Do I Need To Be PCI Compliant?
It’s complicated, but if your business (be it a sole trader, small business, national or global entity) is processing, storing, and transmitting credit card information, I recommend you continue reading.
But first, I am going to make a promise to you.
I promise this post will not contain any nerdy technical terms, detail the standard’s requirements, or any debates about the interpretation of said requirements. This post is for business owners seeking to understand if they need to be “PCI compliant” and, if so, what to do next.
And before I continue, I need to mention that this post is for merchants only. If you believe your business is a “service provider” (for example, your customers are other merchants that you store, process, or transmit cardholder data for), then see my post covering PCI DSS service providers.
So, What is PCI DSS?
So, let’s ensure that we are on the same page with the term “PCI”.
The Payment Card Industry Security Standards Council (PCI SSC) is tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), which is commonly referred to as “PCI”. There is, in fact, more than just the PCI DSS standard that the PCI SSC is required to manage, but at a guess, you would not be reading this post if you were looking for information on those standards.
PCI DSS Standard
The PCI DSS standard is comprised of 12 high-level requirements. Each requirement addresses a component of securing credit card data.
For example, Requirement 1 addresses the need to have a firewall installed within certain parts of your computer network; Requirement 2 looks at ensuring any vendor defaults for accounts or configurations are changed; and Requirement 12 deals with policy and standards, among other things. Each of the 12 requirements is then broken down into sub-requirements that address specific compliance items.
At the time of writing this post, there are 240+ requirements for PCI DSS 3.2! Don’t be worried yet. Depending on your business, not all requirements may apply to you.
The table below lists the 12 high-level requirements.
Requirement | Description |
---|---|
Requirement 1 | Install and maintain a firewall configuration to protect cardholder data |
Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
Requirement 3 | Protect stored cardholder data |
Requirement 4 | Encrypt transmission of cardholder data across open, public networks |
Requirement 5 | Use and regularly update anti-virus software on all systems commonly affected by malware |
Requirement 6 | Develop and maintain secure systems and applications |
Requirement 7 | Restrict access to cardholder data by business need-to-know |
Requirement 8 | Assign a unique ID to each person with computer access |
Requirement 9 | Restrict physical access to cardholder data |
Requirement 10 | Track and monitor all access to network resources and cardholder data |
Requirement 11 | Regularly test security systems and processes |
Requirement 12 | Maintain a policy that addresses information security |
To reach PCI DSS compliance, you must meet each requirement’s objectives that apply to your scope of work, which I will cover later in this post.
PCI DSS is an annual reporting process. Even though you only have to report on your compliance annually, you’re expected to stay compliant throughout the year.
Why Do I Have to be “PCI DSS Compliant”?
In short, PCI DSS is here to help reduce the chances of stolen credit card data, including your credit cards!
PCI DSS is essential and much needed in helping businesses improve their IT security. Almost every day, a significant breach of personal information, including credit card data, is reported in the news.
I would not be surprised if many of you have had your personal information, including bank details and credit card data, stolen due to a business’s IT security failure.
When your business becomes PCI DSS compliant, you are helping reduce the chances of your customers’ data being stolen – that’s good for business, right?
Also, it’s important to note that if you do suffer a breach that results in credit card data being stolen, you could face several consequences, such as:
- Your acquiring bank may pass on any fines it receives from the credit card brands and other interested parties, and
- Your acquiring bank may stop processing credit card transactions from you, and
- Your acquiring bank may demand that you undertake a costly forensic examination to determine how the breach occurred.
Often the cost imposed on your business if you suffer a breach without being PCI DSS compliant is far more than the cost of becoming PCI compliant in the first place.
Being PCI DSS compliant will not make your business 100% secure, but it will help reduce your risk of a breach.
Who or What is Enforcing PCI DSS Compliance?
The PCI SSC has no power to enforce a business to become PCI DSS compliant – that’s not their mandate.
However, if you accept credit cards as payment, be it accepting a physical credit card at your shop, or over the phone, via email, via snail-mail, or online such as your eCommerce site or any other channel, your bank that processes the credit card transaction on your behalf (called an “acquiring bank”) will often include a contractual requirement for you to be PCI DSS compliant.
If you refuse to become compliant, the acquiring bank will often show you the door.
Why does the acquiring bank care so much about my PCI DSS compliance?
Great question! The acquiring bank carries the risk of being fined by the credit card brands that formed the PCI SSC if your business suffers a breach of credit card data. So, your acquiring bank will expect you to become PCI DSS compliant more often than not.
How do I know what PCI DSS requirements I need to meet?
As a QSA, I advise contacting your acquiring bank and asking them. As mentioned above, your acquiring bank is fined by the payment card brands if your business suffers a breach resulting in stolen credit card data, so they accept the risk.
I could cover the difference between a Report on Compliance “RoC” and the different Self-Assessment Questionnaires “SAQ,” but I do not want to lead you up the wrong path.
One thing I will say is that unless your business is considered a “Level 1” (which means your business processes more than 6 million card transactions per annum, or you’re a global merchant, or if under Mastercard, a merchant that has suffered a hack/attack that resulted in account data compromise), your acquiring bank will likely ask you to complete one or more Self-Assessment Questionnaires.
Again, contact your acquiring bank and ask them.
10 Tips for Improving Your Chances at PCI DSS Compliance
Below are a few tips to help your business towards PCI DSS compliance. These are general IT security tips, so regardless of where you are with your PCI DSS compliance, they will help improve your IT security.
NOTE! These tips do not guarantee PCI DSS compliance on their own!
Respect credit card data
Have a long hard think about why you need to store credit card data after using it for a transaction. The key recommendation of PCI SSC is if you don’t need to keep credit card data, then don’t! Not storing credit card data after a transaction will reduce your PCI DSS compliance requirements by quite a bit.
If you store credit card data electronically, make 100% sure that only people who need access to that data have it, and that the systems storing credit card data are well protected from unauthorised access.
There are strict requirements around storing credit card data, including encryption-at-rest. If this sounds too hard, consider having your payment gateway provider store the credit card data and your business use a payment token instead.
If credit card details are written down on paper and need to be stored for some time, ensure that the storage container can be locked and the key to unlocking the container is only accessible to authorized users. Do not leave credit card details unprotected, such as lying around on post-it notes.
Plus, if any of your systems transmit credit card data, for example, from your eCommerce site to your payment gateway, ensure the transmission is encrypted. For an eCommerce site, this usually means using only the HTTPS protocol. Ensure that the “TLS 1.2” protocol is used, not “SSL” or “TLS 1.0” or “TLS 1.1”.
Use this free and beneficial tool https://www.ssllabs.com to understand what protocols are currently used by your systems.
Record all systems and users that process, store or transmit credit card data.
Once all systems and users have been recorded, see where you can reduce how many users and systems need to “touch” the credit card data. The fewer systems and users that “touch” credit card data, the easier it is for you to reach PCI DSS compliance.
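As an added example (not part of the original post), this short Python script shows one way to locate stored card numbers when recording which systems hold credit card data: it scans text for runs of 13 to 19 digits, keeps those that pass the Luhn checksum, and reports them masked. The function names and the sample text are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Show only the last four digits so the report does not store card numbers."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    """Return (line_number, masked_number) for each likely card number in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Skip runs of one repeated digit (all zeros passes Luhn).
            if len(set(digits)) > 1 and luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample: a support note containing publicly documented test card
# numbers (not real accounts) and an order number that fails the checksum.
SAMPLE = """Customer called about order 1234567890123456
Card on file: 4111111111111111 exp 12/30
Alt card 5555-5555-5555-4444, phone 09 555 0100
"""

if __name__ == "__main__":
    for lineno, masked in find_card_numbers(SAMPLE):
        print(f"line {lineno}: possible card number {masked}")
```

Any file, export or log that produces a hit belongs on the list of systems that store credit card data.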
Patching
Implement a patching schedule for your IT systems to ensure the latest patches are installed promptly.
For critical patches, ensure the patch is applied less than one month from the patch’s release.
If you have any end-of-life operating systems, such as Windows XP or Windows 2003 Server, focus on upgrading or replacing the operating systems ASAP.
No patches are available to the general public for these operating systems, which means these systems are at a much higher risk of being attacked.
Admin access
Only grant local admin access to operating systems to users who need it.
Antivirus
Ensure all computers have an anti-virus tool installed and a local firewall.
Ensure that the anti-virus signatures are kept up-to-date and that the anti-virus software and firewall cannot be turned off or configured without authorization.
Strong Passwords
Ensure all users have strong passwords and don’t share their computer accounts with others.
Stop using any computer accounts used by more than one user (customarily called a “shared account”). Every user should have their own computer account, which allows you to better track user actions within your environment.
Change all vendor-supplied default accounts/passwords and any configurations that could make the device vulnerable to attack.
Search in Google for “default password for ” and add the device’s name. You will be surprised at the number of Internet-facing devices with the default username and password active!
Firewall
Look at placing a firewall at the perimeter of your business environment to control traffic flow in and out of your business.
Only allow the traffic you consider a business need to flow in and out of your business. You may also need additional firewall(s) between the “perimeter” firewall and where card data is transmitted, processed, and stored – you may need help from a network IT professional.
Records
Record all service providers with access to your IT systems, including what permissions they have, what user accounts they use to access your environment, and why they have access to it.
It would be best to have awareness and control over all service providers who have access to your IT systems. The number of IT security breaches caused by service providers is staggering.
IT Security basics
Implement a basic IT security education program for your users to be conducted when a person starts and annually.
The program should cover IT security basics such as creating strong passwords, identifying phishing/social engineering, how to protect credit card data, thinking before clicking on an email attachment, watching out for tail-gating, etc.
IT Security policy
Write an IT Security policy that your users can refer to when required. The policy should cover IT security within your business, from patching schedule, approved software, security configurations for computers such as anti-virus/local firewall, remote access, Internet usage, enforcement, etc.
So let’s recap.
PCI DSS is a standard comprising 12 high-level requirements addressing credit card data security.
Each of the 12 requirements is then broken down into sub-requirements addressing a particular security objective.
If you’re a merchant that accepts credit cards as payment, be it physically taking cards at your shop, over the phone, via email, via snail-mail, via eCommerce, or any other channel, then more than likely your acquiring bank will expect you to be PCI DSS compliant.
Depending on how you accept credit cards and your level of credit card transactions, not all 240+ requirements will apply to your business to reach PCI DSS compliance.
To become “PCI DSS” compliant, you must meet the “testing procedures” for each requirement that applies to you. For example, if the requirement is to have a firewall installed within your network used for your business, then to meet that requirement, you need to install a firewall in the way required by PCI DSS.
Reporting on PCI DSS compliance is an annual process. But compliance should be part of how you run your business daily.
Contact your acquiring bank and ask them what they require you to provide to demonstrate your compliance. They’ll likely be able to tell you what forms to submit and whether you can fill them in yourself or need to get a QSA to help.
If you accept credit cards, do not ignore PCI DSS! If you do, and your business suffers a breach resulting in stolen credit card data, there is a high likelihood that your acquiring bank will knock on your door, and it won’t be an enjoyable experience!
PCI DSS Resources
PCI DSS Website -> https://www.pcisecuritystandards.org/
PCI DSS Official Document Library -> https://www.pcisecuritystandards.org/document_library
Author Details
Marc is a PCI QSA at Confide and has been working with the company since May 2016. Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.