PCI Compliance for Credit Card Processing
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework intended to protect cardholder data (CHD). It was created by major card brands who were concerned about the number of data breaches occurring, particularly as they related to the loss of credit card data. Because of this, major card brands now require compliance with PCI DSS for every organization that handles credit card data.
The PCI DSS applies to any entity that stores, processes, or transmits payment card account data. This typically includes merchants, acquiring banks, card issuers, payment processors, and service providers.
It’s not just about the cardholder data in a given organization’s environment, though. You could be a merchant whose point-of-sale system is supplied by your acquiring bank, and you’re still subject to PCI DSS because you’re involved in the processing of credit card information. It applies to all acquiring banks, card issuers, payment processors, and service providers that store, process, or transmit credit card data.
Why is PCI Compliance Important for Credit Card Processing?
Following PCI DSS requirements is essential because of the sensitive nature of cardholder data. Cardholder data is a card’s primary account number (PAN) by itself, or the PAN paired with its respective cardholder name, expiration date, and/or service code. This data is protected by rigorous PCI DSS requirements designed specifically to protect users’ credit card data.
In order to effectively protect cardholder data, the PCI DSS is composed of more than 300 controls, each of which includes testing procedures and corresponding guidance on how to implement them. Controls are the items used to measure an organization’s compliance, such as establishing a required length or complexity for passwords. This not only protects user data, but protects businesses against security breaches, hefty noncompliance fines, and potential legal issues.
What are the Credit Card Industry Security Standards?
As we’ve mentioned, PCI DSS 4.0 is a set of controls governing the secure handling of payment card account data. It was created to provide a base level of security for cardholder data to combat payment card fraud. If you work for an organization that does not have a robust or mature data security program, the PCI DSS can function as a template or roadmap for working toward compliance. If your organization has a better-established program, the PCI DSS requirements will likely overlap with or apply to your other regulatory compliance obligations.
Practically speaking, the PCI DSS is essentially a list of information security best practices. Six categories and 12 requirements (and their numerous sub-requirements) comprise the PCI DSS:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
How to Become PCI Compliant
When first approaching the compliance process, it can be helpful to take a step back and look at the overarching categories to understand what each set of requirements is trying to accomplish. Understanding and then working toward these six overarching categories (instead of focusing on the 12 detailed requirements) can be a great first step towards PCI compliance.
Let’s dive deeper into the six categories from the PCI SSC that provide an overview of the security controls required for PCI compliance:
Build and Maintain a Secure Network and Systems
This goal from the PCI SSC outlines requirements for network security. Specifically, it requires organizations to install and maintain firewalls and routers and not to use vendor-supplied defaults. All of the controls in this category are about securing your network and implementing proper network security mechanisms.
Protect Cardholder Data
This is a data security category. It’s concerned with the protection of the data elements themselves, regardless of their form. That could be data in storage, in transit, in processing, or even in physical form, such as paper records like invoices or receipts. All of that data would be in scope, making tokenization and encryption appropriate measures for obfuscation.
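To make the tokenization point concrete, here is an added example (not code from the page or from IXOPAY) showing the pattern that keeps most systems out of scope: a vault that is the only component holding the full PAN, random tokens that reveal nothing about it, and a masked display form that shows at most the first six and last four digits. The class and function names and the sample PAN are assumptions constructed for this illustration.

```python
"""Tokenizing and masking a PAN so that systems outside the vault never hold cardholder data."""
import secrets
from typing import Dict

# Hypothetical names for this example only; no real product API is modelled.


def luhn_valid(pan: str) -> bool:
    """Luhn check used to reject obviously malformed PANs before tokenizing."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal token vault: the only component that ever sees the full PAN.

    Tokens are random, so a token leaked from a merchant system cannot be
    turned back into a PAN without access to the vault. A production vault
    would additionally encrypt its store at rest and audit every detokenize."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}   # token -> PAN
        self._by_pan: Dict[str, str] = {}  # PAN -> token, so repeat cards reuse a token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # 128 bits of randomness, no PAN material
        self._store[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What a merchant system keeps: a token for later charges and a masked PAN for receipts."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}
```

With the constructed test PAN 4111111111111111, the merchant record holds only an opaque token and the display form 411111******1111; the full number exists in the vault alone.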
Maintain a Vulnerability Management Program
This category is concerned with application security, so it details how an organization should protect its systems against malware, viruses, coding exploitations, and other items that affect application security.
Implement Strong Access Control Measures
The first two requirements here address identity and access control measures. Identity refers to how to authenticate a user, and access control determines the user’s permission or access level to certain resources within your environment, specifically to cardholder data. The third aspect covers controls for physical access, such as requiring locks, cameras, etc., to prevent unauthorized physical access to a server room or data center.
Regularly Monitor and Test Networks
This requirement is not so much concerned with implementing new security mechanisms as it is with maintaining your existing ones and ensuring they are sufficient. You need to be able to monitor your own network and detect security incidents if and when they occur. You also need to test your security systems and coding to ensure they are secure and functional, update and patch applications, and keep up with threat management for malware and viruses.
Maintain an Information Security Policy
This is essentially a policy that sets the tone for your entire organization’s information security strategy. It needs to address all of your employees and reflect your attitude toward PCI compliance and overall data security. This includes training programs and continuing education to ensure proper practices.
Consequences of PCI Non-Compliance
There are many consequences for PCI non-compliance, some of which are guaranteed and others which are likely. If you’re found out of compliance during your annual audit, fines based on the severity and length of the infraction are all but guaranteed. Additionally, since PCI requirements ensure you meet the baseline requirements for cardholder security, being out of compliance creates significant security risks.
Common consequences of PCI non-compliance include:
- Fines and penalties, from $5,000 to $100,000 a month based on the severity of the issue
- Data breach compensation costs
- Legal costs
- Damage to company reputation and customer loss
How IXOPAY Can Help You Achieve PCI Compliance
Want to achieve PCI compliance the easy way? Let the PCI experts at IXOPAY help! Companies that outsource their cardholder data security to a third party tokenization platform, like IXOPAY, drastically reduce the cost, effort, and risk of credit card compliance.