What Is PCI DSS? A Quick Guide to the 12 PCI DSS Requirements

PCI DSS

Did you know that only one out of every five businesses in the Americas is fully compliant with the PCI DSS? According to Verizon’s 2019 Payment Security Study, only 36.7 percent of businesses worldwide are fully compliant. This is why knowing the answer to the question “what is PCI DSS?” and how to implement it to ensure enforcement is critical.

How can you be sure that your confidential data will be secure with the retailer when you provide payment card information to a website while doing online shopping? You, like most people, believe that the merchant has followed such security protocols to secure the financial details of its customers. And you’re absolutely right. PCI DSS requires retailers, suppliers, and organisations that accept, transfer, process, or store payment card data to follow global guidelines and standards.

If your company manages payment card details, you need to understand what PCI DSS is and how it affects your security framework. We’ll answer your questions about what PCI DSS stands for, who governs it, and “what are the key PCI DSS requirements?” in this post.

What Is PCI DSS?

The Payment Card Industry Data Security Standards (PCI DSS) is an acronym that stands for Payment Card Industry Data Security Standards. These 12 information security principles are intended to assist companies and organisations around the world in handling payment cardholder data in a safe manner.

These guidelines assist organisations in developing and implementing strategies, technology, and processes that deal with payment card data. Payment cards are described by the standards as:

“[…] any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.”

Who Must Be PCI DSS Compliant?

Are you unsure if the PCI DSS compliance criteria apply to your business? Well, you do if you deal with credit or debit card details in some way! Despite the fact that these provisions are not rules or legislation in the legal sense, they have an effect on all companies that are involved in the use of payment cards in any way. The following organisations are included in this list:

    • Financial companies, banks, and merchant banks are all examples of financial institutions.
    • Brick-and-mortar and ecommerce merchants,
    • Service providers
    • Point-of-sale vendors.

What Do These Standards Cover?

It’s important to understand not just who these criteria refer to, but also what they protect. PCI DSS applies to all device components that are located within or related to the cardholder data set.

It contains the following items:

    • Cardholder data or sensitive authentication data is handled by people, systems, and technology.
    • Servers, computing devices, and software are all network devices, both wired and wireless.
    • Virtualization components that accept, distribute, and store cardholder data, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors, among others.

With all of this in mind, it’s time to delve through the details of the PCI DSS so you can fully comprehend its enforcement criteria.

What Are the Main Components of PCI DSS?

These data protection standards provide a set of security rules and guidelines for all companies that accept, process, and store payment card information from customers. The merchant’s company is deemed PCI DSS compliant until the appropriate guidelines are implemented. Many of the major payment card companies have made PCI DSS compliance a requirement for merchants. PCI DSS enforcement is primarily intended to:

    • Protect the end-user’s card data,
    • Mitigate the risk of various financial and identity frauds, and
    • Determine the merchant’s liabilities in an unfortunate event of a cyber-attack.

Creators and Administrators of PCI DSS

The five major card firms, Visa, MasterCard, American Express, American Express, and JCB, collaborated to create PCI DSS. In 2004, the first draught (known as PCI DSS version 1.0) was released. For the administration and production of the PCI DSS, these companies established the Payment Card Industry Security Standards Council (PCI SSC) in 2006.

Any private company will join the council and send recommendations for revising and developing the PCI DSS. PCI DSS 3.2.1, the most recent update, was released in 2018.

Legal Requirements and Enforcement of PCI DSS

Firms in the United States are not mandated by federal law to comply with the PCI DSS. They must, however, refer to the PCI DSS guidelines to assess the firm’s protection system and decide the firm’s liability in the event of cybercrime or data breach incidents. The PCI DSS has been adopted into state laws in three states: Nevada, Minnesota, and Washington.

However, if the retailers were not PCI DSS compliant at the time of the data breach, the card scheme has set fees and fines. The following are examples of possible punishments.
ispartnersllc.com created a graphic that breaks down PCI DSS non-compliance fines.
It’s important to remember, however, that the PCI Security Standards Council does not implement compliance. Instead, credit card firms are responsible for enforcing the rules (VISA, Mastercard, etc.).

PCI Compliance Levels

Do you have to adhere to all of the PCI DSS’s requirements? No way! The enforcement standards have been set based on the number of transactions a company conducts per year. As a result, whether you’re a small business or a startup, you’ll just need to obey the most specific set of guidelines stipulated by your card issuer’s enforcement standard.

Level 1 – Businesses that process more than 6 million transactions a year must adhere to all applicable regulations.

Level 2 – This group includes businesses with 1 to 6 million transactions a year.

Level 3 – Companies with annual sales of 20,000 to 1 million dollars.

Level 4 – Companies with less than 20,000 transactions a year, such as startups and small businesses, must adhere to the rules set forth at this level.

Audits and Assessments

It’s important to remember that PCI enforcement is a continuous, ongoing process with three key steps:

  • Processes, remediation, and monitoring of cardholder data and properties are all assessed.
  • Vulnerabilities must be fixed, and data must be deleted (if applicable).
  • Notifying the appropriate authorities of the necessary details and documentation (acquiring banks and card brands)

Any company that is subject to the PCI DSS must employ an external Qualified Security Assessor (QSA) to conduct a security audit and confirm that the company is PCI DSS compliant. There is also a self-assessment questionnaire (SAQ), which can only be completed by an Internal Security Assessor (ISA). An ISA is a company employee who has been certified by the PCI SSC to conduct a self-assessment for their company. Merchants must apply this SAQ to their banks once a year to show the status of their PCI DSS compliance.

PCI DSS Structure

In order to really address the question, “What is the PCI DSS?” The structure of the norms must be understood. To be deemed PCI DSS compliant, a company must meet six key control goals, 12 core specifications, and numerous other sub-requirements. Each requirement is broken down into three sections: declaration of requirements, testing procedures, and guidance.

All 12 PCI DSS specifications are mentioned below, along with the objective categories to which they belong and a brief overview of each requirement:

Control ObjectiveCore RequirementClarification
1. Build and Maintain a Secure Network1. Use firewallsFirewalls block all the incoming malicious requests and prevent unauthorized access to the data.
2. Change the vendor-supplied default passwords and other security settings.These passwords are weak, easily guessable, and sometimes publicly available, which weakens overall security.
2. Protect Cardholder Data3. Protect stored data using encryption, hashing, or masking.Strong mathematical algorithms such as RSA, ECC, etc., scramble the stored data and make it incomprehensible. No one can read, interpret, steal, or modify such data.
4. Encrypt transmission of cardholder dataA TLS/SSL certificate is required to secure the data in transit.
3. Maintain a Vulnerability Management Program5. Use anti-virus or anti-malware softwareThe anti-virus tool constantly monitors, detects, and removes viruses, internet worms, spyware, trojan horses, and other types of malware that can otherwise exploit the system.
6. Develop and maintain secure systems and applicationsSecurity patches and weak security infrastructure in the systems and applications make the overall security posture weaken. They must be sturdily built and frequently updated.
4. Implement Strong Access Control Measures7. Grant access cardholder data to only authorized personnel.Only the employee who has “need-to-know” should have access to the customers’ payment card details. Restricts unauthorized access to alleviate insider threats.
8. Assign a unique ID to each employeeIt is a crucial step to determine accountability and authorization.
9. Restrict access to the physical system that contains cardholders’ data.Secure the physical systems where payment card details are stored to mitigate the risk of unauthorized data removal or theft.
5. Regularly Monitor and Test Networks10. Track and monitor who is accessing the cardholder’s data and other resources.Deploying a change-monitoring system to track any authorized changes or suspicious employee activities to track whether they are accessing the confidential cardholder’s data without a “need to know.”
11. Regularly check systems, software, processes to find out and fix vulnerabilities.Vulnerability in the software and systems is used by cybercriminals to execute the cyber-crimes. Such security vulnerabilities must be constantly monitored and fixed on a regular basis.
6. Maintain an Information Security Policy12. Have a security policy in the organization for all the employeesDevelop the security policy and train the employees to make them understand the sensitivity of the data, various types of cyber risks, and best practices to mitigate those risks.

Wrapping Up

It is both your legal and moral duty as a business owner to protect your customers’ confidential data (under laws and regulations like the CCPA, FIPS, GDPR, etc.). The PCI DSS guidelines are a great resource for learning about the numerous security bugs that make cardholder data vulnerable, the implications of those flaws, and the measures you should take to minimize the risks.

When a data breach or cyber-attack occurs, following these instructions will protect you from facing severe legal consequences. It demonstrates that you have taken genuine steps to safeguard your customers’ information. Noncompliance with the PCI DSS, on the other hand, would not only result in hefty penalties but will also damage your relationships with payment card companies and banks. As a result, to develop a strong security posture, always follow the PCI DSS’s underlying guidelines.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.