What Is PCI Compliance?

PCI Compliance History:

What is PCI Compliance? The Payment Card Industry Data Security Standard (or PCI DSS) is a standard of controls created by the Payment Card Industry Council which is an agreed-upon set of requirements or specifications for entities directly or indirectly handling credit cards. The standard provides a technical and operational baseline for the appropriate acceptance or handling of cardholder data within a business environment. Stakeholders who are responsible to adhere to this standard are merchants, processors, acquirers, issuers, and service providers.

Merchants

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing but also is a service provider if it hosts merchants as customers.

Processors

Sometimes referred to as “payment gateway” or “payment service provider (PSP)”. A processor is an entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.

Acquirers

Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution”. An Acquirer is an entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

Issuers

An entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as “issuing bank” or “issuing financial institution.”

Service Providers

A business entity that is not a payment brand, is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

Where Do I Fall?

PCI DSS must be completed for all entities handling credit card information. The level to which you are audited depends typically on the transaction volume, relative risk, and history of a breach. The levels of PCI Compliance are defined as level 1 through level 4, with level 1 being the highest level of audit where an external certified Qualified Security Assessor (QSA) must audit production systems and procedures to be in compliance with the standard. For level 2 through level 4 self-assessment questionnaires can be completed where a professional auditor is not leveraged and a self-attestation to appropriate implementation of the standards is in place. Ultimately the acquirer, stakeholders, or credit card brand(s) will determine what level of audit your business must undertake (VISA, MasterCard, JCB, American Express, Discover). Companies that complete an SAQ will have different SAQ(s)-(A-D) in which to choose from.  These variety of SAQs are for different requirements that businesses are classified or how they conduct business, the most encompassing of which is the SAQ-D. The remainder of SAQ(s) are for specific business use cases such as using a virtual terminal, having no cardholder data storage, or use of imprint machines. If you are unsure of what SAQ to complete, contact your processor or a QSA firm for additional guidance.

What does this do for me?

Achieving and maintaining PCI DSS compliance has many profound effects on a business and will allow the business to remain operational in the ecosystem of credit card transactions. The requirements lay out the groundwork of a minimum standard to which to adhere and to maintain the capacity to interact with card holder networks. Some acquirers and/or service providers may not wish to do business with an entity that is not PCI compliant, as the risks of compromising data or processing fraudulent transactions increases without certification. The risk to the third-party vendors connecting and receiving information from your network is much lower with PCI, which may give better processing rates.  

Customers may know they are doing business with a PCI-compliant vendor which will assure them within their risk management strategy that the business is committed to a specific baseline standard that is acceptable for the acceptance of cardholder data or security functions therein. Adherence will assist in preventing data breaches or other costly bills associated with lack of compliance. The standard provides a baseline across the world where large and often segmented systems, policies, and processes are configured to the same security rigors. The security standard may be a springboard for additional data security frameworks such as NIST 800-53 or HIPAA.

What is the standard?

The standard is comprised of 6 groups of controls encompassing 12 requirement families surrounding the security of cardholder data. The standards encompass multiple aspects of the environment and business practices:

Additional information about the standards can be found on the PCI Security Council websites including testing criteria, report templates, and additional FAQs regarding PCI compliance. Know that each of these requirement families has many sub-requirements for the fulfillment of the standard. There are also recurring requirements which include but are not limited to Penetration Testing, Approved Scanning Vendors, Internal Scanning Requirements, and Firewall Review. These elements must be performed throughout the year of compliance to be proven at the time of audit. An audit is a single snapshot in time and reflects only what the system is at the time of audit. There should be no forward-facing statements, implementation plans, or Corrective Action Plans (CAPs) associated with the reports or SAQ.

What Can I do Now?

It’s not always easy to stay up-to-date with PCI compliance.  At MegaplanIT,  we understand the challenges and risks associated with card security. Sometimes, even knowing how to set your protection controls isn’t enough. That’s where our experience comes in – we have a team of certified security professionals and have the knowledge you need to ensure that your business stays compliant with their payment card data security standard (PCI DSS).

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!