Payment Card Industry Data Security Standard (PCI-DSS) is a list of compliance standards containing policies around protecting consumer payment and financial data. Organizations must follow PCI-DSS compliance when they store payment information from consumers or risk paying hefty fines for violations. The standards council offers a security framework for organizations to follow to ensure that they meet standards.
What Is PCI-DSS Certification?
To know if an organization is truly compliant with PCI-DSS regulations they should become PCI-DSS certified—certification involves following several best practices. Credit card companies mandate standards and meet regularly to review best practices and change requirements as the cybersecurity landscape evolves. PCI-DSS lays out a framework for organizations to follow so that they can ensure that they’re certified. A few practices necessary for PCI-DSS certification are:
Not all merchants have the same volume of sales and network resources, therefore PCI-DSS categorizes compliance regulations based on merchant levels. Merchant levels are determined based on volume of Visa credit card transactions. PCI-DSS compliance affects any sized merchant, but the merchant level will determine security validation necessary for compliance.
Merchant levels are:
- Level 1: Any merchant processing over six million Visa transactions per year. These businesses are usually very large global enterprises, and Visa might categorize a merchant at its discretion to reduce risk. A Visa auditor will assess compliance once per year, and Level 1 merchants must submit a PCI scan using an approved scanning vendor.
- Level 2: Any merchant processing one million to six million Visa transactions per year. Level 2 merchants must submit a self-assessment questionnaire (SAQ) to ensure they meet Level 2 requirements and perform quarterly PCI scans.
- Level 3: Any merchant processing 20,000 to one million Visa ecommerce transactions per year. Level 3 merchants must submit a self-assessment questionnaire (SAQ) to ensure they meet Level 3 requirements and perform quarterly PCI scans.
- Level 4: Any merchant processing less than 20,000 Visa ecommerce transactions per year, or merchants processing up to one million standard Visa transactions per year. Level 4 merchants must submit a self-assessment questionnaire (SAQ) to ensure they meet Level 4 requirements and perform quarterly PCI scans.
Although most compliance regulations require numerous infrastructure changes and security tools, PCI-DSS has very few but critical requirements. Any mistakes or oversights in requirements could result in hefty fines, so it’s imperative that organizations review PCI-DSS guidelines and apply the proper controls to their environment.
Credit card companies mandate 12 requirements that organizations must follow to stay PCI-DSS compliant. Standards aim to protect user cardholder data, therefore requirements revolve around the many ways threats breach network defenses and allow attackers to steal critical information. Any changes to current requirements are announced and published by the Security Council, so organizations must review them yearly to ensure that they continually meet compliance requirements.
The 12 PCI-DSS requirements are:
- Install firewalls and configure them to block malicious traffic. Most organizations already have a firewall installed between the outside internet and the internal environment, but others are needed in larger environments where public Wi-Fi is offered, and departments must be segmented. For example, organizations would use a firewall to separate financial departments and their data from the sales department to protect cardholder data.
- Avoid using vendor defaults for system passwords. Every network resource ships with the manufacturer’s default password so that administrators can configure hardware to work specifically with the corporation’s infrastructure. These passwords are openly distributed to the public, which means that attackers can access network resources without obtaining credentials. After connecting a component to the network, the first step for an administrator is to change the default password to their own. Preferably hard to guess but easy to remember passwords.
- Protect stored consumer financial data. This requirement might seem obvious, but not every organization stores credit card information and not all organizations do what is necessary to ensure basic security. For example, card data stored in a database must be encrypted and no one within the organization should have unfettered access to it. Any access requests must be monitored, and an audit trail created for incident response in case of a breach.
- Financial data transferred across public networks must be encrypted. Data passing over the internet must be encrypted to avoid eavesdropping. Users submit their credit card information on an ecommerce site, and this information must be encrypted. Merchants send credit card data to a processor, and it must be encrypted as it passes to merchant services. Some organizations take security to another level and encrypt traffic within the corporate network.
- Install and maintain antivirus software. All servers and workstations across the organization must have antivirus software installed. To take it a step further, any mobile device that is storing or processing credit card data should also have antivirus software installed. Endpoint security is a newer challenge for organizations since the growing popularity of smartphones, but it should be a priority for organizations taking payments over mobile devices.
- Add systems with data protection in place. Systems constantly change and administrators will add new ones as the corporation grows. Any system installed within corporate infrastructure should be integrated with security in mind. New infrastructure should be installed with security integrated, and any configurations should be set up with security of credit card data in mind.
- Use least privilege standards for data access. Users should only have access to credit card data if it’s necessary to perform their job functions. Insider threats risk exposure of credit card data, so only employees who need access to perform a job function should have access. In some cases, a portion of the credit card number can be masked from view to increase security. For example, customer service people can see the last four digits of a credit card number but not the full number, but the billing department can see the full number to help customers change their card number on file.
- Log access requests with the user ID retrieving credit card data. Whether it’s a compromised account or a malicious insider, logging every access request with the user ID will leave an audit trail. Investigators and law enforcement use audit trails to identify a malicious actor, and they help incident response teams identify the extent of damage and consumers affected by a data breach.
- Limit physical access to credit card data. Servers storing credit card information should have appropriate physical security measures in place. For organizations storing credit card data in the cloud, the cloud provider should provide policies that follow PCI-DSS standards. Physical security should also log access requests to infrastructure to create an audit trail.
- Log and monitor access requests to network resources storing credit card data. Monitoring data access is a component in several compliance regulations. Logs and monitoring go hand-in-hand in data security and protection. Logs track access request events, and monitoring tools use these events to identify anomalies that trigger notifications sent to administrators. Analysts use monitoring to quickly respond to ongoing incidents to contain them and limit damage from a breach.
- Test security systems and procedures often. Security systems occasionally fail, or they don’t work as expected, so it’s important for administrators to regularly test security controls across the entire environment. Some organizations do security events where they offer employees prizes for finding vulnerable resources. In addition to yearly testing, administrators should review PCI-DSS compliance documentation for any changes.
- Document security policies and distribute them to employees. Staff can’t follow security policies if they are unaware of what policies they must follow. PCI-DSS requires employers to document security policies so that employees can reference what needs to be done and identify proper ways to handle customer data.
Benefits of PCI-DSS
A lot of work goes into staying compliant but following PCI-DSS standards has many benefits. Many of the benefits of staying PCI-DSS compliant positively impact your revenue, so it helps to follow guidelines and protect cardholder data using security requirements laid out in PCI-DSS standards.
- Increased client trust. Clients want to know that their data is safe and being PCI-DSS compliant communicates that your organization understands what must be done to secure credit card information.
- Prevent data breaches. Cybersecurity should be a priority for any organization that stores sensitive data such as credit card information. Every PCI-DSS standard helps organizations stop cyber attacks that could result in a revenue-impacting event.
- Stay compliant with global standards. Council for PCI-DSS comprises global credit card companies with insights on the latest cybersecurity trends. Some vendors and merchant service providers might require you to stay PCI-DSS compliant to do business with them.
- Helps with proper security controls. Without a dedicated security team, it’s difficult to navigate through the many cybersecurity options available. PCI-DSS frameworks steer you in the right direction. Applying PCI-DSS standards gives administrators guidance on what security controls are necessary to properly protect credit card data.
- Provides guidelines for other compliance standards. Most organizations have several compliance standards that they must follow. Applying PCI-DSS standards to security controls will set up the corporation to stay compliant with other standards. For example, PCI-DSS frameworks will help with HIPAA and GDPR compliance.
PCI-DSS non-compliance has severe consequences. After a data breach, an organization could pay millions in violation fees and litigation costs from class action lawsuits. Top five consequences are:
- Monthly fines: Non-compliant environments put consumer credit card data at risk, so PCI-DSS imposes hefty monthly fees for violations. Penalties depend on the merchant level, but fines range from $5000 to $100,000 per month.
- System compromise and data breaches: Poor security creates vulnerabilities that lead to data breaches. Data breaches cost millions of dollars in incident response, investigations, loss of customer trust, and litigation.
- Litigation: Severe data breaches cause financial stress on consumers, and class action lawsuits give them reparations. Organizations must pay for legal counsel and any settlements after a data breach.
- Brand reputation damage: If an organization is known for poor security, customers will go to a competitor. Brand reputation damage affects customer loyalty and trust.
- Revenue loss: As customers choose competitors due to brand damage, the organization loses revenue including costs for litigation.
Best Practices for PCI-DSS Compliance
Most of PCI-DSS best practices follow requirements, but organizations can put additional policies in place to improve security. A few additional practices that organizations should consider:
- Keep software up to date: Developers release updates that patch security flaws in their software, so always keep applications up-to-date to avoid leaving infrastructure vulnerable.
- Tokenize credit card data: Tokenization is similar to encryption. It replaces sensitive data with non-sensitive data while keeping some elements of original data to continue business operations.
- Give every user and resource a unique ID: Administrators give users unique identification names, but any component that accesses data should also have a unique ID to track requests.
- Protect passwords: Instruct all users to safely store their passwords. Password vaults are recommended to avoid poor storage practices.
- Penetration test software and network configurations: A whitehat hacker will use methods common in hacking circles to test your software for vulnerabilities so that the organization can pinpoint current issues and remediate them.
How Proofpoint Can Help
Proofpoint has several services and products that help organizations stay PCI-DSS compliant. With these tools, you can easily comply with information and data protection rules across a range of industries, such as PCI, HIPAA and GDPR. You can also protect your complex business-critical documents, such as intellectual property, legal documents and M&A agreements. Our information protection tools and resources apply security solutions to consumer data to protect it from threats.
Compliance management is important for business continuity, but compliance doesn’t always mean that your organization is completely secure. Organizations are usually required to follow several regulations, and Proofpoint can help you find the sweet spot between compliance and security.
The Sweet Spot between ‘Compliant’ and ‘Secure’
Proofpoint recently joined a group of security leaders at the World Cybersecurity Congress in London, UK. The main topic of conversation? Regulation.
What Is Data Protection?
Data protection is meant to safeguard information from compromise and loss. Learn what data protection is, why it matters, what to consider, and more.
Adapting Information Protection to a Changing World
451 Research's Eric Hanselman and Proofpoint's Brian Reed discuss information protection in our changing environment. Watch the discussion now.
Why Information Protection and Compliance Go Hand in Hand
Collaboration apps are increasingly popular, but compliance solutions continue operating in silos. Learn why Information protection and compliance go together.
Top Three User-Focused Information Protection Use Cases in the Cloud Era
In this e-book we take a closer look at the people-centric nature of data loss incidents. It explores three types of users—negligent, malicious and compromised—and how to manage the risks they pose.