Learn about PCI compliance and how to meet data security standards


If you’re a business leader, you know just how important compliance is. In any industry, monitoring the laws regulating your business is key to mitigating risk and maintaining the health, productivity, and longevity of the company.

However, there are special standards related to credit cards, and these standards are important to understand and implement effectively. Fortunately, the requirements are clear — and there are plenty of resources to help make compliance simple.


What is PCI compliance?

PCI compliance means meeting the Payment Card Industry (PCI) Data Security Standard (DSS), a security standard that sets out requirements for businesses that collect, process, or store credit card information.

The PCI Security Standards Council, a joint venture between the five major payment card brands — American Express, Discover, JCB, Mastercard, and Visa — administers PCI DSS. Since 2006, the PCI Security Standards Council has worked to fulfill its mission of “enhancing global payment account data security.”

PCI DSS applies to service providers and merchants. A service provider is a business that processes, stores, or transmits cardholder data on behalf of another business. A merchant is a business that accepts credit card payments for goods or services sold online.

If your business processes debit or credit card transactions for any reason, it’s critical to understand and comply with PCI data security standards. Compliance ensures sensitive information stays secure and payment processing workflows run smoothly, protecting your business from potential fines or limited scope of operation.

12 requirements of PCI DSS compliance

PCI DSS compliance is an important part of keeping payment processes running across every industry and line of business, in every sector. Though not legally mandatory, compliance allows your company to continue processing payments in good standing with major credit card brands.

Standards are updated regularly, and the frequency of PCI DSS audits varies depending on the number of transactions a business completes each year. Understanding the 12 requirements of PCI DSS for your business can help your company maintain healthy business continuity.

Each of these PCI DSS requirements is aimed at “hardening” an information security system — making a potential breach more difficult. Layering security measures, a strategy called “defense in depth,” strengthens a system’s security architecture so that no single control has to hold on its own. For nearly all of these requirements, it’s essential to ensure that security policies and procedures are documented, in use, and known to all parties involved.

1. Maintain firewalls

PCI compliance starts with implementing a firewall to protect cardholder data. A firewall is a vital part of security architecture, establishing a protective defense between an internal network and incoming traffic from external sources. It monitors incoming and outgoing traffic according to a set of security rules and is designed to prevent suspicious, invasive, or malicious traffic like malware and hackers from gaining access to internal systems.

Firewalls are the foundation for PCI security, as they are the first line of defense against data loss or compromise. But not just any firewall will meet compliance standards — flawed and incorrectly configured firewalls can create significant security vulnerabilities. More than 20 PCI DSS sub-requirements outlining firewall specifics address misconfiguration issues and provide guidance about the installation, maintenance, and updating of secure firewalls.


2. Secure passwords


Passwords that are too simple, default, or otherwise insecure can create serious vulnerabilities in an otherwise secure system. Passwords must be hardened to do their job as robust gatekeepers. Layering security measures helps keep password data safe.

Password security measures include a variety of techniques such as:

Password complexity parameters for PCI compliance include stipulations around the length, type, variety, variability, and uniqueness of character combinations. Additionally, PCI data security standards dictate how often a password should be changed by a user, how many password attempts can be made within a given time allotment, and how passwords and passphrases should be encrypted during storage and transmission.

3. Protect cardholder data

Implementing safeguards around cardholder data during storage helps prevent credit card fraud and information compromise. As with other PCI standards, protecting stored data should be considered a minimum level of security. Methods of stored data protection include encryption, truncation, tokenization, one-way hashing, and masking.

Secure management of cryptographic keys is also vital to good data protection. Strong encryption is useless if encryption keys are easily obtained, so it’s critical to have skilled and trustworthy custodians in charge of keys.

Finally, bear in mind that a primary account number (PAN) must be unreadable during storage. This includes portable storage and backup media such as flash, USB, and external hard drives, and even audit logs.
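As an added illustration of requirement 3 (example code, not code from the original post or from Adobe Commerce), the Python below masks a primary account number to at most the first six and last four digits and scrubs unmasked card numbers out of log lines before they reach an audit log. It uses the Luhn check so that order numbers and other long digit strings are left alone; the sample log lines are constructed, and 4111111111111111 is a well-known test card number.

```python
import re

# Luhn check: real card numbers pass it, which separates PANs from other
# 13-19 digit strings in a log line (order ids, timestamps, phone numbers).
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN to at most the first six and last four digits (the PCI DSS display limit)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:        # too short to be a PAN: hide everything
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)   # not a card number: leave untouched
    return PAN_RE.sub(repl, line)

# Constructed sample log lines; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z checkout ok card=4111111111111111 amount=19.99",
    "2024-01-01T10:00:01Z refund order=1234567890123456 status=done",
]

def scrub_log(lines):
    """Scrub a whole batch of log lines; run this before lines are written to the audit log."""
    return [scrub_line(line) for line in lines]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Masking at the logging layer is a safety net, not a substitute for keeping the PAN out of application logs in the first place.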

4. Encrypt transmission of cardholder data

Safeguarding data during transmission is key to protecting cardholder data. When sensitive information is transmitted over open networks, it becomes more vulnerable to attack or compromise.

Secure transmission protocols include using:

5. Maintain antivirus software


Antivirus software helps keep out all kinds of malware — including viruses, worms, and ransomware — and can detect and flag suspicious behavior. PCI DSS requirements for antivirus software cover its installation on all system components that fall within PCI DSS scope, as well as how it is configured and how regularly it is updated.

Here are some requirements for antivirus software:

6. Keep software updated and secure

Applying security patches and maintaining secure configurations reduces the vulnerabilities that out-of-date software exposes. Vulnerability notices are typically published on manufacturers’ websites, on mailing lists, or in RSS feeds.

Because threats and vulnerabilities evolve continuously, they must be monitored actively. Threats should be classified in terms of risk level so that high-risk issues can be addressed first. Critical security patches from the manufacturer must be installed within a month of their release, and low-risk patches can be installed within two to three months.

Software developed in-house or by external parties should be built according to PCI DSS standards. It should be based on industry best practices, and information security needs to be a top priority throughout design, development, and testing.

Other requirements include:

7. Restrict access to cardholder data


Access to sensitive information should be restricted on a need-to-know basis and given only to those authorized personnel with a business need.

Restrictions include:

8. Assign unique IDs to access holders

Only authorized users need access to sensitive information, and each of these users should have a unique identification number in order to track, monitor, and record their access activities.

Implementing unique IDs according to PCI DSS includes:

9. Restrict physical access to cardholder data


Access to physical systems and devices that hold cardholder data can give a person power to alter, delete, or otherwise corrupt data. Therefore, physical access should be restricted to those with a specific business need.

Implement facility access controls, including badge readers, access locks, door controls, and video surveillance systems. Procedures to easily identify authorized staff should be used, such as careful distribution and monitoring of ID badges to staff and visitors. Physical access to sensitive areas should be carefully controlled and monitored, and all physical environments need to be secured.

It’s crucial to handle media in a strictly controlled way. It needs to be classified according to sensitivity and sent, relocated, and stored securely. If not carefully tracked and monitored, media can go missing — so it’s important to maintain a current inventory. Follow best practices and legal parameters when disposing of or destroying media that’s no longer needed. Protect devices that contain cardholder data from tampering and regularly inspect them.

10. Monitor access logs

PCI data security standards stipulate that access to cardholder data needs to be carefully tracked, monitored, and recorded. All activity and events should have a clear and complete audit trail, with clocks synchronized across systems. Maintain the integrity of audit logs by ensuring they can’t be altered, and put alerts in place that fire when someone attempts to alter them.

Review logs regularly to keep an eye on any suspicious or irregular activity. Abnormalities should be tracked and procedures put into place to keep reviews regular. An audit trail should be kept for at least a year, with three months of recent data ready to analyze if the need arises.

Finally, an additional stipulation applies to service providers: To ensure critical failures are noticed in a timely manner, a process needs to be implemented to enable early detection and communication of any malfunctions. Policies around this standard need to be established and shared, as always.
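One way to make an audit trail tamper-evident, as the integrity requirement above calls for, is to chain each entry to the one before it. The Python below is an added example, not code from the original post or from Adobe Commerce: every record is keyed-hashed (HMAC-SHA256) together with the previous record’s hash, so editing, inserting, or deleting an entry is detected at that position. The key, the record contents, and the timestamps are constructed placeholders; the key is assumed to be held by a separate log-collection system rather than the host writing the entries.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # hash value assumed for "the entry before the first one"

def append_record(chain, record, key):
    """Append one audit record, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)     # canonical form, so verification is repeatable
    digest = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "record": record, "hash": digest})
    return chain

def verify_chain(chain, key):
    """Return the index of the first entry that fails verification, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i          # broken link: this is where an alert should fire
        prev = entry["hash"]
    return -1

def demo():
    """Build a three-entry trail, then rewrite one record and show the chain catches it."""
    key = b"placeholder-key-held-by-log-collector"   # constructed, not a real secret
    chain = []
    for rec in (
        {"ts": "2024-01-01T10:00:00Z", "user": "svc_checkout", "action": "read_pan", "result": "ok"},
        {"ts": "2024-01-01T10:05:00Z", "user": "admin1", "action": "export", "result": "denied"},
        {"ts": "2024-01-01T10:06:00Z", "user": "admin1", "action": "login", "result": "ok"},
    ):
        append_record(chain, rec, key)
    intact = verify_chain(chain, key)        # -1: nothing has been touched
    chain[1]["record"]["result"] = "ok"      # someone rewrites the denied export
    tampered = verify_chain(chain, key)      # 1: first entry that no longer verifies
    return intact, tampered

if __name__ == "__main__":
    print(demo())
```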

11. Establish routine security tests

There are four tests that must be performed periodically to maintain PCI compliance.

(Image in the original post: routine security test steps for PCI compliance)

12. Maintain an information security policy

The final PCI DSS standard pertains to policy. Policies need to be established, implemented, kept current, and shared with all relevant personnel. The process needs to be part of the overall information security policy, with risk assessments being conducted at least yearly.

A sound information security policy should include:

Benefits of PCI compliance

PCI compliance is required for companies that process credit card payments, but there are many benefits beyond its baseline goal of safeguarding cardholder data.

One big, bottom-line advantage to meeting PCI data security standards is reduced fines and backlash in case data is compromised or breached, as well as the avoided cost of monthly penalties. There are also intangible benefits. You can increase customer trust and brand reputation through industry compliance, while improving your standing — and developing stronger relationships — with payment partners. Finally, meeting PCI data security standards can help your organization take major steps toward achieving other compliance standards and better IT security overall.

PCI DSS best practices

PCI compliance might seem daunting, but there are a few tips you can follow to get started:

Make PCI compliance easy

At first, complying with PCI DSS may seem like an overwhelming endeavor. But it doesn’t have to be. If you’re a merchant, Adobe Commerce can help you comply with PCI DSS. It offers integrated payment gateways that let you transmit credit card data either via direct post API methods or via hosted payment forms served by the payment gateway and integrated with your checkout page.

Adobe Commerce is certified as a Level 1 Solution provider, so you can use the Magento PCI Attestation of Compliance to support your own PCI certification process.

For more information on how Adobe Commerce can simplify PCI compliance, take a free product tour or watch the Adobe Commerce overview video today.