PCI DSS and the 12 Requirements for Compliance Explained

Electronic payments are used all over the world today because of the time and effort they save users. From small vendors to large corporations, everyone offers card payments as an alternative payment method to expand their selling opportunities. Nevertheless, a user's card information is sensitive, and processing it carries risk and accountability. Under PCI DSS (the Payment Card Industry Data Security Standard), securing this personal data from theft and fraud is the duty of merchants. PCI DSS aims to reduce the risk of card fraud and strengthen the security controls around cardholder data.

What is PCI DSS?

Information relating to credit cards is extremely vulnerable, as data theft has become widespread. Credit card theft is the second most common type of theft, and fraud involving new credit card accounts saw a 48% increase from 2019.

The PCI DSS is a compliance standard that sets data security requirements for handling, storing, or transmitting cardholder data. The leading card brands Visa, MasterCard, American Express, Discover and JCB collaborated to form the PCI SSC, an independent council that maintains and updates the PCI standards.

To whom does it apply?

PCI DSS applies globally to all merchants, big and small, and to the service providers that store, process, or transmit cardholder information. PCI requires companies to protect cardholder data and sensitive authentication data and to maintain that protection for as long as merchants use such data. If a payment card carries the logo of any of the PCI founding card brands listed above, it must be protected as per PCI DSS.

Achieving PCI DSS compliance

PCI DSS is your roadmap to card data security compliance: fulfil the 12 requirements listed in the standard. The 12 requirements under PCI DSS for card data security are as follows.

  • Step 1) Install and maintain a firewall configuration to protect cardholder data - Firewalls are the first line of defense against attackers, so configure firewalls and routers properly. The firewall rules must define what kinds of traffic are allowed into your corporate network.
  • Step 2) Do not use vendor-supplied defaults for system passwords and other security parameters - Remove vendor-supplied default settings from all software, network devices, and servers. Default settings, usernames, and passwords are simple to guess and put access to the device at risk. Change these settings on all devices and maintain documentation of the hardened configurations.
  • Step 3) Protect stored cardholder data - Use an encryption key management process to encrypt card data and protect the encryption keys as well. This requires creating a cardholder data (CHD) flow diagram to document how cardholder data moves through the organization. PCI requires the use of discovery tools to locate and secure unencrypted PAN and other sensitive data.
  • Step 4) Encrypt cardholder data transmitted across open, public networks - This step focuses on securing data in transit. Because attackers target data while it is in transit, PCI requires it to be encrypted before transmission.
  • Step 5) Protect all systems against malware and regularly update anti-virus software or programs - Install anti-virus software on all systems. Make sure that it monitors continuously and generates logs on a regular basis.
  • Step 6) Develop secure systems and applications - Conduct a thorough risk assessment and implement processes for deploying technology securely. It is important to update and patch internet browsers, applications, databases, firewalls, POS terminals, and operating systems in the card flow path within a month of a patch's release.
  • Step 7) Restrict cardholder data on a need-to-know basis - This step requires role-based access control (RBAC): access to cardholder data is granted only to individuals who need it for business purposes, enforced through keycards and passcodes.
  • Step 8) Identify and authenticate access to system components - This step requires every individual user to have a separate, unique username and password. Group and shared passwords must never be used. This makes activity traceable to a person in the event of an internal data breach.
  • Step 9) Restrict physical access to cardholder data - PCI DSS requires electronic monitoring of entry to and exit from file storage and data center locations. The video recordings must be preserved for 90 days, and there must be a process to distinguish employees from visitors.
  • Step 10) Track and monitor all access to network resources and cardholder data - This step mandates monitoring and protecting all network systems with a clear history of activity. The activity logs must be centrally monitored daily, time-synchronized, and retained for at least 1 year.
  • Step 11) Regularly test security systems and processes - Because cybercriminals are constantly probing, PCI requires merchants to test their processes and systems continuously. Create plans for vulnerability scanning and penetration testing as specified by PCI DSS.
  • Step 12) Documenting and maintaining risk assessments - This step involves creating, maintaining, and implementing a security policy for the company that covers its employees, management, and third parties. The policies must also be reviewed annually.
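Step 3 calls for discovery tools that locate unencrypted PAN. The Python script below is an added example written for this page; it is not QRC's tooling and not an implementation mandated by PCI DSS. It scans text (the constructed sample log lines embedded in it) for runs of 13 to 19 digits, keeps only the candidates that pass the Luhn check, and reports each hit masked to the first six and last four digits, so the scanner's own report does not become another cleartext copy of the PAN. The sample lines, the `scan_text` function and the `Finding` class are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The digit lookarounds stop us matching inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from any real system). Line 1 holds an order
# number and line 4 a tracking id that are PAN-length but fail Luhn; lines 2 and 3
# hold well-known Luhn-valid test card numbers, one with space separators.
SAMPLE_LOG = """\
2021-08-31 10:15:02 order=1630368902123 customer=alice status=ok
2021-08-31 10:15:03 DEBUG raw request: card=4111111111111111 exp=12/24
2021-08-31 10:15:04 support note: customer read out 5500 0000 0000 0004 over the phone
2021-08-31 10:15:05 tracking id 1234567890123456 dispatched
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS v3.2.1 req. 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked: str


def scan_text(text: str, source: str = "<inline>") -> List[Finding]:
    """Scan text line by line and return masked findings for Luhn-valid PAN candidates."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    # Usage: run the scanner over the constructed sample; real use would read log
    # files, database exports and backups with the same scan_text() function.
    for f in scan_text(SAMPLE_LOG, "app.log"):
        print(f"{f.source}:{f.line_no}: possible cleartext PAN {f.masked}")
```

The Luhn check removes most timestamp and order-number false positives, but roughly one random digit run in ten still passes it, so findings need human review, and a PAN stored with unusual separators or split across fields will be missed. The point of the example is the workflow: search everywhere CHD could have leaked (logs, exports, backups), never write the full PAN into the findings, and feed confirmed hits back into the CHD flow diagram so the data is encrypted or deleted.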

Consequences of Non-compliance

Theft or breach of card data badly affects the entire payments ecosystem. Here are a few consequences one may have to face for non-compliance with PCI standards.

Penalties - PCI DSS non-compliance can result in penalties from the card companies. Fines depend on the volume of payments handled by the merchant in question. Penalties may range from $50 per cardholder up to a total of $100,000 per month. Larger companies that operate at volume are frequently audited for PCI compliance, and the card companies may decide to levy penalties in case of non-compliance.

Revenue loss and damaged reputation - A data breach causes a loss of trust among customers, which can lead to a loss of credibility and personal fallout. The lost business is the largest consequence of a data breach. It is extremely hard to recover from a breach because the losses grow far beyond the data itself and affect organizations for years.

Legal action - Even though PCI DSS is not a legal requirement, in the event of a data breach the affected parties can take legal action. In 2007, TJX paid $40.9 million in compensation for exposing 100 million cardholders' information.

How to Make PCI Compliance Easy and Cost-Effective?

Here we try to dispel the myth that PCI compliance must be stressful, expensive, and time-consuming. These are a few things that make sure your budget is not hit hard by ensuring compliance.

  1. Install patches and updates regularly to avoid technology and additional staffing costs on the security team.
  2. Train the development team on secure coding best practices. This removes many vulnerabilities from the start and reduces remediation costs.
  3. Keep up with the changing PCI standards. If you fall short of the latest standards, reassessments are required, and reassessments involve audits, which are time-consuming and expensive.
  4. Send your key personnel on Compliance training courses so that they can understand the most relevant risks that apply to your organization. This further reduces reassessment and audit costs.

QRC as a leading PCI Qualified Security Assessor Company

As a PCI QSA, QRC helps businesses identify gaps in their compliance posture, whether for an SAQ assessment or the complete PCI DSS certification, supporting them end to end on the compliance journey with complete confidence.

As a certified PCI Qualified Security Assessor Company, QRC can certify your organization and its processes for PCI DSS compliance. We also offer assessments against other PCI security standards such as PCI 3DS and PCI SSF. QRC provides these services to give organizations across the globe the edge of being a fully security-compliant business. Our security assessment services cover all aspects of the technology infrastructure (Web, API, Network, Cloud Assets, Servers), which has helped our clients streamline their data security processes and practices over the years.

31st August, 2021 | Compliance | Posted by Abhishek T, SPD, QRC
