MegaplanIT


What Is PCI Compliance?

PCI Compliance History:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls created by the Payment Card Industry Security Standards Council (PCI SSC): an agreed-upon set of requirements for entities that directly or indirectly handle credit cards. The standard provides a technical and operational baseline for the appropriate acceptance and handling of cardholder data within a business environment. The stakeholders responsible for adhering to this standard are merchants, processors, acquirers, issuers, and service providers.

Merchants

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing but also is a service provider if it hosts merchants as customers.

Processors

Sometimes referred to as a “payment gateway” or “payment service provider (PSP),” a processor is an entity engaged by a merchant or other entity to handle payment card transactions on its behalf. While payment processors typically provide acquiring services, they are not considered acquirers unless a payment card brand defines them as such.

Acquirers

Also referred to as a “merchant bank,” “acquiring bank,” or “acquiring financial institution,” an acquirer is an entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

Issuers

Also referred to as an “issuing bank” or “issuing financial institution,” an issuer is an entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.

Service Providers

A service provider is a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data, such as managed service providers offering managed firewalls, IDS, and other services, as well as hosting providers. If an entity provides a service that involves only the provision of public network access, such as a telecommunications company providing just the communication link, the entity would not be considered a service provider for that service (although it may be considered a service provider for other services).

Where Do I Fall?

PCI DSS applies to all entities handling credit card information. The level to which you are audited depends typically on transaction volume, relative risk, and breach history. The levels of PCI compliance are defined as Level 1 through Level 4. Level 1 is the highest level of audit: an external certified Qualified Security Assessor (QSA) must audit production systems and procedures for compliance with the standard. For Level 2 through Level 4, a Self-Assessment Questionnaire (SAQ) can be completed instead; no professional auditor is engaged, and the entity self-attests to appropriate implementation of the standard. Ultimately the acquirer, stakeholders, or card brand(s) (Visa, MasterCard, JCB, American Express, Discover) will determine what level of audit your business must undertake.

Companies that complete an SAQ choose from several SAQ types (A through D). Each SAQ type corresponds to how a business is classified or how it conducts business; the most encompassing is SAQ D. The remaining SAQs cover specific business use cases such as using a virtual terminal, having no cardholder data storage, or using imprint machines. If you are unsure which SAQ to complete, contact your processor or a QSA firm for additional guidance.

What does this do for me?

Achieving and maintaining PCI DSS compliance has many profound effects on a business and allows it to remain operational in the ecosystem of credit card transactions. The requirements lay out a minimum standard to adhere to in order to maintain the capacity to interact with cardholder networks. Some acquirers and/or service providers may not wish to do business with an entity that is not PCI compliant, as the risk of compromised data or fraudulent transactions increases without certification. The risk to third-party vendors connecting to and receiving information from your network is much lower with PCI compliance, which may earn you better processing rates.

Customers will know they are doing business with a PCI-compliant vendor, which assures them, within their own risk management strategy, that the business is committed to a specific baseline standard acceptable for the acceptance of cardholder data and the security functions around it. Adherence helps prevent data breaches and the costly penalties associated with non-compliance. The standard provides a worldwide baseline in which large and often segmented systems, policies, and processes are configured to the same security rigor. The standard may also serve as a springboard for additional security frameworks such as NIST 800-53 or HIPAA.

What is the standard?

The standard consists of 6 groups of controls encompassing 12 requirement families surrounding the security of cardholder data. The requirements cover multiple aspects of the environment and business practices:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

Additional information about the standard, including testing criteria, report templates, and FAQs regarding PCI compliance, can be found on the PCI Security Standards Council website. Each of these requirement families has many sub-requirements that must be met to fulfill the standard. There are also recurring requirements, including but not limited to penetration testing, Approved Scanning Vendor (ASV) scans, internal vulnerability scanning, and firewall review. These activities must be performed throughout the compliance year so they can be proven at the time of audit. An audit is a single snapshot in time and reflects only the state of the system at the time of audit. There should be no forward-looking statements, implementation plans, or Corrective Action Plans (CAPs) associated with the report or SAQ.

What Can I do Now?

It’s not always easy to stay up to date with PCI compliance. At MegaplanIT, we understand the challenges and risks associated with card security. Sometimes, even knowing how to set your protection controls isn’t enough. That’s where our experience comes in: we have a team of certified security professionals with the knowledge you need to ensure that your business stays compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
