PCI DSS (the Payment Card Industry Data Security Standard) is the leading industry standard for securely handling payment card data. It is a necessity for businesses that accept credit, debit or other card payments, as well as for any organisation that supplies services, software or hardware that facilitates payments.
Achieving PCI compliance can be a long and arduous process, especially if your business lacks the dedicated security expertise to understand and implement its requirements. Here we will take a look at what’s involved and outline important steps to help achieve it.
Why do you need to achieve PCI compliance?
While PCI DSS is not technically a legal requirement it is a commercial necessity, as if your business accepts card payments but is not compliant, or working towards compliance, there can be very serious repercussions.
For example, if you are non-compliant and suffer a data breach leading to fraudulent activity on the accounts of your customers, you could be fined, or worse, your bank could choose to terminate your business’ bank account. With the GDPR and other regulations becoming stricter around businesses’ responsibilities surrounding data protection, it is more important than ever to take compliance seriously.
How to become PCI compliant
To achieve PCI compliance, a business must undertake an annual security audit. To pass the audit, organisations must demonstrate adherence with a set of requirements, covering areas including data retention, encryption, physical security, authentication and access management. The minimum requirements can vary from business to business. As a general rule, organisations fall into one of four levels, based on the annual volume of card data transacted.
- Merchant Level One – any merchant processing over 6,000,000 Visa transactions per year, as well as any merchant that has suffered a data breach that resulted in data loss
- Merchant Level Two – any merchant that has been 1,000,000 and 6,000,000 Visa or MasterCard transactions annually
- Merchant Level Three – merchants processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions annually
- Merchant Level Four – any merchant processing fewer than 1,000,000 Visa or MasterCard transactions, or merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually
To understand how the PCI DSS applies to your business, you should contact your bank or the applicable payment brand to help identify the minimum standards expected.
PCI DSS requirements
The PIC DSS encompasses 6 objectives which are split across a set of 12 requirements. Provisions include:
- Building and maintaining a secure network
The use of firewalls and antivirus software to protect systems and data from unauthorised access is one of the principle requirements of PCI DSS. These systems should be regularly updated and tested to ensure that they are configured correctly to ensure that they are suitably hardened against evolving cyber threats.
- Maintaining an information security policy
Creating an information security policy is necessary to help implement and enforce security good security practice and processes across your business, raise awareness of security issues, and outline responsibilities.
- Strong access control measures
To ensure that critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.
- Regular vulnerability assessments
Vulnerability scanning helps to identify, classify and remediate common exposures such as weak user credentials and unpatched or out-of-date operating systems, applications and software. To comply with PCI requirements, vulnerability scans should be performed quarterly and after any significant network changes.
- Penetration testing
Performed by a professional ethical hacker, penetration testing is a more advanced form of cyber security assessment that helps to identify hidden vulnerabilities that could be exploited by malicious attackers. PCI requirements state that organisations should undertake internal and external tests at least annually, or after any significant change to network infrastructure.
- Log management and monitoring
The requirement to track and monitor access to network resources and cardholder data means that your business may need to invest in proactive network and endpoint monitoring tools such as SIEM software.
Don’t be afraid to seek out support and advice
The road to PCI DSS compliance can be full of pitfalls. Some organisations mistakenly believe that technology alone represents a potential fast-track to compliance while others incorrectly view adherence as a one-off exercise rather than a continuous programme of improvement. These issues typically arise from a failure to fully understand the requirements of the standard.
To avoid any unnecessary confusion, anguish and expense, it may be worth seeking out advice from a specialist data security company, who can provide you with the support you need to achieve and maintain full compliance.