Guide to PCI compliance

 

The PCI Security Standards Council’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.

 

To improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies all had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy, the PCI Data Security Standards (known as PCI DSS) to ensure a baseline level of protection for consumers and banks in the Internet era.

 

Participating Organization membership in the PCI Security Standards Council is open globally to those affiliated with the payment card industry, including merchants, banks, processors, hardware and software developers, and point-of-sale vendors.

Collaboration is at the heart of the Council’s mission to help secure payment data globally. As a global forum, we bring together payments industry stakeholders to develop and drive implementation of data security standards and resources for safe payments worldwide.

Join our growing community of Participation Organizations and play an active part in helping secure the future of payments.

 

If your business model requires you to handle card data, you may be required to meet each of the 300+ security controls in PCI DSS. There are over 1,800 pages of official documentation, published by the PCI Council, about PCI DSS, and over 300 pages just to understand which form(s) to use when validating compliance. This would take over 72 hours just to read.

To ease this burden, the following is a step by step guide to validating and maintaining PCI compliance.

PCI DSS compliance involves 3 main things:

1. Handling the ingress of credit card data from customers, namely, that sensitive card details are collected and transmitted securely
2. Storing data securely, which is outlined in the 12 security domains of the PCI standard, such as encryption, ongoing monitoring, and security testing of access to card data
3. Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services and 3rd party audits

Handling card data

Some business models do require the direct handling of sensitive credit card data when accepting payments, while others do not. Companies that do need to handle card data (e.g., accepting untokenized PANs on a payment page) may be required to meet each of the 300+ security controls in PCI DSS. Even if card data only traverses its servers for a short moment, the company would need to purchase, implement, and maintain security software and hardware.

If a company does not need to handle sensitive credit card data, it shouldn’t. Third party solutions securely accept and store the data, whisking away considerable complexity, cost and risk. Since card data never touches its servers, the company would only need to confirm 22 security controls, most of which are straightforward, such as using strong passwords.

Storing data securely

If an organization handles or stores credit card data, it needs to define the scope of its cardholder data environment (CDE). PCI DSS defines CDE as the people, processes and technologies that store, process, or transmit credit card data—or any system connected to it. Since all 300+ security requirements in PCI DSS apply to CDE, it’s important to properly segment the payment environment from the rest of the business so as to limit the scope of PCI validation. If an organization is unable to contain the CDE scope with granular segmentation, the PCI security controls would then apply to every system, laptop, and device on its corporate network. Yikes!

Annual validation

Regardless of how card data is accepted, organizations are required to complete a PCI validation form annually. The way PCI compliance is validated depends on a number of factors, which are outlined below. Here are 3 scenarios in which an organization could be asked to show that it is PCI compliant:

• Payment processors may request it as part of their required reporting to the payment card brands
• Business partners may request it as a prerequisite to entering into business agreements
• For platform businesses (those whose technology facilitates online transactions among multiple distinct sets of users), customers may request it to show their customers that they are handling data securely

The latest set of security standards, PCI DSS version 3.2.1, includes 12 main requirements with over 300 sub-requirements that mirror security best practices.

BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS

1. 1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA

1. 1. Protect stored cardholder data
   2. Encrypt transmission of cardholder data across open or public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

1. 1. Protect all systems against malware and regularly update anti-virus software
   2. Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES

1. 1. Restrict access to cardholder data by business need to know
   2. Identify and authenticate access to system components
   3. Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS

1. 1. Track and monitor all access to network resources and cardholder data
   2. Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY

1. Maintain a policy that addresses information security for all personnel

 

A good starting point for a “PCI team” would include representation from the following:

• Security: The Chief Security Officer (CSO), Chief Information Security Officer (CISO), and their teams ensure the organization is always properly investing in the necessary data security and privacy resources and policies.
• Technology / Payments: The Chief Technology Officer (CTO), VP of Payments, and their teams make sure that core tools, integrations, and infrastructure remain compliant as the organization’s systems evolve.
• Finance: The Chief Financial Officer (CFO) and their team ensures that all payment data flows are accounted for when it comes to payment systems and partners.
• Legal: This team can help navigate the many legal nuances of PCI DSS compliance.