Whether you’re a startup, an e-commerce company, or a large corporation, as long as you handle credit card transactions, you need to be aware of and comply with the Payment Card Industry Data Security Standard (PCI DSS).
As online commerce and online payment technology continue to grow, they need to be accompanied by new rules and regulations to make sure that both the business and the customers are safe and secure.
In this context, the five largest credit card companies came together as the PCI Security Standard Council (PCI SSC) and developed the PCI DSS to protect cardholder information and reduce fraud. The PCI DSS was created to reduce the risk of debit and credit card data loss by defining a set of rules and best practices for preventing information from being stolen, detecting breaches and reacting to a data leak.
PCI DSS compliance can be a daunting task for new merchants, solutions implementers, or anyone pursuing certification for the first time. This article is intended to help you become familiar with the rules, best practices and processes to obtain PCI DSS certification. If your business is processing transactions for American Express, Visa, MasterCard, Discover, or JCB cards, you’ll need to be familiar with the PCI DSS. If you use a SaaS provider for transactions, they'll likely be PCI DSS compliant and you won't be required to do as much work, but it's still important to know what PCI compliance is.
What is PCI DSS compliance?
PCI DSS compliance is necessary to ensure that all merchants and anyone handling credit card data can securely accept, transmit, process, and store it during a transaction.
Any merchant that handles credit card information must comply with the PCI DSS, regardless of whether they’re handling credit card information through a physical terminal or online. The requirements range from establishing data security policies and governing employee behavior, to deleting credit card information from the processing system and payment terminals once the transaction is complete.
Does your company need to obtain PCI DSS compliance?
PCI DSS compliance applies to any organization — regardless of size, industry or number of transactions — that accepts, transmits, or stores cardholder data. However, the requirements for PCI DSS compliance vary depending on the volume of transactions carried out by a business.
More specifically, any organization accepting credit card information will fall into one of four levels based on their Visa transaction volume over twelve months. This volume is calculated using the aggregate number of Visa transactions (including credit, debit and prepaid) from a merchant Doing Business As (DBA) or any merchant that’s a subsidiary of a DBA.
The PCI DSS levels are defined as follows:
- Level 1: Applies to any merchant, regardless of the acceptance channel, that processes over six million transactions per year, or any merchant that Visa determines should be designated Level 1 to minimize risk to the Visa network.
- Level 2: Applies to any merchant processing anywhere from one to six million transactions per year.
- Level 3: Applies to any merchant processing anywhere from twenty thousand to one million e-commerce transactions per year.
- Level 4: Applies to any merchant processing fewer than twenty thousand e-commerce transactions per year, and to all other merchants processing up to one million Visa transactions per year.
It’s worth noting that e-commerce merchants have a lower transaction threshold than purely retail merchants because e-commerce transactions carry a higher risk of fraud and data compromise.
In addition, any business that has suffered a data breach in the past may be escalated to a higher validation level.
How to obtain and maintain PCI DSS compliance
Obtaining PCI DSS compliance is a rigorous process that can be broken down into five steps:
Determine your PCI DSS level: Based on the levels defined above, merchants will need to self-evaluate and select a compliance level. For example, merchants that process over six million transactions per year will need to select Level 1, those between one and six million transactions per year are Level 2, and those between twenty thousand and one million transactions per year are Level 3. Anything less than that is Level 4.
Understand the penalties for failing to meet PCI DSS: Failing to meet the PCI DSS as a merchant means you’ll be liable to pay penalties to the PCI SSC. Penalties can include fines, increased credit card processing fees, sanctions from banks, and, in the worst case, a complete shutdown of the ability to process payments.
Complete a self-assessment questionnaire: The PCI SSC questionnaire will vary depending on how the specific business processes and handles credit card information; whatever the case, it will always contain a series of yes-or-no questions designed to assess how closely the business follows the PCI DSS requirements.
Build and maintain a secure network: The next step for any business is making sure the network and systems involved in handling credit card data are secure. For this step, most businesses will need to engage an expert IT contractor whom they can trust and who ideally has experience with PCI DSS compliance.
As part of this step, it’s important to make sure the twelve requirements specified by the PCI DSS are met, which are covered in detail in the next section. Additionally, organizations will be required to engage an Approved Scanning Vendor (ASV); these organizations are qualified and recognized by the PCI SSC. They’ll perform an audit, typically referred to as penetration testing, to find security gaps, flaws, and any other vectors that attackers could use to compromise the systems holding credit card information.
Note: Security scans should be completed every quarter (ninety days) to remain compliant and up to date.
Fill out the Attestation of Compliance: The last step to obtain PCI DSS compliance is to fill out the Attestation of Compliance (AoC). This document, which must be filed with the PCI SSC, shows that the merchant has met the PCI DSS requirements. It’s highly recommended that you have a qualified security assessor review the AoC before submitting it to the PCI SSC.
At this point, you’ve done all the work and generated all the paperwork required to be PCI DSS compliant.
PCI DSS requirements
The twelve PCI DSS requirements are a set of security controls that businesses are required to implement in order to protect credit card data and remain compliant with PCI DSS. They can be summarized as follows:
Install and maintain a firewall to protect the network from unauthorized access: A firewall is a network security system that protects the network from unauthorized access. These systems are the first line of defense against hackers and other intruders.
Avoid using vendor-supplied defaults for configuration settings and passwords: Anything from routers, modems, physical point-of-sale (POS) terminals, and other devices that are used to accept credit card information should not be left on the default settings and values, as this could compromise the security of the network. Similarly, any software systems that accept credit card information should also be configured to avoid using default settings and values for the same reason.
Protect stored cardholder data from unauthorized access: This requirement is to ensure that all credit card data is encrypted and not stored in plain text where it could be accessed by unauthorized users. Ideally, credit card information should not be stored at all and only used to process transactions.
Encrypt transmission of cardholder data over the network: When cardholder data is sent across a network, regardless of whether the network is private or public, it should be encrypted. This is to ensure that the data is not readable by unauthorized users.
Use and regularly update antivirus software: Installing and maintaining virus protection software is a critical step in ensuring that the network is protected from viruses and other malicious software. This applies to any systems that interact with or handle credit card information.
Develop and maintain secure systems and applications: Any software that might handle credit card information should be developed and maintained to ensure that it’s secure. For example, e-commerce applications that allow users to transact online should be audited and reviewed frequently.
Restrict access to cardholder data to authorized personnel: Cardholder data should be restricted to “need to know” scenarios. Any roles that do require access to this information should be well-documented and regularly audited.
Assign a unique ID to each person with computer access: A unique ID should be assigned to each employee who has access to cardholder data. This ensures that there’s a record of every instance of access to cardholder data, attributable to a specific person. Meeting this requirement involves companies documenting and monitoring the flow of data within the organization.
Restrict physical access to cardholder data to authorized personnel: The physical medium where that data is stored (for example, cardholder data stored on a hard drive) needs to be secure. Another example is a data center, which must have physical security controls and be monitored for unauthorized access.
Track and monitor all access to cardholder data: All activity that occurs with cardholder data should be tracked and monitored, such as the number of times the data is accessed, the date and time of the access, the IP address of the computer that accessed the data, and the type of access.
Regularly review and update the security systems and processes: The previous ten requirements involve security controls, processes, and software products and cover both physical and digital security. These requirements should be reviewed and updated regularly to ensure that the security of the network is maintained.
Maintain policy documentation: Finally, it’s important to keep an up-to-date policy document that describes the security controls and processes that are in place. This document should be reviewed and updated regularly to ensure that the security of the network is maintained.
Although these requirements can seem complicated and challenging, by using tools like Teleport you can automate a lot of the compliance process. Teleport allows organizations to consolidate all aspects of infrastructure and network access (connectivity, authentication, authorization, and auditing), greatly simplifying requirements around tracking and monitoring, access restriction and securing applications and systems.
What are the benefits of PCI DSS compliance?
While complying with PCI DSS might seem daunting at first, compliance has a huge impact on the business and has long passed from being a nice-to-have advantage to a must-have requirement.
PCI DSS compliance has many benefits:
It increases security: PCI DSS compliance provides a level of security that is higher than the industry average and signals to your customers that they can trust you to protect their credit card information.
It improves your business reputation: Being compliant will improve your business reputation with payment processors and other financial institutions.
It contributes to global financial security: Being PCI DSS compliant means your business is contributing to the global system of credit card security.
It facilitates compliance with other important regulations: PCI DSS compliance is a step in the right direction for businesses that also have to comply with other regulations like HIPAA and GDPR.
Conclusion on being PCI compliant
Over the course of this article, you learned what the PCI DSS is, the importance and benefits of PCI DSS compliance, the steps to be taken to be compliant, and the twelve PCI DSS requirements.
One powerful solution that businesses can use to simplify the implementation of PCI DSS compliance is Teleport. Trusted by companies like Auth0, Teleport is a single platform that provides you with tools to connect, secure and audit your IT infrastructure. With its open source SSH gateway, Teleport enables IT companies to securely access and manage their IT infrastructure, making it easier for them to meet PCI DSS compliance requirements.
Teleport has helped multiple FinTech companies obtain compliance standards, such as SOC 2, PCI and FedRAMP.
You can try Teleport today to secure infrastructure further while allowing for higher productivity within your software teams.