manages on your behalf.
- Physical Security: Review physical security measures in place to protect cardholder data, such as access controls and surveillance.
- Change Management: Evaluate the change management process to ensure that changes do not introduce vulnerabilities.
- Logging and Monitoring: Confirm that audit logs cover every system component in the CDE, are reviewed at least daily (manually or with automated tooling), are protected from tampering, and are retained for at least a year with the most recent three months immediately available for analysis.
- Cardholder Data Storage: Verify that cardholder data storage is kept to the minimum the business needs, that sensitive authentication data (full track data, card verification codes and PINs) is never stored after authorization, and that any stored primary account number (PAN) is rendered unreadable, for example by strong encryption, truncation or tokenization, and is masked when displayed.
- Encryption: Ensure strong cryptography protects PAN at rest and in transit over open, public networks, and that the keys are generated, stored, rotated and retired under documented key-management procedures.
- Vendor Management: Monitor each service provider's PCI DSS compliance status at least annually, for example by obtaining its current AOC, and assess the security of any vendor that has access to cardholder data.
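The scoping step above and the checklist items on cardholder data storage and on logging both come down to the same question: where do PANs actually turn up? The following is an added example written for this article, not code from the original page, the PCI SSC or any vendor: a small Python scanner that finds Luhn-valid PANs in text such as application logs and masks them to the first six and last four digits. The log lines are constructed for the example and use publicly documented test card numbers only; the 13-to-19-digit range and the handling of single spaces or dashes as separators are assumptions about the data being scanned.

```python
"""
Discover and mask primary account numbers (PANs) in text such as application
logs.  Added example for this article, not from the PCI SSC or any vendor.
The log lines below are constructed and use publicly documented test card
numbers, not real cardholder data.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (so a 20-digit trace ID is skipped).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check that every real
    PAN satisfies; this removes most random digit runs such as order IDs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, normalized_pan) for each Luhn-valid candidate."""
    findings = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append((m.start(), m.end(), digits))
    return findings


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS
    allows to be displayed to staff without a documented business need."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every PAN in a line with its masked form; return (line, count)."""
    out, last, count = [], 0, 0
    for start, end, pan in find_pans(line):
        out.append(line[last:start])
        out.append(mask_pan(pan))
        last = end
        count += 1
    out.append(line[last:])
    return "".join(out), count


def scan_lines(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Report lines that contain PANs as (line_no, count, redacted_line)."""
    report = []
    for n, line in enumerate(lines, 1):
        redacted, count = redact_line(line)
        if count:
            report.append((n, count, redacted))
    return report


# Constructed sample log lines (test card numbers only).
SAMPLE_LOG = [
    '2024-01-15T10:30:45Z INFO order=1234567890123456 status=ok',
    '2024-01-15T10:31:02Z DEBUG auth request pan=4111111111111111 exp=12/26',
    '2024-01-15T10:31:09Z DEBUG retry card "5555 5555 5555 4444" amount=19.99',
    '2024-01-15T10:32:40Z WARN amex 378282246310005 declined code=05',
    '2024-01-15T10:33:01Z INFO session=9f8a77c1 trace=20240115103301000001',
]

if __name__ == "__main__":
    for line_no, count, redacted in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {count} PAN(s) -> {redacted}")
```

Run against the sample, the first line is ignored because the 16-digit order number fails the Luhn check, the last because its trace ID is 20 digits long, and the three middle lines are reported with their PANs masked. A hit in application logs is a scoping finding in its own right: the logging system, its storage and anyone who can read it have just joined the CDE.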
Remember that this PCI DSS compliance checklist should be tailored to your specific organization’s size, scope, and complexity as well as PCI compliance requirements. It’s also crucial to stay updated with the latest version of the PCI DSS and consult with qualified PCI assessors or auditors to ensure a comprehensive audit process.
Frequently Asked Questions About PCI Compliance
What are the consequences of not completing a PCI audit?
Failing to complete a PCI audit or not achieving PCI compliance can result in various consequences, which can be significant for businesses that handle payment card data. The specific consequences can vary depending on the circumstances and the level of non-compliance. Here are some common consequences:
- Financial Penalties: One of the most immediate and severe consequences of non-compliance is financial penalties. Acquiring banks and payment card brands may impose fines on businesses that do not meet PCI DSS requirements. These fines can vary widely depending on the severity of non-compliance and the number of payment card records exposed.
- Increased Transaction Costs: Non-compliant organizations may face higher transaction fees and costs from payment card brands and banks. These fees are often imposed to compensate for the increased risk associated with non-compliant businesses.
- Loss of Merchant Account: Acquiring banks may terminate the merchant account of a non-compliant organization. Losing the ability to process credit card transactions can have a detrimental impact on a business’s revenue.
- Legal Consequences: Non-compliance can lead to legal action from customers, payment card brands, or regulatory authorities. Customers affected by a data breach may file lawsuits against the business for negligence, resulting in potentially significant legal expenses and damages.
- Reputation Damage: A data breach or non-compliance can severely damage a business’s reputation. Customers may lose trust in an organization that cannot safeguard their payment card data, leading to a loss of business and future revenue.
- Increased Security Risks: Failure to comply with PCI DSS leaves an organization exposed to attacks by criminals and other threat actors, which can lead to data theft, financial losses and legal liability.
- Loss of Business Opportunities: Many organizations require proof of PCI compliance as a prerequisite for conducting business. Non-compliance may prevent a business from partnering with or securing contracts from companies that prioritize security.
- Mandatory Remediation: In the event of non-compliance, organizations will be required to address the deficiencies and vulnerabilities identified in their systems and processes. This can be costly and time-consuming.
- Regular Security Assessments: Non-compliant businesses may be subject to more frequent security assessments, audits, and scrutiny from regulatory authorities, payment card brands, and acquiring banks.
- Suspension or Revocation of Card Acceptance Privileges: Acquiring banks or payment card brands may suspend or revoke a business’s ability to accept credit card payments until PCI compliance is achieved.
To avoid these consequences, organizations that handle payment card data should prioritize PCI compliance and undergo regular assessments and audits. Achieving and maintaining compliance not only helps protect sensitive data but also preserves the organization’s financial stability and reputation. It’s important to work with qualified PCI assessors and follow the PCI DSS guidelines diligently to reduce the risk of non-compliance.
Do I Need Network Segmentation to be PCI Compliant?
Network segmentation isolates the CDE from the rest of your network so that out-of-scope systems cannot communicate with in-scope ones. Segmentation is not a PCI DSS requirement, but it is the main way to reduce scope, and with it the cost, difficulty and risk of the assessment.
If you have a non-segmented network (also called a “flat” network), the entire network is in scope and must be assessed. Internal firewalls, router access control lists and similar controls that block all traffic between the CDE and other segments, apart from explicitly justified and documented exceptions, keep the CDE isolated. Restrict cardholder data to as few locations as possible, and document the result in a data-flow diagram for PCI DSS purposes.
Segmentation only reduces scope if it is verified: penetration testing must confirm, at least annually (every six months for service providers) and after any change to the segmentation controls, that out-of-scope systems cannot reach the CDE. Inconsistent network configuration and legacy technologies make this mapping harder; standardizing them across the whole organization makes it easier.
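An added example, not code from the original article or the PCI SSC: a Python review of a firewall allow-list that reports rules pulling non-CDE systems into scope (anything that can initiate a connection into the CDE is a connected-to system) and rules that let the CDE reach outward. The CDE address ranges, the Rule format and the sample rules are all constructed for the example. It deliberately treats the list as order-independent, so a destination of 0.0.0.0/0 is flagged as covering the CDE; whether an earlier deny actually catches that traffic is exactly what the segmentation penetration test has to confirm.

```python
"""
Review a firewall/ACL allow-list for rules that break CDE isolation.
Added example for this article, not code from the PCI SSC or any vendor.
CDE ranges, the Rule format and the sample rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed CDE address ranges for the example.
CDE_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),  # payment application segment
    ipaddress.ip_network("10.20.1.0/24"),  # card data / tokenization DB segment
]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    dport: str   # destination port, or "any"
    action: str  # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def in_cde(cidr: str) -> bool:
    """True if the whole range lies inside a CDE segment."""
    n = _net(cidr)
    return any(n.subnet_of(c) for c in CDE_NETS)


def touches_cde(cidr: str) -> bool:
    """True if any part of the range overlaps a CDE segment
    (for example 0.0.0.0/0 or 10.0.0.0/8)."""
    n = _net(cidr)
    return any(n.overlaps(c) for c in CDE_NETS)


def review(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, explanation) for each allow rule that
    connects non-CDE address space to the CDE in either direction."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_cde, dst_cde = in_cde(r.src), in_cde(r.dst)
        if src_cde and dst_cde:
            continue  # intra-CDE traffic: already in scope, nothing new
        if touches_cde(r.dst) and not src_cde:
            # Anything that can initiate a connection into the CDE is a
            # "connected-to" system and joins the assessment scope.
            broad = _net(r.src).prefixlen == 0 or r.dport == "any"
            findings.append((
                "high" if broad else "medium", r.name,
                f"{r.src} can reach CDE {r.dst} on port {r.dport}; "
                f"the source is in scope"))
        elif touches_cde(r.src) and not dst_cde:
            findings.append((
                "medium", r.name,
                f"CDE {r.src} can reach {r.dst} on port {r.dport}; "
                f"verify this egress is required and restricted"))
    return findings


def in_scope_sources(rules: List[Rule]) -> Set[str]:
    """Non-CDE source ranges that the allow-list pulls into scope."""
    return {r.src for r in rules
            if r.action == "allow" and touches_cde(r.dst) and not in_cde(r.src)}


# Constructed sample allow-list for the example.
SAMPLE_RULES = [
    Rule("pos-to-db",        "10.20.0.0/24",  "10.20.1.0/24",  "5432", "allow"),
    Rule("jumphost-ssh",     "10.10.5.10/32", "10.20.0.0/24",  "22",   "allow"),
    Rule("corp-any",         "10.10.0.0/16",  "10.20.0.0/24",  "any",  "allow"),
    Rule("internet-to-web",  "0.0.0.0/0",     "10.20.0.10/32", "443",  "allow"),
    Rule("cde-egress-deny",  "10.20.0.0/24",  "0.0.0.0/0",     "any",  "deny"),
    Rule("cde-to-ntp",       "10.20.0.0/24",  "10.10.1.5/32",  "123",  "allow"),
    # dst "any" includes the CDE unless an earlier deny catches it first
    Rule("corp-to-internet", "10.10.0.0/16",  "0.0.0.0/0",     "443",  "allow"),
]

if __name__ == "__main__":
    for severity, name, why in review(SAMPLE_RULES):
        print(f"[{severity}] {name}: {why}")
    print("sources pulled into scope:", sorted(in_scope_sources(SAMPLE_RULES)))
```

The output for the sample shows why a "segmented" network is often not: the jump host, the whole corporate /16 and the Internet all become in-scope sources, and the corp-any rule with an open destination port is the kind of finding that turns the entire office network into part of the CDE. This is a static read of the policy; it does not replace the penetration test that proves the controls behave that way on the wire.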
How do Wireless Networks Fit into PCI Compliance?
Any point-of-sale technology (including a website), line-busting technology or WLAN used to store, process or transmit cardholder data is part of the CDE and must be assessed. Wireless networks that carry cardholder data or are connected to the CDE must use strong cryptography and authentication, and vendor default keys, passwords and SNMP community strings must be changed. Even where no wireless network is meant to be in scope, PCI DSS requires testing for unauthorized (rogue) wireless access points at least quarterly. Compliance is less cumbersome when wireless technology carries non-sensitive data only and is segmented from the CDE.
Can I Use Third-Party Service Providers/Outsourcing to Manage My PCI DSS Requirement?
If you use a third-party service provider, assess its services carefully and perform due diligence before engaging it. The contract should delineate which PCI DSS requirements are the provider's responsibility and which remain yours, and should include the provider's written acknowledgement of its responsibility for the cardholder data it handles on your behalf.
The service provider needs to prove its compliance. It can do this by either:
- Undergoing its own annual PCI DSS assessment and providing the resulting Attestation of Compliance (AOC) to its customers.
- Having its services assessed on demand as part of each customer's own PCI DSS assessment.
If the service provider relies on its own annual assessment, you must confirm that the assessment covers the services you use and the requirements you depend on it for, have the contract say so, and monitor the provider's compliance status at least annually.
What Are The Best Practices For Implementing PCI DSS Into Business-as-Usual Processes?
As with all compliance, your program will strengthen if you create a culture of compliance to the point that it becomes second nature. PCI DSS lists six practices for building compliance into business-as-usual processes:
- Monitor security controls, from security systems to access control, to confirm they are operating as intended. You should have an information security policy in place with remote and physical access rules, and you may want to adopt multi-factor authentication as well to mitigate unauthorized access.
- Detect and respond to failures of security controls quickly. If a control fails, restore it, identify the cause of the failure, address any security problems that arose while it was down, mitigate the cause so it does not recur, and resume monitoring. Regular risk assessments and vulnerability scans help to predict where failures and vulnerabilities may lie.
- Review changes to the environment before they are implemented, including new access points and public network usage: assess the risk of each change to PCI DSS compliance, identify any requirements the change triggers, and update your scope and controls accordingly. Do not rely on default settings, as business needs can and will change.
- Review changes in organizational structure (such as mergers or acquisitions) for their impact on scope and requirements.
- Perform periodic reviews to demonstrate continued compliance, and keep the documentation that backs those reviews up. This means looking at the written policies and procedures and confirming that people follow them.
- Review your hardware and software technologies at least annually to confirm they are still supported and still meet the requirements, and review the PCI DSS compliance of any vendors you have hired annually.
As a Qualified Security Assessor (QSA), How Do I Sample Business Facilities/System Components?
Sampling belongs to the assessor, not to the assessed entity: a QSA reviewing a large organization with many locations may test a representative sample of business facilities and system components rather than every one. The assessor cannot, however, inspect only a tiny portion of the environment, and cannot sample the requirements themselves: every PCI DSS requirement must be tested, and the entire environment must be compliant. In other words, you sample where the controls are implemented, not which controls to check.
Samples fall into two categories: business facilities and system components. Business facilities are the physical locations (stores, data centers, offices and so on) where cardholder data is handled; system components are the hardware and software used in those locations. Samples must be representative and large enough to give a reliable picture of the whole environment.
When selecting your samples, you need to think about the following:
- The sample can be smaller if a centralized, standardized set of processes and controls is in place that every location has to follow. If no standardized process exists, the sample must be large enough to show that every location complies with PCI DSS.
- If each business area has its own way of doing things, the sample must ensure that each of those methods of compliance is reviewed.
- If every facility handles compliance independently and no standards exist, the sample needs to be larger still, to cover all the different ways the various facilities do things.
- System component samples must cover every type and combination in use. This means documenting and sampling the different versions of applications, platforms and hardware, not just one instance of each.
Whenever you choose to sample:
- Document how you made the decisions about location, component, and sample size.
- Document and validate which of the sample types above you used (organization standards, business area standards, location standards).
- Explain why the sample is a good overview of everything in your organization.
Compensating Controls
Compensating controls may be used when an entity cannot meet a requirement as stated because of a legitimate technical or documented business constraint, provided the control meets the intent and rigor of the original requirement, provides a similar level of defense, goes above and beyond other PCI DSS requirements, and is commensurate with the additional risk of not meeting the requirement. Each compensating control must be documented in the Compensating Controls Worksheet of the ROC or SAQ, and every compensating control must be reviewed and re-validated at each annual assessment to confirm the constraint still exists and the control still works.
Compliance Management with ZenGRC
Failure to comply with PCI DSS can bring severe consequences for any retailer, bank, or other commerce provider. You must take securing cardholder data seriously.
The ideal way to keep up with PCI DSS requirements is to employ software that automates compliance tracking, notifies you when you err, and records your progress so that you can pass certification audits with less effort.
ZenGRC does all of these tasks and more. Our program:
- Determines where you comply with more than a dozen regulatory and industry guidelines and where you fall short by probing your system and networks.
- Displays results on a simple dashboard with instructions on closing compliance gaps in the form of checklists.
- Assists you in creating vendor questionnaires and compiling replies. It tracks processes, so you always know how your compliance efforts progress.
- Notifies you immediately of compliance shortcomings. Self-audits are carried out with a few clicks.
- Records your compliance-related activity for an entire audit trail in our unique “single source of truth” repository.
PCI DSS compliance can be straightforward. The current, stress-free route is only a click away. Get in touch with us to schedule a demo and start your PCI DSS compliance journey the ZenGRC way.