
PCI Compliance: Requirements And Benefits In 2023
Since 2005, cybercriminals have compromised more than 11 billion consumer records, with over 8,500 data breaches. In response to growing concerns, leading Payment Card Industry (PCI) bodies designed the Payment Card Industry Data Security Standard (PCI DSS). This standard aims to ensure that all parties that accept, process, store, or transmit credit card information maintain secure environments.
Ultimately, the PCI DSS hopes to manage the industry’s evolving standards and improve security throughout the payment transaction process. So, as your business heads into 2023, what should you be looking at to ensure you comply?
We have a few tips…
What is PCI compliance?
Making payments safer is a global effort. In 2006, leading industry stakeholders – including Visa, Mastercard, American Express, Discover, and JCB – endeavoured to create a community to protect cardholders and prevent security breaches. As an independent body, the PCI Security Standards Council (PCI SSC) introduced PCI compliance to drive the worldwide adoption of security standards. Complying with its technical and operational requirements means that you are committed to protecting cardholder data.
The PCI SSC defines ‘cardholder data’ as any personal or identifiable information associated with the owner of a credit or debit card. This includes the full primary account number (PAN) and other information, such as:
- Cardholder's name
- Expiration date
- Service code
Cardholder data also includes sensitive authentication data, such as full magnetic stripe (track) data, the card verification codes (CAV2, CID, CVC2, CVV2), PINs, and PIN blocks.
Why should I care?
According to the PCI SSC, failure to comply with PCI guidelines may result in serious, long-term consequences. For example, your business could suffer from a tarnished reputation, payment failures, penalties, or even a lawsuit.
But as well as consequences for ignoring the guidelines, there are also benefits to complying with them:
- Increased customer confidence – your customers will trust you with sensitive payment card information, leading to greater client retention
- Improved reputation – security compliance can boost your relationships with payment brands
- Bolstered operations – such as more efficient IT infrastructure and strengthened corporate security strategies
- Enhanced global security solutions – preventing current and future security breaches and payment card data theft will help facilitate safer payments worldwide
How can I meet the PCI DSS requirements?
No matter how good your intentions are, it’s not always easy to comply with PCI DSS requirements. The first step is to understand your obligations, and there are 12 of them – each of which needs to be verified by a Qualified Security Assessor.
Consider this list as your PCI compliance checklist.
1. Install and maintain a firewall configuration
To ensure service providers and merchants maintain a secure network, PCI DSS requires the proper configuration of a firewall and any routers. Installation and maintenance of an adequate firewall restricts the incoming and outgoing network traffic according to your pre-configured security criteria to protect the cardholder data environment.
2. Avoid default passwords and security parameters
Many operating systems and devices provide default usernames, passwords, and other insecure configuration parameters. Easy to guess and often freely available to malicious parties, these are prohibited. PCI DSS requires companies to maintain an inventory of systems, configurations, and hardening procedures to follow whenever they introduce a new system to their IT infrastructure.
3. Protect stored cardholder data
As the most important PCI DSS requirement, businesses should prioritise cardholder data protection. This involves knowing what kind of data you store, where it is stored, and for how long it is retained. You must also render stored cardholder data unreadable: encrypt it with industry-accepted algorithms (e.g. AES-256 and RSA 2048), or truncate, tokenise, or hash it (e.g. SHA-256 and PBKDF2).
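A constructed illustration of three of the "render unreadable" options just listed (truncation for display, keyed hashing for lookup, and tokenisation through a vault). This is an added example written for this page, not PCI SSC material; the test PAN and the runtime-generated HMAC key are placeholders, and the in-memory dict stands in for a vault store that would itself be encrypted (e.g. AES-256) and isolated from merchant systems.

```python
import hashlib
import hmac
import secrets

# Constructed, Luhn-valid test PAN; the lookup key is a placeholder generated at
# runtime and would come from an HSM or key-management service in production.
TEST_PAN = "4111111111111111"
LOOKUP_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Reject malformed input (13-19 digits, Luhn checksum) before storing anything."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncated form for display: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC): the hash cannot be matched against a PAN dictionary
    without the key, which an unkeyed hash of a 16-digit number would allow."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: callers keep a random token; only the vault maps it back."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pan_by_token = {}   # stand-in for the vault's encrypted store
        self._token_by_hash = {}  # keyed hash lets repeat PANs reuse a token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        h = hash_pan(pan, self._key)
        if h not in self._token_by_hash:
            token = "tok_" + secrets.token_hex(12)
            self._token_by_hash[h] = token
            self._pan_by_token[token] = pan
        return self._token_by_hash[h]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```

Systems outside the vault should only ever hold the token or the truncated form, which keeps them out of PCI scope for stored PAN.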
4. Encrypt cardholder data transmissions
Cybercriminals can more easily intercept cardholder data while it is being transmitted to the payment gateway or processor over an open or public network (the internet, 802.11 wireless, Bluetooth, GSM, CDMA, GPRS, and the like). You must therefore encrypt cardholder data before transmission, using secure versions of transmission protocols such as TLS or SSH, to reduce the risk of cardholder data theft.
5. Use up-to-date anti-virus software
Making the most of active anti-virus and anti-malware software is vital to maintain security standards and prevent known malware from infecting your systems. PCI DSS requires that businesses install the latest signatures and generate auditable logs on all systems that are accessed locally or remotely, including workstations, laptops, and mobile devices.
6. Develop secure systems
Defining and implementing a development process that includes security requirements in all the developmental phases is key. Moreover, businesses must regularly maintain and update all systems within the cardholder data environment (including operating systems, firewalls, routers, switches, application software, databases, and POS terminals) to limit potentially malicious exploitation.
7. Restrict cardholder data access
PCI DSS states that businesses must operate on a ‘need to know’ basis. With an access control system (e.g. Active Directory or LDAP) assessing each request, you can limit sensitive data exposure to authorised parties only. You must have a documented list of users with defined roles and privilege levels to enable access control.
8. Assign a unique ID to authorised users
Each documented user with access to cardholder data must have a unique identifier and password. The unique ID provides transparency and accountability whenever someone accesses the data, and the password must meet complexity requirements. For remote access, businesses must adopt two-factor authentication to maintain security.
9. Restrict physical access
Video cameras and electronic access controls should be set up to monitor anyone physically entering or leaving data centres – and they must distinguish between employees and authorised visitors. You must also keep access logs and recordings for a minimum of 90 days. Additionally, businesses should physically protect all removable and portable media containing cardholder data where possible, as well as destroy redundant assets.
10. Track and monitor access
Implementing correct audit policies, sending logs to a centralised log server, and periodically reviewing them will help you detect anomalies and suspicious activities. PCI DSS also requires businesses to time-synchronise their audit trails and keep records for at least a year. Security Information and Event Management (SIEM) tools can help here – logging system and network activities, monitoring logs, and alerting you to malicious activities.
11. Regularly test security systems and processes
To maintain security, you must always be one step ahead of the game. Regularly inspecting and testing your security systems and processes is therefore vital.
Quarterly checks should include:
- Wireless analyser scans to detect and identify unauthorised wireless access points
- Approved Scanning Vendor (ASV) scan of all external IPs and domains exposed in the cardholder data environment
- Internal vulnerability scan
Annual checks should include:
- Maintain a security information policy
- Application penetration test for all external IPs and domains
- Network penetration test for all external domains
12. Maintain a security information policy
And finally, industry participation and knowledge are at the heart of PCI DSS. You must perform formal risk assessments every year to identify critical assets, threats, and vulnerabilities throughout your cardholder data environment. In addition, you should conduct regular user-awareness training, perform employee background checks, and ensure proper risk management.
Make your software stack one less thing to think about
Despite the many difficulties you might face, the benefits of PCI compliance far outweigh any challenges. Crucially, though, non-compliance has severe consequences – not least the heavy penalties which can be catastrophic for any business. Get in touch with us today to achieve complete PCI compliance.
FREQUENTLY ASKED QUESTIONS
What is PCI-compliant AWS?
AWS PCI compliance is an Amazon Web Service that is compliant with the PCI guidelines.
I’m a small business owner. Do PCI guidelines still apply to me?
Yes. Any organisation that accepts, transmits, or stores any cardholder data, regardless of its size or the number of transactions, should be PCI compliant.
My business doesn’t store credit card data. Do I need to be PCI compliant?
If you accept debit or credit cards as a payment method, PCI compliance still applies – regardless of whether you store that data.
Am I PCI compliant if I have an SSL certificate?
Not necessarily. SSL certificates do not secure a web server from a malicious attack or intrusion, and thus do not ensure PCI compliance.
My business operates out of my home. Am I a serious target for hackers?
Yes, home users are arguably the most vulnerable to attacks. Hackers often exploit the always-on broadband connections and typical home-use programs such as chat, internet games, and P2P file-sharing applications.
What are the consequences of PCI non-compliance?
While PCI is not a law, there are penalties for non-compliance. At their discretion, payment brands might fine you anything from £5,000 to £100,000 per month for PCI compliance violations, depending on the number of transactions and the volume of traffic.
What’s more, companies must meet varying levels of PCI DSS compliance. For example, a non-compliant level 1 company might face the higher monthly figure. The bank can also either terminate your relationship or increase your transaction fees – your Merchant Account Agreement should outline this in greater detail.
We believe in helping every company adhere to PCI DSS, which is why our software stack is fully compliant. To find out more, get in touch with a member of the team today.