A Guide to PCI Compliance


Navigate PCI compliance with ease: Understand the essentials, best practices, and steps for securing cardholder data in our comprehensive guide.


A security breach is one of the worst things that can happen to your business. The loss of trust from your customers as an organisation which can securely hold their sensitive information alone can be enough to cost you thousands of pounds in revenue, and might even affect its ongoing viability.

With this in mind, if you accept card payments by any means, PCI (Payment Card Industry) compliance is critical to the ongoing functioning of your company. But what is it, and how can you ensure it for your business so that you don’t get caught in any unpleasant traps left by bad actors?

What is PCI Compliance?

PCI compliance applies to any company storing, processing, or transmitting credit or debit card data. These standards facilitate the comprehensive global adoption of consistent data security measures designed to protect online and offline credit and debit card transactions from data theft and fraud.

PCI Compliance Meaning and Requirements

The PCI DSS sets out twelve requirements, grouped under six ‘objectives’, that businesses must meet to achieve compliance. Each card network, such as Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI SSC. It is important to remember that achieving PCI compliance isn’t a one-time matter: you have to demonstrate it every year.

Is PCI Compliance Mandatory for All Businesses?

PCI compliance is a security standard rather than a law, but it’s mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that handle their payment processing. The exact compliance requirements change according to the size of your business, and place a heavier burden on those companies which process a greater number of payments.

What Are the Basic Requirements for PCI Compliance?

PCI compliance ordinarily relates to PCI DSS, a set of 12 security standards that businesses must use when accepting credit card payments and transmitting, processing and storing the related data. It involves requirements such as encryption of cardholder data, managing firewalls, updating antivirus software and assigning unique IDs to each person with computer access.

PCI DSS Compliance

The main difference between PCI and PCI DSS lies in their definitions and purposes. PCI (the Payment Card Industry) is the collective term for the credit card companies, while PCI DSS is the actual security standard that businesses must adhere to when handling cardholder data.

PCI SSC Compliance

Web companies must follow the requirements of the PCI DSS (The PCI Data Security Standard). This programme is managed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI Compliance Checklist

The six goals and twelve requirements for PCI DSS compliance are as follows:

Build and Maintain a Secure Network and Systems

  • Install and maintain network security controls

  • Apply secure configuration to all system components

Protect Account Data

  • Protect stored account data.

  • Protect cardholder data with strong cryptography during transmission over open public networks.

Maintain a Vulnerability Management Program

  • Protect all systems and networks from malicious software

  • Develop and maintain secure systems and software

Implement Strong Access Control Measures

  • Restrict access to system components and cardholder data by business need-to-know

  • Identify users and authenticate access to system components

  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Log and monitor all access to system components and cardholder data

  • Test security of systems and networks regularly

Maintain an Information Security Policy

  • Support information security with organisational policies and programmes.

Levels of PCI Compliance Certification

There are four levels of PCI compliance, ranked according to how many card payments you take each year:

PCI DSS Merchant Level 1

Merchants that perform more than 6 million card transactions annually.

PCI DSS Merchant Level 2

Merchants that process between 1 million and 6 million card transactions annually.

PCI DSS Merchant Level 3

Merchants that process between 20,000 and 1 million card transactions annually.

PCI DSS Merchant Level 4

Merchants that perform fewer than 20,000 card transactions annually.

For levels 2, 3 and 4, a Self Assessment Questionnaire (SAQ) is completed by your business. At Level 1, this SAQ is replaced by an Annual Report on Compliance performed by a Qualified Security Assessor. This can be performed by a Level 1 onsite assessor or an internal auditor if an officer of the company is willing to sign the assessment. Having an external auditor can help ensure that you are complying with all requirements.

How to Achieve PCI Compliance Certification

While PCI compliance can be achieved by self-reporting by smaller businesses, the gold standard for the industry is to achieve PCI DSS certification, and this is a slightly more involved process. PCI DSS certification gives a thorough and unbiased audit as proof of compliance. While the criteria for both assessments are mostly the same, the certification process gives concrete proof that the company being audited is taking all measures to protect payment information.

The following broad guidelines should help you to achieve compliance:

Use a Firewall

You’ll need to install a reliable firewall to protect your network and run regular testing to confirm it is still effective.

Do not use Default Passwords

To be PCI compliant, you must ensure all devices and user accounts use passwords that are unique, and that include lowercase and capital letters, numbers and symbols, to make them more secure.

Use Both Digital and Physical Measures to Protect Cardholder Data

The PCI standard requires you to put in place electronic and physical barriers to prevent unauthorised access to passwords. These may include authentication protocols, strong password policies, locked servers and locked cabinets for sensitive physical data. A related measure is restricting access to cardholder data and encrypting the transmission of cardholder information.

Create and Enforce a Security Policy

A security policy should be drafted, supported by management, and made known across the organisation, as well as to third-party vendors and customers. You should include a summary of how you protect customer data, explaining password and access requirements.

Establish an Incident Response Process

Have a clear process for detecting, remediating, mitigating and recovering from security incidents.

Keep Track of Changes

Identify and review changes made to processes or technologies affecting cardholder data. Establish change controls, identifying the impact on compliance for every change.

Keep Software Patched and Install Security Updates

Many of the world’s biggest security breaches resulted from an exploit of a known software vulnerability. Keeping software up to date, scanning systems for vulnerabilities and remediating them, is a critical defensive measure.

How Often Do I Need to Undergo PCI Compliance Assessments?

When you first start taking payments, you’ll have 90 days before you need to meet the requirements of the PCI DSS. After that, you’ll need to keep meeting the requirements and show you’re doing so at least once a year.

Can a Business Be Fined for Non-compliance With PCI Standards?

Although PCI standards aren’t a matter of law, the consequences of failing to adhere to them can be severe. The standards don't simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (around £4,000) and $100,000 (£78,500) a month until they achieve compliance.

Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether. Additionally, banks can implement stricter compliance requirements for organisations that commit repeated or egregious mistakes.

How Long Does It Take to Get PCI Compliance Certification?

The PCI compliance process can last anywhere from one day to two weeks depending on the complexity of your systems, the size of your company, and how long you take to complete the self-assessment.

What is the Role of a Qualified Security Assessor (QSA) in PCI Compliance?

The term Qualified Security Assessor, or QSA, refers either to an individual qualified to perform payment card industry compliance auditing and consulting, or to a company that employs such assessors. If your company needs to undergo a PCI DSS audit, it will be performed by a PCI Qualified Security Assessor.

From the outset, the requirements for PCI DSS compliance can look close to overwhelming, but perhaps the most important thing to remember is that compliance is a matter of the culture of your business rather than a box-ticking exercise. There’s no escaping these requirements: they are a condition of continuing to take advantage of the opportunities afforded by the rapid expansion in global credit and debit card use. Adhering to them strictly will only result in a growth in trust from the most important people to your business of all: your customers.


© Switch Pal Limited 2024

All rights reserved. Switch Pal Limited is registered in England & Wales: 12545529
