Payment Card Industry Data Security Standard (PCI DSS)

What is PCI Compliance: Requirements and Penalties

PCI compliance is a set of standards and guidelines for companies to manage and secure credit card related personal data. PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions in an effort to protect credit card data from theft.

Experts say credit card fraud costs businesses billions of dollars each year in the United States. It should be obvious that cybercriminals are currently winning the war on credit cards. Protecting customer data and payment information needs to be a priority for consumers, businesses, and banks so we can stop wasting billions of dollars on credit card fraud. Understanding and leveling-up your PCI compliance capability is a major part of winning the war.

Why is PCI Compliance Important for Businesses to Follow?

PCI DSS compliance should be one of the most important ongoing projects in any business that stores and saves customers’ private credit card data. According to the 2018 Verizon Payment Security Report, only 52.5% of all organizations are 100% PCI compliant, and just 39.7% of companies in the Americas. We can do better!

Verizon’s research shows a correlation between companies that experienced a data breach and missing PCI DSS controls. In short: breached companies didn’t follow all of the requirements, which shocks no one.

More importantly, following the PCI DSS helps you keep compliant with data security and privacy laws, such as the General Data Protection Regulation (GDPR) or the Gramm-Leach-Bliley Act (GLBA). PCI DSS represents good data security practices for any organization to follow.

How Do You Become PCI Compliant?

PCI DSS is the roadmap you need to follow to become PCI compliant. PCI DSS is a 12-step plan to protect customer data.

12 PCI DSS Requirements

Goals and requirements:

Build and Maintain a Secure Network and Systems
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security for all personnel

How Much Does It Cost To Get PCI Compliant?

The answer to this question is complicated.

The cost of PCI compliance is a pittance compared to the cost of a data breach.

PCI compliance is simply good data security practice and isn’t much different than the NIST or SANS security controls. Think of the cost of PCI compliance more like the “cost of good data security practices” and then make your calculations accordingly.

How Do I Validate My PCI Compliance?

Each credit card company has its own compliance validation levels that merchants need to adhere to. Either you can perform your own PCI Compliance Self-Assessment Questionnaire (SAQ), or you can contract with a certified PCI Qualified Security Assessor (QSA).

PCI Compliance Qualified Security Assessors (QSA)

PCI QSAs are certified and trained to perform PCI security assessments. Different QSAs will be more familiar with one business or another, so if you do go this route make sure to find one that understands your business needs.

PCI Compliance Self-Assessment Questionnaire (SAQ)

The other option is to complete the SAQ, which is a series of yes or no questions that determine your level of compliance with the PCI DSS. Each organization completes the SAQ itself and submits its quarterly reports to the organizations that require them.

How Do I Maintain My PCI Compliance?

In order to maintain PCI compliance, you must also engage with PCI compliant credit card processors and banks. The data you protect only matters if that data remains protected across the entire transaction life cycle.

First, you need to employ good data security practices inside your organization and have regular internal audits and quality monitoring of your PCI compliant data. Here are some specific controls you can implement that will help protect your PCI data.

  • Discover and Classify Sensitive Data
    • Locate and secure all sensitive data
    • Classify data based on business policy
  • Map Data and Permissions
    • Identify users, groups, folder and file permissions
    • Determine who has access to what data
  • Manage Access Control
    • Identify and deactivate stale users
    • Manage user and group memberships
    • Remove Global Access Groups
    • Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    • Audit and report on file and event activity
    • Monitor for insider threats, malware, misconfigurations and security breaches
    • Detect security vulnerabilities and remediate
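As an added illustration of the first control above, "Locate and secure all sensitive data" (this is example code written for this page, not part of the original article or any Varonis product): a small discovery scan over constructed file contents that treats a digit run as a candidate primary account number (PAN) only if it passes the Luhn check, and reports each hit masked to the first six and last four digits, the most PCI DSS allows to be displayed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of file contents a discovery scan might walk.
# The card numbers are publicly known test numbers, not real accounts;
# the other long digit runs are decoys that should NOT be reported.
SAMPLE_FILES: Dict[str, str] = {
    "exports/orders_2019.csv": "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
    "notes/meeting.txt": "Ticket 1234567890123 opened; call 555-0100 about invoice 4111111111111112",
    "logs/app.log": "INFO user=alice action=login\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate in text, separators stripped."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, masked PAN) for each finding; never emit the full PAN."""
    return [(path, mask_pan(pan)) for path, content in files.items()
            for pan in find_pans(content)]


if __name__ == "__main__":
    for path, masked in scan_files(SAMPLE_FILES):
        print(f"{path}: {masked}")
```

The Luhn filter is what keeps ticket numbers and mistyped digits out of the findings; a real scan would also record owner and permissions for each hit so the "Map Data and Permissions" step has its inputs.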

Penalties for PCI Compliance Violations

According to the primary PCI Compliance Blog, fines are not published or reported, and usually end up passed to the merchants. Banks pass the fines along as increased transaction fees or termination of business relationships.

Fines vary from $5,000 to $100,000 per month until the merchants achieve compliance. That kind of fine is manageable for a big bank, but it could easily put a small business into bankruptcy.

But these fines issued by the PCI are small in comparison to credit monitoring fees, lawsuits, and actions by state and federal governments that can result when you’re not truly PCI DSS compliant. For example, Target said the total cost of their massive breach of credit card data was over $200 million, which included an $18.5 million legal settlement with 47 state attorneys general.

Frequently Asked Questions

What is the PCI compliance process?

Developed and managed by the PCI Security Council, the PCI compliance process involves a set of technical and operational standards for businesses to follow in order to secure and protect credit card data.

Is PCI compliance required by law?

PCI DSS compliance is a standard and not required by federal law in the U.S. However, some current and future state laws are effectively forcing components of the PCI Data Security Standard into law.

What is PCI compliance and do I need it?

According to the PCI Security Standards Council, any merchant planning to transmit, store, or process credit card data is required to be PCI compliant.

How do I get PCI compliance?

PCI compliance is a continual process that involves adhering to the 12 PCI DSS requirements. Generally, obtaining PCI DSS compliance for an organization involves the following four things:

  • Reviewing the PCI DSS requirements for compliance in detail. There are 6 broader goals, 12 requirements, and roughly 251 sub-requirements to review.
  • Identifying your organization’s compliance requirements. Depending on your business category, as defined by the PCI Council in terms of transactions per year, you will have a unique set of requirements for your organization to follow.
  • Reviewing your current processes and creating a plan to operationalize the requirements you need in order to obtain PCI compliance.
  • Filling out a Self-Assessment Questionnaire (SAQ) or obtaining the assistance of a certified QSA for your final PCI compliance assessment.

Source: What is PCI Compliance: Requirements and Penalties | Varonis