PCI compliance — its standards and best practices
Payment card industry (PCI) compliance involves meeting a set of security standards for businesses that accept, process, store, or transmit credit card information. Through PCI compliance, businesses of all sizes can prevent fraud and limit data breaches while protecting the sensitive payment data of their customers.
The Payment Card Industry Data Security Standard (PCI DSS) is designed to keep debit and credit card account data secure. The PCI Security Standards Council, founded in 2006 as a joint venture between the five major payment card brands (American Express, Discover, JCB, MasterCard, and Visa), administers PCI DSS under its stated mission of “enhancing global payment account data security.”
PCI DSS applies to merchants and service providers. A merchant is any business that accepts card payments for goods or services, whether online, in person, or over the phone. A service provider is a business that processes, stores, or transmits cardholder data on behalf of another business, or that can affect the security of that data (a hosting provider or payment gateway, for example).
If you’re a business that processes debit or credit card transactions for any reason, it’s important you understand and comply with PCI DSS.
PCI compliance standards
PCI DSS comes with 12 specific requirements arranged into six objectives. Here’s a brief overview of what they are.
Objective 1: Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Your business must keep firewalls (and the cloud security groups and host-based rules that play the same role) between the cardholder data environment, the rest of your network, and the internet. A firewall controls your network traffic and blocks every connection that is not explicitly required, in both directions; the rule set should be documented, justified, and reviewed on a regular schedule.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Vendor-supplied defaults (the password that came with your software, router, database, or point-of-sale device, along with default settings such as SNMP community strings and unused services) must be changed or disabled before a system is connected to the network. Attackers try default credentials first because they are published. Create unique, strong credentials for every system component, and keep a configuration standard that spells out which services stay enabled on each kind of system.
Objective 2: Protect cardholder data
Requirement 3: Protect stored cardholder data.
The safest way to protect stored cardholder data is not to store it at all; whatever you do store makes you a target and brings the storage location into scope. When the primary account number (PAN) must be kept, PCI DSS requires it to be rendered unreadable wherever it is stored, by truncation, tokenization, a keyed hash, or strong encryption with properly managed keys, and masked (at most the first six and last four digits visible) wherever it is displayed. Sensitive authentication data such as full magnetic-stripe or chip data, CVV2/CVC2 codes and PINs must never be stored after authorization, even encrypted. A PCI DSS-compliant hosting provider can supply the physical layer of protection (restricted access, locked racks and storage cabinets), but what your application writes to databases, logs and backups remains your responsibility.
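As an added example (not from the original page, and not Adobe Commerce code), here is how an application could apply Requirement 3 in Python: mask the PAN for display, keep only truncated digits plus a keyed hash for storage, and refuse to persist sensitive authentication data. The sample transaction, the card number (a published test number, not a real account) and the demo key are constructed for illustration; in production the HMAC key would come from a key management service or HSM under the standard's key-management controls.

```python
import hmac
import hashlib

# Sensitive Authentication Data (SAD): may be used to authorise a transaction,
# must never be kept after authorisation, even encrypted.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2")

# Constructed sample: a post-authorisation record as an app might hold it in memory.
# 4111 1111 1111 1111 is a published test number, not a real account.
SAMPLE_AUTHORISED_TXN = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "amount": "19.99",
}

# Demo key only (hypothetical); a real key comes from a key management service.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and require the 13-19 digit length a PAN can have."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str, first: int = 0, last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and the
    last four digits in the clear; the default here shows the last four only."""
    if not (0 <= first <= 6 and 0 <= last <= 4):
        raise ValueError("at most first 6 / last 4 digits may be displayed")
    digits = normalize_pan(pan)
    return digits[:first] + "*" * (len(digits) - first - last) + digits[len(digits) - last:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable for matching a card across records without
    storing the PAN. An unkeyed hash is not enough: with a known 6-digit BIN the
    remaining PAN space is about 10^9 values, trivially brute-forced from a leaked
    hash column. The key must be protected and rotated under Requirement 3."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def to_storable(record: dict, key: bytes) -> dict:
    """Reduce a transaction record to what may be persisted after authorisation:
    SAD dropped, full PAN replaced by truncation, mask and keyed hash."""
    digits = normalize_pan(record["pan"])
    stored = {k: v for k, v in record.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_first6"] = digits[:6]          # truncated PAN (BIN) for routing/reporting
    stored["pan_last4"] = digits[-4:]
    stored["pan_display"] = mask_pan(digits)   # what staff and customers see
    stored["pan_ref"] = pan_reference(digits, key)
    return stored


def storage_violations(record: dict) -> list:
    """Pre-persist guard: names of fields that must not reach disk, either SAD
    or a value that still looks like a full PAN (13-19 digits with separators)."""
    findings = []
    for name, value in record.items():
        if name in SENSITIVE_AUTH_FIELDS:
            findings.append(name)
        elif isinstance(value, str) and value and all(c.isdigit() or c in " -" for c in value):
            if 13 <= sum(c.isdigit() for c in value) <= 19:
                findings.append(name)
    return findings


if __name__ == "__main__":
    print(storage_violations(SAMPLE_AUTHORISED_TXN))      # ['pan', 'cvv']
    safe = to_storable(SAMPLE_AUTHORISED_TXN, DEMO_KEY)
    print(storage_violations(safe), safe["pan_display"])   # [] ************1111
```

Run `storage_violations` on every record just before it is written; the raw transaction fails on both the PAN and the CVV, while the output of `to_storable` passes and still lets you find all transactions for one card by comparing `pan_ref` values.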
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Cardholder data must be encrypted before it leaves your control for any open, public network (the internet, wireless networks, mobile networks). In practice that means TLS 1.2 or later with strong cipher suites and certificate validation; SSL and early TLS (1.0 and 1.1) no longer count as strong cryptography under the standard. The rule extends to people as well as systems: a full PAN must never be sent over end-user messaging such as email, chat or SMS, and network segmentation should ensure that ordinary users and systems have no path to cardholder data in transit.
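An added example (not from the page or from Adobe Commerce) of what Requirement 4 means in code: a Python `ssl` client context pinned to TLS 1.2 or later with certificate and hostname verification and forward-secret AEAD suites, next to the kind of permissive configuration the standard prohibits, and an audit function that reports what is wrong with any given context. It uses only the standard library and makes no network connection; the marker list of weak cipher names is the author's own choice, not a PCI SSC list.

```python
import ssl

# Substrings that identify cipher suites with no place in a cardholder data
# environment: legacy/stream ciphers, anonymous key exchange, export grades.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def build_client_context() -> ssl.SSLContext:
    """Client context meeting Requirement 4: TLS 1.2+, server certificate and
    hostname verified, only ECDHE (forward-secret) AEAD suites for TLS 1.2."""
    # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.load_default_certs()  # trust the platform CA store
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The 'make the error go away' configuration often found in integrations:
    any protocol version the library supports, no certificate check.
    Shown only so that audit_context has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (SSL/early TLS prohibited)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname not checked")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS) or suite["strength_bits"] < 128:
            findings.append("weak cipher suite enabled: " + name)
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()))   # []
    print("permissive:", audit_context(permissive_context()))
```

Wrap the hardened context around whatever HTTP client you use to reach the gateway, and run `audit_context` in a unit test so a later "fix" that disables verification fails the build instead of reaching production.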
Objective 3: Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software.
Antivirus or anti-malware software protects your systems from known malware and is required on all systems commonly affected by it; it must be kept current, actively running, generating audit logs, and not something ordinary users can disable. If your data is hosted on outsourced servers, confirm with your managed service provider which systems they cover and which remain yours to protect.
Requirement 6: Develop and maintain secure systems and applications.
A PCI DSS-compliant hosting provider will monitor and patch the systems it operates, but its attestation covers only its own services: responsibility for your application code, third-party modules, and any servers you administer stays with you. Keep an inventory of components, apply vendor security patches promptly (critical ones within a month of release), develop code against secure coding guidance such as the OWASP Top 10, and review or test changes before they go live. Ask your provider for a responsibility matrix so no layer is left unpatched on the assumption that the other party handles it.
Objective 4: Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need to know.
Don’t give every employee in your company access to cardholder data. Limit access to the individuals whose job requires it, grant each role the least privilege it needs, and default to deny-all; fewer people and systems with access means fewer ways for a breach to happen.
Requirement 8: Assign a unique ID to each person with computer access.
A unique user ID for every person with access lets you trace every action to an individual; shared or generic accounts are prohibited. Pair IDs with strong authentication: PCI DSS requires passwords to be changed at least every 90 days, accounts to be locked after repeated failed logins, sessions to require re-authentication after 15 minutes of inactivity, and multi-factor authentication for all remote access into the cardholder data environment and for all non-console administrative access.
Requirement 9: Restrict physical access to cardholder data
The servers containing your cardholder data should be housed in a secure environment, on site or off site, accessible only to a limited number of authorized individuals, with visitors logged and badged. The same applies to anything else that carries cardholder data: backup media, paper receipts, and card-reading devices, which must be inventoried and periodically inspected for tampering or substitution.
Objective 5: Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Logging user activity makes it easier to identify the cause of a security breach or any other problem that may arise. Logs should record who did what and when (user ID, event type, date and time, success or failure, origin, and the resource affected) for every access to cardholder data and every administrative action; they must be protected from tampering, reviewed daily, and retained for at least a year with the most recent three months immediately available.
Requirement 11: Regularly test security systems and processes.
By testing your systems, processes, and software on a regular basis you discover vulnerabilities as they emerge rather than after an attacker does. PCI DSS sets the cadence: quarterly internal and external vulnerability scans (and rescans after significant changes), annual penetration testing of the network and applications, and monitoring for unauthorized wireless access points and unexpected changes to critical files. Share the findings with your hosting provider where a fix sits on their side.
Objective 6: Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security.
With a strong PCI DSS-compliant security policy, your employees will know exactly what is expected of them. Your policy should clearly outline acceptable uses of technology, a formal annual risk assessment, incident response procedures, and day-to-day operational security procedures, and it should be reviewed at least once a year and whenever the environment changes.
The importance of PCI compliance
As a business that accepts debit and credit card transactions, you cannot overlook the importance of PCI compliance. Failing to comply can lead to a variety of serious consequences:
- Monthly penalties
If you don’t comply with PCI DSS, the card brands can levy monetary penalties, which your acquiring bank typically passes on to you. These penalties are commonly reported to range from $5,000 to $100,000 per month, depending on the size of your business and how long the non-compliance lasts.
- Data breaches
PCI DSS compliance doesn’t guarantee you’ll never suffer a data breach, but it reduces both the likelihood and your liability if one happens. A breached merchant commonly faces card reissuance costs of $50 to $90 for every cardholder whose information was exposed, plus the cost of a forensic investigation, and your bank or payment processor may end the relationship.
- Damaged reputation
If your business suffers a data breach, your reputation will likely be on the line. Once the public finds out your customers’ debit and credit card information are at risk, it will be difficult to regain their trust.
- Revenue loss
Monthly penalties and a damaged reputation both take a toll on your bottom line, and together they can lead to a significant reduction in revenue.
How to achieve PCI compliance
Merchants that accept debit and credit card payments are assigned one of four compliance levels, defined by the card brands mainly on the number of transactions processed each year; a merchant that has suffered a breach can be moved to a higher level regardless of volume. Your level determines how you must validate compliance.
Depending on your level, validation involves some or all of the following:
- Self-assessment questionnaires (SAQs)
The purpose of an SAQ is to document that you are taking the required security measures to keep your customers’ cardholder data secure. There are nine different SAQs, and the way you accept cards and handle cardholder data determines which one applies: a merchant that fully outsources its payment pages to a validated provider answers far fewer questions than one that stores cardholder data on its own systems.
- Vulnerability scans
Regular vulnerability scans identify potential security flaws before an attacker does. You must run internal and external scans at least quarterly and after any significant change, then remediate and rescan until the results are clean. Internal scans are performed by qualified staff or a contractor from inside your network, from enough locations to cover every segment of the cardholder data environment; external scans must be run by a PCI SSC Approved Scanning Vendor (ASV) against every internet-facing IP address and domain in scope.
- Attestation of Compliance
The Attestation of Compliance (AOC) is the signed form that states which validation you performed (an SAQ or a Report on Compliance) and confirms the result; it is the document your acquirer and your customers will ask to see.
- Report on Compliance
The Report on Compliance (ROC) is the full on-site assessment required for Level 1 merchants. It must be completed by an outside Qualified Security Assessor (QSA) or by an internal security resource who holds a current Internal Security Assessor (ISA) certification, and it validates the PCI compliance status of your business.
Four merchant levels of compliance
Best practices for PCI compliance
If you’d like to ensure PCI compliance, follow these tips:
- Offer employee training
It’s difficult to meet PCI compliance standards if your employees are unaware of what the standards are and why they’re important. PCI DSS requires security awareness training on hire and at least annually; short monthly or quarterly refreshers keep the material current and are the place to cover what staff should actually do, such as never writing a card number down or forwarding one by email.
- Reduce your scope
PCI compliance becomes much more manageable if you reduce the scope: the people, processes, and technologies that store, process, or transmit cardholder data, or that could affect its security. Segment the network so the systems handling cardholder data are isolated from those that do not, prefer hosted payment forms or redirects so the PAN never touches your servers, and make sure card numbers are not leaking into logs, support tickets, or analytics, which would silently pull those systems into scope.
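As an added example (not code from the page or from Adobe Commerce), here is the check a practitioner runs while reducing scope: find card numbers that have leaked into places that are supposed to be out of scope, such as application logs. It uses the Luhn check that every PAN satisfies to cut false positives from other long numbers, reports hits masked, and can redact them in place. The log lines are constructed for this example; the card numbers in them are published test numbers, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit ID is not split into a "PAN").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; the timestamp and tracking number are the usual
# sources of false positives, the three card numbers are published test PANs.
SAMPLE_LOG = """\
2024-01-15 10:22:33 INFO checkout order=A-1001 amount=19.99 status=authorised
2024-01-15 10:22:34 DEBUG gateway request body: {"pan": "4111 1111 1111 1111", "expiry": "12/29"}
2024-01-15 10:23:01 INFO shipment tracking=1700000000123457 carrier=X
2024-01-15 10:24:10 ERROR retry failed for card 378282246310005 (attempt 2)
2024-01-15 10:25:00 INFO refund issued to 5555-5555-5555-4444
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit test that every PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _digits(m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def redact_pans(text: str) -> str:
    """Replace Luhn-valid candidates with a marker keeping only the last four
    digits, leaving non-PAN numbers (tracking IDs, timestamps) untouched."""
    def _sub(m):
        digits = _digits(m.group(0))
        return "[PAN-REDACTED-" + digits[-4:] + "]" if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
    print(redact_pans(SAMPLE_LOG))
```

A hit in the gateway debug line is the typical finding: a verbose logger dumping request bodies, which quietly puts the log server, its backups, and everyone who can read them into scope. The fix is at the source (do not log the body), with `redact_pans` as the safety net in the log pipeline.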
- Create a secure network
A secure network that protects cardholder data is a business necessity. In addition to installing a strong firewall, avoid default passwords and security parameters on every device. Require employees to change passwords regularly and use multi-factor authentication for administrative and remote access.
- Be patient
Unfortunately, it’s impossible to be 100% compliant overnight. Focus on one objective at a time so you can achieve incremental progress toward your goal of complete PCI compliance.
Make PCI compliance easy
At first, complying with PCI DSS may seem like an overwhelming endeavor. The good news is that it doesn’t have to be. If you’re a merchant, Adobe Commerce can help you comply with PCI DSS. It offers integrated payment gateways that transmit card data either through direct post API methods or through hosted payment forms served by the payment gateway and embedded in your checkout page, so card numbers go from the customer to the gateway without being stored on your servers.
Since Adobe Commerce is certified as a Level 1 Solution provider, you can use the Magento PCI Attestation of Compliance to support your own PCI certification process.
For more information on how Adobe Commerce can simplify PCI compliance, request a free demo today.