PCI DSS compliance: Everything you need to know

PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of technical and operational requirements intended to protect account data, combat fraud, and reduce the chances of a data breach. Launched in 2006, PCI DSS was developed by the PCI Security Standards Council (PCI SSC), an independent body made up of Mastercard, Visa, American Express, JCB, and Discover.

PCI-DSS has six core principals:

• Build and maintain a secure network

• Protect cardholder data

• Maintain a vulnerability management programme

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

The PCI DSS requirements applicable to you will depend on your compliance level (explained below) and your integration type. But, broadly speaking, there are 12 PCI compliance requirements:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software or programmes

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

Every business accepting credit card payments has to comply with PCI DSS. Even though PCI DSS is not part of any law, the standard is applied around the world. And there are some pretty significant penalties and costs for organisations that don’t comply with the requirements. On top of that, there’s a chance card networks will significantly lower or eliminate PCI fines if you can prove you’ve taken all the necessary steps to be PCI DSS compliant.

PCI compliance levels

Your PCI scope will depend on your compliance level to which you are assigned based on your annual card transaction volume. There are four levels:

Level 1: This is the highest security level and you're here either because: You process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express; you've experienced a data breach; a card network has seen fit to categorise you as Level 1.

Level 2: You process between 1–6 million transactions each year.

Level 3: You process between 20,000–1 million online transactions or less than one million in total each year.

Level 4: You process less than 20,000 online transactions or less than one million in total each year.

To become PCI compliant, you will have to implement the requirements that are applicable to your compliance level. And fill in a form or two. The most common form is the ‘Self-Assessment Questionnaire A’ or ‘SAQ A’.

The SAQ A is intended as a tool to help you assess which requirements you need to implement. The fundamentals of the assessment consist of three security best practices:

• Don’t use preset usernames and passwords, and don’t use any factory settings.

• Use strong passwords and unique user IDs. At least 7 character passwords (numeric, alphabetic and special characters).

• Stay up to date with new software patches as soon as they’re released.

In addition to the basics above, here’s a breakdown of the steps you need to take to ensure you’re PCI compliant.

1. Map the flow of cardholder data:Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.

2. Scope your environment:The scope is the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD). More information can be found here.

3. Make an assessment:Assess your current level of PCI compliance according to an SAQ A. The person completing the assessment should have sufficient knowledge to be able to assess the environment.

4. Make any necessary changes:You may realise your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.

5. Fill out the Self-Assessment Questionnaire (SAQ) A:This form should be completed and signed by a professional qualified to sign off on security related matters. This might be your Chief Security Officer or Chief Technology Officer.

6. Submit documents to your Payments Service Provider (PSP):Once you’ve completed your forms, you can submit them to your PSP (such as Adyen).

7. Setup regular monitoring: Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event, but a continuous, ongoing process.

Note: Sometimes your payment page may be overlooked

If an attacker gains unauthorised access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker. The risks associated with this integration can be significantly reduced by implementing the requirements as outlined in the SAQ A.

The latest version of PCI DSS was introduced in March 2022. The 12 core PCI DSS requirements remain fundamentally the same. But 4.0 also includes an expansion of requirements in developing security and technology areas such as mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased dependence on third parties.

To guide the creation of version 4.0, the PCI Security Standards Council agreed four objectives:

• To ensure the standard continues to meet the security needs of the payments industry.

• To add flexibility and support of additional methodologies to achieve security.

• To encourage businesses to view security as a continuous process.

• To enhance validation methods and procedures to be more robust.

PCI DSS 4.0 is designed to ensure account data is properly protected and that businesses are clear on their responsibilities in making that happen. It will also ensure the standard is aligned with the latest changes in the security landscape, expanding requirements into a few new areas, and providing clearer guidance for businesses to follow.

As always, we’re ahead of every update to compliance standards around the world, and work closely with all parties involved to ensure a more secure payments space for everyone.

About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.