If your business accepts credit card payments or stores that data, you may be scratching your head and wondering: “What is PCI DSS?”
Remember years ago, back when mullets and shoulder pads were cool? Cashiers would take your magic plastic and use an old clunky manual card machine. The Knuckle-Buster made a loud CLUNK-CLINK when it rammed an imprint of your card on the carbon paper. Someone used to lock all those receipts in a filing cabinet or safe, and that was the extent of protecting credit card information. The nature of the internet and the complexities of today’s cloud-based world have introduced new vulnerabilities.
Credit and debit card numbers are some of the most valuable digits around. The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework designed to help organizations protect that information.
So FYI, even if you only process a single credit card payment a year, this PCI DSS overview is for you!
What Is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) is an independent body created by the major payment cards (Visa, MasterCard, American Express, Discover, and JCB.). These big brands make the rules.
PCI DSS is an actionable framework for developing a robust security process that helps prevent, detect, and react to security incidents. Anyone who stores, processes, or transmits cardholder data must be compliant to reduce the risk of a breach and lessen their impact.
The framework contains over 300 security controls and over 1800 pages of official documentation. 16% of the paperwork is devoted to forms and info about validating compliance!
Understandably, how PCI DSS applies to your business is complicated. The cards you work with and the number of transactions completed over 12 months decide which of the PCI DSS controls apply to you, and there are levels for both merchants and service providers.
What is a Merchant?
PCI DSS defines a merchant as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods and or services. They process card transactions via any number of channels and range from boutiques, box stores, and energy providers to online shops and charities.
There are four levels your organization falls into as a merchant.
What is a Service Provider?
Service providers are defined as any organization that stores, processes, or transmits cardholder data on behalf of another. This also includes companies that could impact the security of that cardholder data like call centers, hosting providers, and network support.
Unlike merchants, service providers only have two levels – Level 1 and Level 2. Level 1 service providers require an onsite assessment by a Qualified Security Assessor (QSA), while Level 2 service providers require an annual self-assessment with SAQ -D.
And to make things slightly more confusing, businesses can identify as both merchants and service providers. If the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers, you’re both. For example, your internet service provider is a merchant because it accepts payment cards for monthly billing, But it’s also a service provider as it hosts other merchants as customers.
PCI DSS Compliance Checklist
Regardless of which level you fall into, there are six goals and 12 requirements to comply with PCI DSS.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
The Self Assessment Questionnaire (SAQ) applicable to your organization determine the requirements that apply to your organization. There are eight SAQ’s, but there’s a little more on that below.
Who Administers a PCI DSS Audit?
The Payment Card Industry Security Standards Council mandates that all merchants comply with the PCI standard. Annual validation, or proof, is required by some merchant processors and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transactions and may require a self-assessment or independent onsite audit.
Council-trained and validated assessors conduct the independent onsite audits. They appraise the effectiveness of how vendors have implemented PCI DSS controls and processes. These include Qualified Security Assessors, Approved Scanning Vendors, PCI Forensic Investigators, and more.
What are some PCI DSS Audit Requirements?
When your payment systems are secure, customers can trust you with their cardholder data information. As previously mentioned, how PCI DSS applies to your specific business is unique, but we’ve gathered a small list of common elements.
Self Assessment Questionnaire (SAQ)
An SAQ is a series of yes-or-no questions for each PCI DSS requirement. This self-validation tool helps you assess the security of cardholder data stored, transmitted, or processed by your company. There are eight versions of the SAQ that may apply to your unique organization.
Report On Compliance (ROC)
This is a detailed report documenting results from your SAQ but completed by a Qualified Security Assessor (QSA) after an audit and subsequently submitted to the merchant acquiring bank. If it meets their requirements, it’s passed on to the payment brand for verification. Level 1 merchants or service providers use this.
Attestation of Compliance (AOC)
A form merchants and service providers use to attest to the results of a PCI DSS assessment. It’s submitted to the acquiring bank or payment brand, along with the SAQ or ROC, plus any other requested documentation.
How Long Does PCI DSS Take?
The PCI DSS Assessment can take six to 12 weeks. Still, timelines vary depending on the project’s size, the number of systems, and how many security measures and policies are already in place.
PCI DSS Implementation fluctuates from company to company. But PCI DSS applies only to the infrastructure that contains Credit Card data. So a good way of lowering the cost and time it takes to implement is by limiting the storage and management of credit card data as much as possible to a small number of servers.
Your PCI compliance certificate is valid for one year, and you need to remain continually compliant.
It’s important to know that it’s an annual project if you’re required to complete the PCI DSS self-assessment questionnaire. And requirements change regularly. The PCI Council releases minor updates throughout the year and updates PCI DSS rules every three years.
On top of that, as you grow your business and accept more transactions, how the standard applies to you will evolve. Think of it like Boy Scouts. The activities, rules, and badge requirements change as you move your way from Scout, Tenderfoot, and so on, all the way to Eagle Scout.
What is PCI DSS Going to Cost?
There are several costs associated with PCI DSS compliance.
Organizations that qualify for the SAQ will have lower costs than those needing an onsite audit performed by a QSA. Still, an exact dollar amount is difficult to estimate when so many factors need consideration.
So whether you do it yourself, use a consultant or find automation software to guide you, costs vary greatly. When you shop around, you’ll notice low-end prices that seem too good to be true and others that are through the roof.
But there are two costs you need to consider that we can estimate more definitively—fines and damages to your reputation.
The big credit card brands, at their discretion, fine the bank $5,000 to $100,000 per month for PCI compliance violations. Banks typically pass the fine along to the merchant or service provider. So your financial institution may terminate your relationship or increase your transaction fees.
80% percent of breached organizations in 2020 stated in an IBM Study that customer personally identifiable information (PII), like credit card info, was compromised during a breach. And the average cost per lost or stolen record containing customer PII cost businesses $150.
The costs for non-compliance will add up quickly.
What is PCI DSS Compliance with Tugboat Logic?
It’s costly and clearly complicated to maintain a fully PCI DSS compliant system. But the benefits gained by ensuring compliance are priceless. And we’re here to help.
Tugboat Logic helps you fill in the blanks with our PCI DSS framework, including policies, controls, and guidance. Your scoping survey and assessment connect everything you need and builds out your evidence tasks. The automated software allows users to monitor their PCI DSS compliance as part of business-as-usual activities. And we have PCI DSS experts on staff, easily accessible to you.
After working to build your organization and build trust with your customers, don’t gamble with their sensitive information. Because compromised data negatively impacts consumers, merchants, and financial institutions.
What Is PCI DSS Overlap?
PCI DSS framework benefits extend beyond just protecting the credit card information. Almost 50% of the controls overlap with others like SOC 2 and ISO 27001. Remember how with Tugboat Logic, everything is connected and built out from the scoping survey? If you pursue other attestations, you won’t have to do tasks twice. Your evidence is ready to be applied to another framework. So as you mature, your compliance can too, and the workload won’t slow you down.
How Do I Come On Board?
If you’re looking for more information and practical advice on how to get PCI DSS compliant, we’re here to help! Feel free to get in touch with us. We can show you around our Security Assurance platform or set you up with a free trial.