Learn about PCI compliance and how to meet data security standards
If you’re a business leader, you know just how important compliance is. In any industry, monitoring the laws regulating your business is key to mitigating risk and maintaining the health, productivity, and longevity of the company.
However, there are special standards related to credit cards, and these standards are important to understand and implement effectively. Fortunately, the requirements are clear — and there are plenty of resources to help make compliance simple.
In this blog, we'll cover what PCI compliance is, the 12 requirements of PCI DSS, the benefits of complying, and some best practices for getting there.
What is PCI compliance?
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for any business that stores, processes, or transmits payment card data.
The PCI Security Standards Council, a joint venture between the five major payment card brands — American Express, Discover, JCB, Mastercard, and Visa — administers PCI DSS. Since 2006, the PCI Security Standards Council has worked to fulfill its mission of “enhancing global payment account data security.”
PCI DSS applies to service providers and merchants. A service provider is a business that processes, stores, or transmits cardholder data on behalf of another business (a payment gateway or hosting provider, for example). A merchant is a business that accepts payment cards for goods or services, whether in person, by phone, or online.
If your business processes debit or credit card transactions for any reason, it’s critical to understand and comply with PCI data security standards. Compliance ensures sensitive information stays secure and payment processing workflows run smoothly, protecting your business from potential fines or limited scope of operation.
12 requirements of PCI DSS compliance
PCI DSS compliance is an important part of keeping payment processes running across every industry and line of business. Though not itself a law, PCI DSS is enforced contractually: card brands and acquiring banks require it, and compliance allows your company to keep processing payments in good standing with them.
Standards are updated regularly, and how a business validates compliance depends on its annual transaction volume: high-volume merchants and service providers need an on-site assessment by a Qualified Security Assessor, while smaller ones complete a self-assessment questionnaire. Understanding the 12 requirements of PCI DSS for your business can help your company maintain healthy business continuity.
Each of these PCI DSS requirements is aimed at hardening the systems that handle cardholder data, making a breach harder to achieve and easier to detect. Layering safety measures, a strategy called "defense in depth," means that no single control failure exposes the data. For nearly all of these requirements, it's essential to ensure that security policies and procedures are documented, in use, and known to all parties involved.
1. Maintain firewalls
PCI compliance starts with implementing a firewall (or, in PCI DSS v4.0's wording, "network security controls," which also covers equivalents such as cloud security groups) to protect cardholder data. A firewall is a vital part of security architecture, establishing a protective boundary between the cardholder data environment and other networks, internal or external. It filters incoming and outgoing traffic according to a set of rules and is designed to block suspicious or malicious traffic from reaching systems that hold cardholder data.
Firewalls are the foundation for PCI security, as they are the first line of defense against data loss or compromise. But not just any firewall will meet compliance standards — flawed and incorrectly configured firewalls can create significant security vulnerabilities. More than 20 PCI DSS sub-requirements outlining firewall specifics address misconfiguration issues and provide guidance about the installation, maintenance, and updating of secure firewalls.
2. Secure passwords
Passwords that are too simple, left at vendor defaults, or otherwise insecure can create serious vulnerabilities in an otherwise secure system. Passwords must be hardened to do their job as robust gatekeepers, and layering additional measures on top of them helps keep the accounts they protect safe.
Password security measures include a variety of techniques such as:
- Implementing password creation best practices
- Setting up multifactor authentication
- Using biometric factors or scrambled on-screen keypads where passwords or PINs are entered on shared devices
Password complexity parameters for PCI compliance include stipulations around the length, type, variety, variability, and uniqueness of character combinations. Additionally, PCI data security standards dictate how often a password should be changed by a user, how many failed attempts are allowed before an account is locked and for how long, that all vendor-supplied default passwords must be changed before a system goes into production, and that passwords and passphrases must be rendered unreadable with strong cryptography during storage (in practice, a salted slow hash) and transmission.
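The rules just described, enforced in working code. This is an added example, not code from the original post or from Adobe Commerce; the specific values (12-character minimum with letters and digits, no reuse of the last four passwords, lockout after six failures for 30 minutes, 600,000 PBKDF2 iterations) are assumptions drawn from PCI DSS v4.0 Requirement 8 and OWASP password-storage guidance, and the default-password deny-list is a constructed stand-in for a real one.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumed policy values (PCI DSS v4.0 Requirement 8; tune to your assessor's reading).
MIN_LENGTH = 12
HISTORY_DEPTH = 4
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256

# Constructed deny-list of vendor defaults; a real deployment uses a far larger one.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456789012", "magento2024"}


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time compare so a timing oracle cannot leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def policy_violations(password: str, history: list[str]) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default or common password")
    # History holds salted hashes, so reuse is detected by verifying, not comparing.
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


class Account:
    def __init__(self, user_id: str, initial_password: str):
        self.user_id = user_id  # unique per person, never shared (Requirement 8)
        self.history: list[str] = []
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.set_password(initial_password)

    def set_password(self, new_password: str) -> None:
        problems = policy_violations(new_password, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(new_password))

    def authenticate(self, password: str, now: float | None = None) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"  # no hashing while locked: no oracle, no CPU burn
        if verify_password(password, self.history[-1]):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"
```

Two details worth copying into real systems: the lockout check runs before any hashing, so a locked account costs the server nothing and tells the attacker nothing, and reuse is checked by verifying the candidate against the stored salted hashes rather than by keeping old passwords in a recoverable form.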
3. Protect cardholder data
Implementing safeguards around cardholder data during storage helps prevent credit card fraud and information compromise. As with other PCI standards, protecting stored data should be considered a minimum level of security. Methods of stored data protection include encryption, truncation, tokenization, one-way hashing, and masking.
Secure management of cryptographic keys also is vital to good data protection. Strong encryption is useless if encryption keys are easily obtained, so keys must be stored separately from the data they protect, rotated when they reach the end of their cryptoperiod or are suspected of compromise, and handled only by a small number of trusted custodians; where keys are managed manually in clear text, PCI DSS requires split knowledge and dual control so no single person ever holds a whole key.
Finally, bear in mind that a primary account number (PAN) must be unreadable during storage. This includes portable storage and backup media such as flash, USB, and external hard drives, and even audit logs.
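The storage protections named above (masking, truncation, keyed one-way hashing) and the "even audit logs" point, as an added example that is not part of the original post or of Adobe Commerce's code. The regular expression, the choice of first-six/last-four masking, and the sample log lines are assumptions; the card numbers are the brands' published test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (assumed pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four; the rest is gone for good."""
    return pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). An unkeyed hash of a PAN is brute-forceable
    over the ~10^9 numbers in a known BIN; the key must live in the key-management
    system, never beside the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact_pans(line: str) -> str:
    """Replace Luhn-valid PANs in a log line with their masked form; other numbers stay."""
    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return raw
    return PAN_CANDIDATE.sub(_replace, line)


# Constructed sample log lines; the third contains a 16-digit number that fails Luhn.
SAMPLE_LOG = [
    "2024-03-02T12:00:01Z order=10042 pan=4111 1111 1111 1111 amount=59.99",
    "2024-03-02T12:00:05Z order=10043 pan=378282246310005 amount=120.00",
    "2024-03-02T12:00:09Z order=10044 ref=4111111111111112 status=declined",
]
```

Run `redact_pans` over every line before it reaches disk or a log pipeline; the Luhn check keeps order numbers and timestamps intact while any real card number is reduced to the same masked form the standard allows on a receipt. Of the three storage techniques, truncation is the only one that removes the data entirely, which is why it is preferred wherever the full number is not needed.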
4. Encrypt transmission of cardholder data
Safeguarding data during transmission is key to protecting cardholder data. When sensitive information is transmitted over open networks, it becomes more vulnerable to attack or compromise.
Secure transmission practices include:
- Trusted keys and certificates, with the server's certificate validated on every connection
- Secure transmission protocols such as TLS, SSH, or an IPsec VPN
- Strong cryptography only: SSL and early TLS (1.0 and 1.1) are no longer acceptable, so TLS 1.2 or later with modern cipher suites
- Never sending PANs unprotected over end-user messaging such as email, instant messaging, or SMS
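A client-side TLS configuration meeting the points above, next to the shortcut that fails an assessment, as an added example that is not from the original post or from Adobe Commerce. It uses only Python's standard `ssl` module; the audit function and its finding texts are this example's own.

```python
from __future__ import annotations

import ssl

REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2  # SSL and early TLS are not strong cryptography


def hardened_client_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """TLS 1.2 or later only, peer certificate required, hostname verified."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # system CA store when None
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'it works now' shortcut: verification switched off, so any interceptor
    holding any certificate can terminate the connection and read the PANs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the Requirement 4 problems with a context (empty list = acceptable)."""
    findings = []
    if ctx.minimum_version < REQUIRED_MIN_VERSION:  # TLSVersion is an IntEnum
        findings.append(f"allows {ctx.minimum_version.name}: SSL/early TLS permitted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: open to interception")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any valid certificate is accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("legacy", legacy_client_context())):
        print(name, audit_context(ctx) or "OK")
```

Pass the hardened context to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request` when calling a payment gateway. The same three checks (minimum protocol version, certificate required, hostname verified) are what an assessor looks for in the server-side configuration of your own endpoints, and in any script that disables verification to "get past" a certificate error.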
5. Maintain antivirus software
Antivirus (anti-malware) software helps keep out all kinds of malware, including viruses, worms, and ransomware, and can detect and flag suspicious behavior. PCI DSS requires it on every in-scope system commonly affected by malware, kept current and actively running, with periodic confirmation that systems considered not at risk (some mainframes, for example) still are not.
Here are some requirements for antivirus software:
- It must detect, defend against, and remove malware of all types.
- It should be protected by the most recent security updates.
- Its configurations must not be accessed by unauthorized persons or altered.
- Its scans of systems should be regular.
- Malware activity should be monitored through audit logs.
6. Keep software updated and secure
Applying vendor security patches promptly and maintaining secure configurations reduces the vulnerabilities that out-of-date software exposes. Vulnerability announcements are typically published on vendors' security pages, mailing lists, and RSS feeds.
Because threats and vulnerabilities evolve continuously, they must be monitored actively. Vulnerabilities should be classified by risk level so that high-risk issues can be addressed first. Critical security patches from the vendor must be installed within a month of their release, and lower-risk patches within a reasonable period (commonly taken to be within three months).
Both internal and external software development should be created according to PCI DSS standards. It should be based on industry best practices, and information security needs to be a top priority throughout design, development, and testing.
Other requirements include:
- Following software change control processes and procedures
- Addressing common coding vulnerabilities during software development
- Protecting public-facing web applications, by reviewing them for vulnerabilities at least annually and after every change, or by placing a web application firewall in front of them
7. Restrict access to cardholder data
Access to sensitive information should be restricted on a need-to-know basis and given only to authorized personnel with a business need. In practice this means:
- Limiting access to data and systems to the minimum required to fulfill job requirements
- Creating and maintaining control systems that default to deny all users access unless specifically authorized
8. Assign unique IDs to access holders
Only authorized users need access to sensitive information, and each of these users should have a unique ID so that their access activities can be tracked, monitored, and traced back to one individual.
Implementing unique IDs according to PCI DSS includes:
- Creating policies and procedures for managing user IDs
- Implementing authentication measures
- Rendering all authentication credentials unreadable with strong cryptography during transmission and storage
- Requiring multifactor authentication, at minimum for all non-console administrative access to the cardholder data environment and for all remote network access into it
- Documenting and communicating policies and procedures around authentication
- Not using group authentication IDs or passwords
- Controlling and assigning authentication mechanisms
- Restricting access to databases containing cardholder data
9. Restrict physical access to cardholder data
Access to physical systems and devices that hold cardholder data can give a person power to alter, delete, or otherwise corrupt data. Therefore, physical access should be restricted to those with a specific business need.
Implement facility access controls, including badge readers, access locks, door controls, and video surveillance systems. Procedures to easily identify authorized staff should be used, such as careful distribution and monitoring of ID badges to staff and visitors. Physical access to sensitive areas should be carefully controlled and monitored, and all physical environments need to be secured.
It’s crucial to handle media in a strictly controlled way. It needs to be classified according to sensitivity and sent, relocated, and stored securely. If not carefully tracked and monitored, media can go missing — so it’s important to maintain a current inventory. Follow best practices and legal parameters when disposing of or destroying media that’s no longer needed. Protect devices that contain cardholder data from tampering and regularly inspect them.
10. Monitor access logs
PCI data security standards stipulate that access to cardholder data needs to be carefully tracked, monitored, and recorded. All activity and events should have a clear and complete audit trail, with clocks synchronized across systems so events can be correlated. Maintain the integrity of audit logs by ensuring they can't be altered without detection (file-integrity monitoring or change detection on log files) and put alerts in place that fire when an alteration is attempted.
Review logs regularly to keep an eye on any suspicious or irregular activity. Abnormalities should be tracked and procedures put into place to keep reviews regular. An audit trail should be kept for at least a year, with three months of recent data ready to analyze if the need arises.
Finally, an additional stipulation applies to service providers: To ensure critical failures are noticed in a timely manner, a process needs to be implemented to enable early detection and communication of any malfunctions. Policies around this standard need to be established and shared, as always.
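One way to make an audit trail tamper-evident, as an added example that is not from the original post or from Adobe Commerce: each record carries an HMAC over its sequence number, the previous record's HMAC, and its own content, so editing or deleting any record breaks every link after it. The key, the record layout, and the sample events are this example's assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json


class AuditLog:
    """Append-only log with HMAC chaining. Assumption: `key` is held by the log
    collector, not by the systems emitting events, so someone who alters a record
    on a source host cannot re-sign the chain that follows it."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def _mac(self, seq: int, prev_mac: str, event: dict) -> str:
        # Canonical JSON so the same event always serializes to the same bytes.
        payload = f"{seq}|{prev_mac}|" + json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        seq = len(self.records)
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        record = {"seq": seq, "event": event, "prev": prev, "mac": self._mac(seq, prev, event)}
        self.records.append(record)
        return record

    def head(self) -> str:
        """Latest MAC; anchor it periodically in write-once storage to catch truncation."""
        return self.records[-1]["mac"] if self.records else self.GENESIS

    def verify(self) -> tuple[bool, int | None]:
        """(True, None) if the chain is intact, else (False, index of the first bad record)."""
        expected_prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != expected_prev:
                return False, i
            if not hmac.compare_digest(rec["mac"], self._mac(i, expected_prev, rec["event"])):
                return False, i
            expected_prev = rec["mac"]
        return True, None


# Constructed sample events for a cardholder-data table.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T12:00:01Z", "user": "alice", "action": "read", "table": "cards", "rows": 1},
    {"ts": "2024-03-02T12:00:07Z", "user": "bob", "action": "export", "table": "cards", "rows": 5000},
    {"ts": "2024-03-02T12:00:09Z", "user": "bob", "action": "delete", "table": "cards", "rows": 5000},
]


def build_sample_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    log = AuditLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log
```

`verify()` is the check your monitoring runs on each review: a `(False, i)` result is the alert the requirement asks for, and `i` tells the responder exactly where the trail stops being trustworthy. Removing the newest records leaves a valid shorter chain, which is why `head()` should be written somewhere the log writers cannot reach.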
11. Establish routine security tests
There are four tests that must be performed periodically to maintain PCI compliance.
12. Maintain an information security policy
The final PCI DSS standard pertains to policy. Policies need to be established, implemented, kept current, and shared with all relevant personnel. The process needs to be part of the overall information security policy, with risk assessments being conducted at least yearly.
A sound information security policy should include:
- Policies for use of critical technologies
- Clear delineation and assignment of roles and responsibilities
- Formal implementation of an awareness program to communicate all policies, procedures, duties, and accountability
- Background checks for any personnel who will access cardholder data
- Policies and procedures for management of affiliated service providers
- Written confirmation of understanding of requirements and obligations, if the organization is itself a service provider
- An incident response plan
- Quarterly reviews if the organization is a service provider
Benefits of PCI compliance
PCI compliance is required for companies that process credit card payments, but there are many benefits beyond its baseline goal of safeguarding cardholder data.
One big, bottom-line advantage to meeting PCI data security standards is reduced fines and backlash in case data is compromised or breached, as well as the avoided cost of monthly penalties. There are also intangible benefits. You can increase customer trust and brand reputation through industry compliance, while improving your standing — and developing stronger relationships — with payment partners. Finally, meeting PCI data security standards can help your organization take major steps toward achieving other compliance standards and better IT security overall.
PCI DSS best practices
PCI compliance might seem daunting, but there are a few tips you can follow to get started:
Offer employee training. It's difficult to meet PCI compliance standards if your employees are unaware of what the standards are and why they're important. PCI DSS requires security awareness training at least annually and on hire; keeping staff informed through shorter quarterly sessions works better than a single yearly briefing.
Reduce your scope. PCI compliance becomes much more manageable if you reduce the scope of people, processes, and technologies that store, process, or transmit cardholder data. Isolate the devices handling cardholder data from those that do not.
Create a secure network. A network that protects cardholder data is a business necessity. Besides installing a strong firewall, change all vendor default passwords and security parameters before systems go live, and require password changes at least every 90 days wherever a password is the only authentication factor.
Be patient. Unfortunately, it’s impossible to be 100% compliant overnight. Focus on one objective at a time so you can achieve incremental progress toward your goal of complete PCI compliance.
Make PCI compliance easy
At first, complying with PCI DSS may seem like an overwhelming endeavor. But it doesn’t have to be. If you’re a merchant, Adobe Commerce can help you comply with PCI DSS. It offers integrated payment gateways that make it easy for you to transmit credit card data via direct post API methods or hosted payment forms from the payment gateway and integrated with your checkout page.
Adobe Commerce is certified as a Level 1 Solution provider, so you can use the Magento PCI Attestation of Compliance to support your own PCI certification process.