The PCI DSS, the acronym for Payment Card Industry Data Security Standard, is a set of security standards developed in 2004 by major card brands such as Visa, MasterCard, and American Express. The Payment Card Industry Security Standards Council (PCI SSC) governs the compliance scheme to protect debit and credit card transactions from data theft and fraud.

Although the PCI SSC lacks the legal authority to compel compliance, it is a requirement for any company that accepts credit or debit card payments. PCI certification is also one of the best ways to protect sensitive data and information, allowing businesses to build long-term and trusting relationships with their customers.

What is a PCI DSS Certification?

PCI certification ensures card data security at your business through a set of requirements established by the PCI SSC. These include several well-known best practices, such as installing firewalls, data encryption, and the use of anti-virus software. In addition, companies must restrict access to cardholder data and monitor access to network resources.

PCI-compliant security is an asset that informs customers that their transactions with your company are secure. In contrast, the cost of non-compliance, both monetary and reputational, should be sufficient to persuade any business owner to prioritize data security.

A data breach is likely to have severe consequences for a business since it exposes sensitive customer information. A violation may result in payment card issuer fines, lawsuits, decreased sales, and a severely harmed reputation.

Following a breach, a business may be forced to stop accepting credit card transactions or pay more subsequent charges than the initial cost of the compliance. Investing in PCI security procedures goes a long way toward protecting other aspects of your business from malicious online actors.

There are 12 requirements for PCI compliance;

  1. Install and maintain a firewall to protect cardholder data.
  2. Do not use system passwords and other security parameters provided by the vendor.
  3. Protect stored cardholder data.
  4. Encrypt cardholder data transmission across open, public networks.
  5. Use and keep anti-virus software or programs up to date.
  6. Create and maintain safe systems and applications.
  7. Limit access to cardholder data to those with a business need to know.
  8. Assign a unique ID to each person who has computer access.
  9. Restrict any physical access to cardholder data.
  10. Track and monitor all network resources and cardholder data access.
  11. Security systems and procedures should be tested regularly.
  12. Maintain an information security policy for all employees.

The Four Levels of PCI DSS

As we mentioned earlier, the PCI DSS is a set of requirements to help organizations prevent payment data violations and card fraud. This cooperation between major card brands ensures that card payments are protected accordingly. And for this, the first step is an evaluation -based on your level-, a quarterly network scan and Attestation of Compliance Form.

So, let’s have a look at the levels of PCI. There are four compliance levels that are based on the number of annual transactions of an organization. The first level includes merchants that process more than 6 million card transactions, and the second level contains merchants with 1 to 6 million transactions annually. The other two levels cover relatively smaller businesses: level 3 with 20,000 to 1 million transactions and level 4 with less than 20,000 transactions annually.

How to Determine Your PCI DSS Level?

Merchants may assess their PCI compliance level by working with their merchant services provider or using their provider’s reporting software. Because of the size and scope, Level 1-3 merchants have more specific compliance criteria. They are much more likely to have internal IT and enforcement departments to enforce and track compliance systems.

Most merchants who classify as small or medium-sized enterprises are classified as level 4. Although the enforcement criteria can be more straightforward, it is also more difficult for these businesses to fulfill the requirements if they do not have an internal IT infrastructure.

Self-Assessment Questionnaire

The Self-Assessment Questionnaire, SAQ for short, that a retailer must complete is determined by how they accept card payments. SAQ-A, for example, refers to merchants that accept card-not-present (eComm or MOTO) payments but do not store, process or transmit cardholder data on their premises systems. SAQ-B must be completed by merchants that use a standalone dial-out terminal and do not have electronic data storage. If you are unsure which type to use, contact your payment provider or the PCI SSC.

What to Do to Achieve Compliance?

Level 1:

  • Complete an annual Report on Compliance (ROC) with the assistance of a Qualified Security Assessor (QSA).
  • Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
  • Fill out the Attestation of Compliance Form.

 

Level 2:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Conduct a quarterly network scan with an Approved Scanning Vendor (ASV).
  • Fill out the Attestation of Compliance Form.

 

Level 3:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Conduct a quarterly network scan with an Approved Scanning Vendor (ASV).
  • Fill out the Attestation of Compliance Form.

 

Level 4:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Conduct a quarterly network scan with an Approved Scanning Vendor (ASV).
  • Fill out the Attestation of Compliance Form.

Problems Related to the Compliance

First of all, merchants must meet all specifications to achieve compliance. The PCI-DSS standard consists of 246 specifications, all of which must be completed without exception to achieve compliance. In addition to complying with what is stated in each requirement, it is mandatory to maintain compliance over the 12-month term of the certification. If not, merchants may face penalties and even disqualification from receiving payment cards in the event of an audit. 

Secondly, there is organizational pressure during the certification process. It is not unusual to see businesses attempting to verify their PCI DSS compliance due to a contractual requirement or pressure from the companies that run payment cards. The appreciation of the need for validation usually comes from the company’s top management and necessitates certification as soon as possible. This vicious cycle will result in poor control execution and adherence to failed requirements. 

Lastly, the specification of the scope is the most critical step of the PCI DSS compliance validation process. At this process, the company determines which steps should be taken to fulfill the requirements. PCI DSS has various rating levels for businesses pursuing compliance based on the amount and type of data transactions conducted in their environments. Your company’s initial compliance evaluation is the first step toward an effective validation process. Setting a scope that is too narrow can put payment card data at risk while setting a scope that is too wide increases the overall cost of the project.

References