PCI Compliance Guide
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of technical and operational requirements to protect cardholder data. The PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. to establish the requirements for and enforcement of PCI compliance.
PCI compliance requires any business that handles any aspect of payment card information to adhere to the policies and procedures set forth by the PCI-SSC to optimize the security of credit, debit, and cash card transactions as well as to protect cardholders’ personal information.
What is PCI Compliance?
Payment card industry (PCI) compliance, also known as PCI compliance, refers to the requirements organizations must adhere to if they process, store, or transmit payment card information. The twelve requirements for PCI compliance provide a framework and guidelines for protecting cardholder information.
The three main areas involved in PCI compliance are:
- 1. How organizations handle the collection of payment card data: specifically, the steps taken to collect and transmit that sensitive information securely.
- 2. How organizations store data: this includes encryption, ongoing monitoring, and vulnerability testing.
- 3. Annual validations that required security controls are in place: this can include forms, questionnaires, vulnerability scanning, and third-party audits.
PCI Compliance Oversight
Merchant banks perform PCI compliance oversight. According to PCI rules, it is mandatory that every organization or service provider that stores, processes, or transmits cardholder data (credit, debit, or prepaid card) maintain and validate PCI compliance.
Validation is performed with the PCI Report on Compliance, also known as an Annual Report on Compliance (RoC, AoC). The requirements for this reporting vary according to the number of transactions processed.
For merchants and service providers that handle fewer than six million transactions annually, PCI-DSS offers the option of Self-Assessment Questionnaires (PCI SAQ) and an Attestation of Compliance.
PCI SAQ
The PCI SAQ is a self-validation questionnaire used to determine if PCI compliance requirements are met. There are multiple versions of PCI SAQs which are used according to different payment processing scenarios. Each PCI SAQ includes questions related to PCI compliance requirements and an Attestation of Compliance.
Which Organizations Must Comply with PCI-DSS?
PCI compliance is required as part of contractual obligations between organizations and the major payment card brands (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) that make up the PCI SSC. In addition, some states incorporate PCI-DSS standards into their laws.
The following types of organizations must comply with PCI-DSS:
- Merchants: any entity that accepts payment cards branded with the logo of one of the five members of the PCI SSC
- Banks issuing payment cards: banks that issue payment cards branded with the logo of one of the five members of the PCI SSC
- Merchant banks and processors: any bank or financial institution that processes credit and debit card payments on behalf of merchants
- Developers: any entity that develops software that affects the security of cardholder data as it is being processed, transmitted, or stored
- Third-party service provider (TPSP): any organization that stores, processes, or transmits cardholder data on behalf of another entity
What are PCI Compliance Levels?
Each payment card brand defines PCI compliance levels according to its rules. The compliance levels are based on specific criteria, including the volume of payment card transactions performed per year.
Example of PCI compliance levels
- Level 1—process more than six million credit or debit card transactions annually across all channels or have been subject to an attack or a data breach that resulted in any compromise of cardholder data.
- Level 2—process between one and six million credit or debit card transactions annually across all channels.
- Level 3—process between 20,000 and one million e-commerce transactions annually.
- Level 4—process fewer than 20,000 e-commerce transactions.
PCI Compliance and Third-Party Processors
Third-party processors and agents must maintain PCI compliance. Organizations engage third-party processors to capture payment information, so it bypasses their systems. This relieves the burden of PCI compliance for the organizations’ systems, but it does not absolve them of their responsibility for validating the third-party processor’s PCI compliance.
When working with a third-party processor, consider these steps to confirm PCI compliance:
- Conduct a risk assessment and PCI compliance review before engaging a third-party processor.
- Establish procedures for all applicable security requirements, as well as measures to manage, monitor, and report on the implementation of those requirements.
- Write policies for PCI compliance maintenance.
- Put agreements in place to enforce PCI compliance by third-party processors.
- Distinguish between PCI compliance requirements that apply to the third-party processor and to the organization.
Penalties for Non-Compliance
If a breach can be connected to PCI non-compliance, the payment card brands may impose penalties on the organization’s acquiring bank. This fine is typically passed on to the organization.
At the discretion of the payment card company, acquiring banks can be fined between $5,000 and $500,000 per month. If breaches continue to occur, an organization can lose its right to process transactions with the brands’ cards.
Additional possible outcomes related to PCI non-compliance include:
- Closer monitoring of adherence to compliance requirements
- Forensic investigations
- Damage to brand reputation
- Disruption of operations
- Lawsuits
PCI Compliance Requirements
PCI compliance requirements include twelve guidelines that are set forth by the PCI SSC. The guidelines outline a series of steps that payment card processors must continually follow:
- 1. Assess security systems, business processes, and payment card handling procedures to identify potential threats or vulnerabilities.
- 2. Remediate security issues.
- 3. Avoid storing sensitive cardholder information.
12 PCI Compliance Requirements to Protect Cardholder Data
Secure networks
1. Install and maintain a firewall configuration.
2. Do not use default passwords provided with systems.
Secure cardholder data
3. Protect cardholder data that is stored.
4. Use encryption when transmitting cardholder data across public networks.
Manage vulnerabilities
5. Use and regularly update anti-virus software.
6. Develop and maintain secure applications and systems.
Control access
7. Restrict access to cardholder data to need-to-know.
8. Assign a unique username and password to everyone with access to system components.
9. Restrict physical access to cardholder data.
Monitor and test networks
10. Track and monitor all access to network resources that handle cardholder data.
11. Test security systems and processes regularly.
Have an information security policy
12. Maintain a policy that covers information security protocols.
PCI Compliance Benefits
Many PCI compliance benefits are security-related, as the data protection systems and processes put in place to maintain compliance safeguard far more than just cardholder information. Benefits related to PCI compliance include:
- Decreases risk of a security breach
- Increases customer confidence
- Provides security that addresses other regulations
- Helps to avoid fines
- Protects brand reputation
PCI Compliance and Data Breaches
PCI-DSS does not provide specific direction for how to handle a security breach. Each payment card brand has policies and procedures related to PCI compliance and data breaches.
However, PCI-DSS does reference incident response in sub-sections of Requirement 12 (“Maintain a policy that addresses information security for employees and contractors”):
- 12.10.2: Test the incident response plan at least annually.
- 12.10.3: Assign certain employees to be available 24/7 to deal with incidents.
- 12.10.4: Properly and regularly train staff with incident response responsibilities.
- 12.10.5: Set up alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.
- 12.10.6: Implement a process to update and manage the incident response plan in line with industry and organizational changes.
PCI Compliance Best Practices
Best practices for PCI compliance are generally guided by the twelve PCI-DSS requirements. Best practices to keep in mind include:
- Do not store cardholder information for longer than is required.
- Proactively implement security systems and processes to defend against a security breach.
- Prepare an incident response plan so processes are clear in the event of a security breach.
- Protect and monitor all systems and applications that handle cardholder data.
- Control access to any systems that handle cardholder data.
- Conduct annual and quarterly audits following guidance for appropriate PCI compliance level.
- Check the third-party processor’s PCI compliance continually.
PCI Compliance FAQs
What is PCI compliance?
PCI compliance means adhering to the rules set forth by the Payment Card Industry Data Security Standard (PCI-DSS), which was established in 2006 by the major credit card brands—Visa, MasterCard, American Express, Discover, and JCB International. Comprised of twelve requirements, each with sub-requirements, PCI-DSS establishes protocols for protecting cardholder data from theft or unauthorized use.
What kinds of organizations are required to maintain PCI compliance?
Any organization of any size or an individual that processes, stores, or transmits payment card information must meet PCI compliance requirements. Service providers such as transaction processors, payment gateways, customer call centers, web hosting providers, and data centers must also comply.
Are merchants outside the U.S. required to maintain PCI compliance?
Yes, all merchants that process, store, or transmit payment card information must meet PCI compliance requirements—even those outside of the U.S.
Should an organization that uses a third-party service provider to process payments be concerned about PCI compliance?
Yes, organizations are responsible for ensuring all contracted parties comply with PCI-DSS.
Are there any benefits to PCI compliance?
By maintaining PCI compliance, organizations can enhance their overall security posture, provide better data protection, and reduce the risk of security breaches. PCI compliance can also improve operational efficiency because many security policies are defined, and procedures are well-documented.
Why is PCI compliance important?
PCI compliance is important for a number of reasons. Failure to comply with PCI requirements can lead to:
- Costly fines
- Penalties, including revocation of payment card payment services or suspension of accounts
- Exposure to data breaches
What is PCI validation?
Annual validation requiring documentation of PCI compliance is mandated by the Payment Card Industry Security Standards Council (PCI SSC). Validation requirements vary based upon annual payment card transactions. PCI validation is performed via a self-assessment or an independent, onsite audit, depending on the annual transactions.
Do all organizations have the same PCI compliance validation requirements?
All organizations and service providers, regardless of where they are based, their size, or the number of payment card transactions processed each year, must submit a passing vulnerability scan performed by an Approved Scanning Vendor (ASV). Beyond that, there are different levels of requirements (Level 1-4) based on transaction volume.
How often is PCI compliance validation required?
PCI compliance must be validated and reported annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) issued by a third party.
What kind of vulnerability scanning is required to validate PCI compliance?
Internal and external vulnerability scanning must be performed quarterly to maintain PCI compliance. External vulnerability scans must be conducted by an Approved Scanning Vendor (ASV).
Is PCI compliance required by law?
PCI compliance is not federal law. Some states have incorporated PCI compliance into their laws.
What happens if an organization fails to maintain PCI compliance?
Failure to maintain PCI compliance can result in fines and penalties. It can also increase the risk of a security breach.
Does an organization need to maintain PCI compliance even if they only process a few transactions per year?
Yes. Even if only a single transaction is processed per year, PCI compliance is required.
What are the steps to achieve PCI compliance?
The steps to achieve PCI compliance include:
- Determine PCI validation type, based on transaction volume.
- Address all requirements.
- Validate PCI compliance annually.
- Complete and report quarterly results of internal and external vulnerability scans.
What is a PCI PFI?
A PCI Forensic Investigator (PFI) follows an established, standardized process for forensic investigation and reporting of payment card data breaches.
What is a PCI Self-Assessment Questionnaire (PCI SAQ)?
A PCI Self-Assessment Questionnaire (PCI SAQ) is an organization’s statement of PCI compliance. A SAQ demonstrates that necessary security systems and processes are in place to protect cardholder data.
Do all organizations use the same SAQ?
No. The type of SAQ used by an organization depends on the processing environment. SAQ options include:
- SAQ A: for e-commerce / mail / telephone-order (card-not-present) merchants that outsource all cardholder data processing and do not store, process, or transmit any cardholder data.
- SAQ A-EP: for e-commerce-only merchants that outsource all cardholder data processing and do not store, process, or transmit any cardholder data.
- SAQ B: for merchants that use imprint machines or standalone, dial-out terminals and do not store cardholder data.
- SAQ B-IP: for merchants using only standalone PIN Transaction Security (PTS) payment terminals that connect to a payment processor, have no electronic cardholder data storage, and do not engage in e-commerce.
- SAQ C-VT: for merchants that use a virtual terminal on one computer dedicated solely to payment card processing, have no electronic cardholder data storage, and do not engage in e-commerce.
- SAQ C: for merchants with a payment system connected to the Internet that do not store cardholder data.
- SAQ P2PE: for merchants that use point-to-point encryption (P2PE) devices and do not store cardholder data.
- SAQ D: for merchants that store cardholder data electronically.
What is a PCI compliance certificate?
A PCI compliance certificate is a document presented by some QSA and ASV providers stating that an organization has met PCI compliance requirements. This certificate is not required to demonstrate that an organization is compliant.
Is PCI compliance required if the organization does not use a computer to process payment card payments?
Yes. PCI compliance is required for any organization that stores, handles, or processes payment card information, whether it is done on a computer or paper.
Who enforces PCI compliance?
PCI compliance is enforced by the five payment card brands—Visa, MasterCard, American Express, JCB International, and Discover. Compliance guidelines, reporting and validation requirements, deadlines, and penalties for noncompliance vary by brand.
Non-Compliance with PCI Is Not an Option
Failure to comply with PCI-DSS can mean losing the right to process payment cards branded by the five major payment companies. It can also result in hefty fines and onerous monitoring.
If an organization processes, stores, or transmits payment card information, PCI compliance is a must. The good news is that the security requirements for PCI compliance also improve overall security and enable compliance with other regulations.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 23rd July, 2021