Hackers and other malicious attackers are getting more sophisticated by the day. Businesses that collect, store, and process credit card information are prime targets for malicious attacks to steal money. With the lack of clear direction from financial regulators, the card payment industry has taken it upon itself to ensure sensitive customer data is protected.
What is PCI DSS Certification Anyway?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements that all companies that process, store, and transmit payment card information must adhere to. This standard helps enhance payment card data security.
The standard was developed by the PCI Security Standards Council (PCI SSC), a conglomeration of major credit card companies including American Express, JCB International, Visa, Mastercard, and Discover Financial Services. Aside from protecting payment card information, the PCI DSS sought to create a common set of security standards for merchants and service providers.
You may occasionally hear people talk about PCI DSS certification. In reality, the PSI Council does not issue certificates. In this case, the term certification is used to mean “proof of compliance” in the broader sense. There are three types of proof of compliance. These are Attestation of Compliance, a Self-Assessment Questionnaire, and a Report on Compliance, which we will cover in the next section.
There are third-party entities, usually web security companies, which claim to certify PCI-compliant businesses. Examples of such vendors include VeriSign, ScanAlert, and TRUSTe. Typically, you will see “Hacker Safe” badges associated with this certification. Still, the PCI council doesn’t issue any certificates directly.
For this reason, you may want to focus more on compliance than certification.
How PCI DSS Compliance Works
To begin with, the PCI DSS has 12 requirements to ensure businesses can secure cardholder information. These broad requirements apply to every company that accepts or processes payment cards. PCI DSS requirements cover the entire payment card ecosystem, including:
- Network Security
- Cardholder Data Security
- Vulnerability Management
- Access Control
- Network Monitoring and Testing
- Information Security
Furthermore, PCI DSS compliance is broken down into four levels. Your level determines how you comply with the regulations.
Level 1 Merchants
Level one merchants process more than six million card transactions annually. This includes all card payment channels, including ecommerce, card present, and card not present transactions.
Merchants in this level have to:
- File a Report on Compliance (ROC) through a Qualified Security Assessor (QSA) and
- Submit an Attestation of Compliance (AOC) form
Level 2 Merchants
Level two encompasses merchants processing between one and six million transactions annually across all card payment channels. Merchants in this level comply by:
- Completing a Self-Assessment Questionnaire and
- Submitting an Attestation of Compliance Form
Level 3 Merchants
Merchants in this group process between 20,000 and one million card payments across all payment channels. To comply at this level, a merchant must:
- Complete a Self-Assessment Questionnaire and
- Submit an Attestation of Compliance Form
Level 4 Merchants
This final classification applies to merchants who process less than 20,000 card transactions annually via ecommerce. Additionally, merchants processing up to one million card transactions annually across all payment channels fall into this category. To comply with PCI DSS requirements at this level, one must:
- Complete a Self-Assessment Questionnaire
We mentioned in the previous section that there are three main ways to comply with PCI DSS standards. They are:
Report on Compliance (ROC)
Based on the requirements in the PCI DSS, either a Qualified Security Assessor or an Internal Security Assessor can prepare a ROC. The assessor performs an on-site audit of the merchant to check whether the company complies with the regulations.
Typically, only merchants in level one have to file a ROC. However, merchants in tiers two through four who experience data breaches may be required to file a ROC every year. In this case, the merchant may be bumped up to level one after the data breach.
The assessor submits the form to the merchant’s acquiring bank. The acquiring bank approves the document before sending it on to Visa for compliance verification.
Self-Assessment Questionnaire (SAQ)
Self-Assessment Questionnaires are reserved for lower-level merchants. Merchants in levels two, three, and four don’t need external audits to confirm PCI DSS compliance. Instead, the merchants self-evaluate their compliance.
The SAQ is a series of yes or no questions that cover all of the PCI DSS requirements. If you answer no to any of the questions, you might have to indicate what measures you plan to take to ensure compliance. You may also be required to state the date on which you will be compliant.
The SAQ may differ depending on how you accept payment cards. For example, merchants that only use standalone payment terminals use a different self-assessment form compared to ecommerce merchants who outsource payment processing to third parties.
You can always contact your payment card brand or acquiring bank if you are unsure which questionnaire applies to you.
Attestation of Compliance (AOC)
The Attestation of Compliance (AOC) is the closest thing to PCI DSS certification. An AOC is a document that confirms the merchant’s compliance status with the PCI DSS. Additionally, this document confirms that the merchant is eligible to perform the self-assessment and has completed the relevant self-assessment.
Level one merchants need to have their AOC filled out by a Qualified Security Assessor. For lower-level merchants, the person conducting the self-assessment audit fills out this document. All merchants except level one have to submit an Attestation of Compliance along with their ROC or SAQ. You get the AOC along with the corresponding Self-Assessment Questionnaire.
Below are two examples of how PCI DSS compliance looks like in the real world.
Example #1: “Hacker Safe” Geek.com’s 2008 Data Breach
ScanAlert Inc. is one of the pioneers of data security certification, specifically the Hacker Safe Certification. This certification was widely sought by large corporations, including Sony, Johnson & Johnson, and Warner Bros.
The badge was so successful that most websites bearing this badge saw an average 14% increase in conversion rates. ScanAlert’s top competitor, McAfee, acquired the company in 2007.
It came as a shock when Geek.com, a major technology retailer, put out a notice of a mass compromise of customer data in 2008. Geek.com was certified Hacker Safe at the time. As it turns out, ScanAlert used automated systems to perform its daily scans. There was no manual oversight or intervention in the scanning process, creating a loophole for hackers with advanced methodologies.
Following this data breach, a security research organization claimed to be capable of breaching 90% of Hacker Safe certified websites. In fact, the organization claimed that it could easily access these website’s customer financial data.
The lesson here is clear. Certification isn’t necessarily proof of PCI DSS compliance. The main focus should be on creating a robust data security framework beyond the basics of PCI DSS compliance.
Example #2: Heartland Payment Systems 2015 Data Breach
It’s not just large organizations that get hacked. Even intermediaries are vulnerable to data breaches, which is why PCI DSS regulations cast such a wide net.
Heartland Payment System, a third-party payment processor supporting over 175,000 merchants, was hacked via an SQL injection. Hackers made off with up to 100 million credit and debit card information. Mastercard and Visa immediately notified the company of the breach.
Heartland was subjected to heavy fines and penalties, including suspension from processing payments of major credit card providers for two years. The company also had to pay out approximately $145 million in fines and other penalties.
Although Heartland was able to recover from the incident, your business may not be so lucky. The fines and penalties imposed by the PCI Council are enough to bring a small to medium-sized business to its knees. The loss of reputation can also be permanent should the company survive.
How to Get Started With PCI DSS Compliance
The PCI Council doesn’t have a legal mandate to enforce compliance, causing many businesses to put it off. The council can and does impose hefty fines and penalties in the event of a data breach. Fines range anywhere from $5,000 to $100,000, while penalties may include increased transaction fees or a ban from processing major credit cards.
It’s a good idea to get ahead of the curve and comply with the industry regulations. Here’s what you can do to get started on the journey.
Conduct an Internal Audit
The first step to PCI DSS compliance is to know what kind of data you collect and where it is stored. It is impossible to protect data when you don’t know it exists or where it is stored. Specifically, find out what payment information you collect, where it is stored, who has access to it, and how it is transmitted.
You will likely need the help of the IT department to get this done. There are also data discovery and data classification tools that can help you automate the process. These tools can automatically detect where payment card data is stored, how employees interact with it, and whether it is adequately protected.
This is also an excellent time to evaluate if you need to store payment information. You may find that this information isn’t critical to your business processes, so there is no need to keep it.
At the very least, come up with a specific period to store the data. In most cases, this data isn’t required after a certain period. There is no need to expend resources storing and protecting redundant data. This step is also part of PCI DSS requirements. According to requirement 3 of the PCI DSS, you should store card information in specific, known locations with limited access.
Know Your Requirements
Once you’re aware of the data you collect, it is easy to figure out the requirements that apply to your business. We covered compliance levels in a previous section. Next, download the SAQ guide book. There are nine different versions, but you only need to use the one that applies to your business.
The guidebook is also a valuable resource for determining your current compliance. Go through the checklist one by one to find out where you fall short.
There are 12 PCI DSS requirements, which are:
- Install and maintain a firewall
- Change vendor-supplied default passwords and other security settings
- Protect cardholder data
- Encrypt cardholder data transfer across open, public networks
- Use regularly updated anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign each person with computer access a unique ID
- Restrict physical access to cardholder data
- Monitor and track all access to cardholder data and network resources
- Test security systems and processes regularly
- Maintain an information security policy for all personnel
Make the Necessary Changes
You might notice you fall short on one or two compliance requirements. Simply make the necessary changes to comply. Sometimes you may fall short in multiple areas. Start with the most prominent security loopholes and work your way down.
This approach will require you to develop a framework for categorizing risk. The framework will help you prioritize the most significant risk factors. For example, you may want to encrypt card data before installing a firewall.
Another option is to identify the consequences of each loophole in your data security. This approach will give you immediate feedback on where to start compliance.
Train Your Employees
According to a survey by the Ponemon Institute, 27% of data breaches occur due to human error. Data security tools are only as good as your weakest link. Sensitizing employees on the importance of data security can make a big difference in your PCI DSS compliance.
Pay particular attention to employees working with sensitive information on a day-to-day basis. Some employees may be bypassing security measures. While practical, these measures can be cumbersome and slow down the workflow. Industry-specific employee training can help staff understand the risks and consequences of PCI DSS non-compliance.
Consider Using PCI DSS Compliance Software
PCI DSS compliance software can help to automate the compliance process. Robust software comes with a slew of tools and features, including log management, vulnerability assessment, asset discovery, and file integrity monitoring. The software also empowers IT teams to address multiple PCI DSS requirements, including:
- Developing a comprehensive incidence report plan
- Protecting systems against ransomware, spear-phishing attacks, and botnets
- Developing and maintaining secure systems and applications
- Running quarterly vulnerability scans
- Monitoring and tracking access to network cardholder data and resources
Examples of popular and successful PCI DSS compliance software include SolarWinds Security Event Manager, ManageEngine ADAudit Plus, and Splunk Enterprise.