PCI DSS compliance: Everything you need to know
Helen Huyton, Merchant Data Security Analyst at Adyen dives into the not-so-scary world of PCI DSS compliance.
Disclaimer: This article should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions.
As the population increases, so does the amount of data processed every day. Over 90% of the data in the world was generated in the last few years alone, and the volume is only going to increase.
According to PCI SSC, the average total cost of a data breach is $3.8 million, which is a compelling reason to avoid one if you possibly can. And, while it can be hard to stay on top of compliance requirements, poor handling of payment card details can have serious implications.
In this article, we’ll explore what we’ve learned over the years in helping businesses stay on the right side of PCI DSS. And we’ll outline the steps you can take to build a sustainable, secure business.
What is PCI DSS compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of Mastercard, Visa, American Express, JCB, and Discover.
PCI DSS has six core principles:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management programme
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
PCI compliance requirements
The PCI DSS requirements applicable to you will depend on your compliance level (explained below) and your integration type. But, broadly speaking, there are 12 PCI compliance requirements:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programmes
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
To whom does PCI compliance apply?
Every business accepting credit card payments has to comply with PCI DSS. Even though PCI DSS is not part of any law, the standard is applied around the world. And there are some pretty significant penalties and costs for organisations that don’t comply with the requirements. On top of that, there’s a chance card networks will significantly lower or eliminate PCI fines if you can prove you’ve taken all the necessary steps to be PCI DSS compliant.
PCI compliance levels
Your PCI scope depends on your compliance level, which is assigned based on your annual card transaction volume. There are four levels:
Level 1: This is the highest security level. You are placed here if you process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express transactions a year, if you have experienced a data breach, or if a card network has seen fit to categorise you as Level 1.
Level 2: You process between 1 and 6 million transactions each year.
Level 3: You process between 20,000 and 1 million online transactions, or less than one million transactions in total, each year.
Level 4: You process less than 20,000 online transactions, or less than one million transactions in total, each year.
How to be PCI compliant
To become PCI compliant, you will have to implement the requirements that are applicable to your compliance level. And fill in a form or two. The most common form is the ‘Self-Assessment Questionnaire A’ or ‘SAQ A’.
The SAQ A is intended as a tool to help you assess which requirements you need to implement. The fundamentals of the assessment consist of three security best practices:
Don’t use preset usernames and passwords, and don’t use any factory settings.
Use strong passwords and unique user IDs. Passwords should be at least 7 characters long and contain numeric, alphabetic and special characters.
Stay up to date with new software patches as soon as they’re released.
7 steps to becoming PCI DSS compliant
In addition to the basics above, here’s a breakdown of the steps you need to take to ensure you’re PCI compliant.
1. Map the flow of cardholder data: Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.
2. Scope your environment: The scope is the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD).
3. Make an assessment: Assess your current level of PCI compliance according to an SAQ A. The person completing the assessment should have sufficient knowledge to be able to assess the environment.
4. Make any necessary changes: You may realise your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.
5. Fill out the Self-Assessment Questionnaire (SAQ) A: This form should be completed and signed by a professional qualified to sign off on security-related matters. This might be your Chief Security Officer or Chief Technology Officer.
6. Submit documents to your Payments Service Provider (PSP): Once you've completed your forms, you can submit them to your PSP (such as Adyen).
7. Set up regular monitoring: Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event but a continuous, ongoing process.
Note: Sometimes your payment page may be overlooked
If an attacker gains unauthorised access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or overlay an iframe on top of the existing payment iframe. In these scenarios the payment may still be completed, but a copy of the cardholder data is also sent to the attacker. The risks associated with this integration can be significantly reduced by implementing the requirements outlined in the SAQ A.
PCI DSS 4.0
The latest version of PCI DSS was introduced in March 2022. The 12 core PCI DSS requirements remain fundamentally the same, but 4.0 also expands requirements in developing security and technology areas such as mobile phones and tablets, contactless payments, cloud adoption, new software development practices, and increased dependence on third parties.
To guide the creation of version 4.0, the PCI Security Standards Council agreed four objectives:
To ensure the standard continues to meet the security needs of the payments industry.
To add flexibility and support of additional methodologies to achieve security.
To encourage businesses to view security as a continuous process.
To enhance validation methods and procedures to be more robust.
PCI DSS 4.0 is designed to ensure account data is properly protected and that businesses are clear on their responsibilities in making that happen. It will also ensure the standard is aligned with the latest changes in the security landscape, expanding requirements into a few new areas, and providing clearer guidance for businesses to follow.
As always, we’re ahead of every update to compliance standards around the world, and work closely with all parties involved to ensure a more secure payments space for everyone.
About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.