Guide to PCI Compliance & PCI Certification

Organizations that store, process or transmit credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). This Guide provides comprehensive, yet easy-to-understand, information on how to achieve PCI compliance.

What is PCI?

The PCI (Payment Card Industry) is a sector within the financial industry that is responsible for all electronic payments. As purchases are completed through debit, credit, ATM, POS, prepaid and e-purse systems, sensitive financial data is constantly being transmitted to all parts of the world. As such, strict security measures must be in place in order to protect all users engaging in non-cash exchanges of payment.

To create these standards, the major financial corporations developed the PCI-SSC (Payment Card Industry Security Standards Council) which stands as an independent entity from the top financial brands. The council protects cardholders by setting strict security standards for merchants and for vendors of payment-processing solutions.

What is PCI DSS?

Credit and debit cards fuel global commerce. Unfortunately, they are also lucrative targets for fraudsters. To protect cardholder data, merchants and vendors must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which establishes a baseline level of security for organizations that store, process, or transmit payment card data.

The PCI Data Security Standard has grown significantly in stature and coverage since its early beginnings. PCI DSS requirements are robust and comprehensive. Organizations that invest the time and effort to comply with them will be considerably more secure and protected from cybersecurity threats.

Who Must Comply with PCI DSS?

The term “standard” in the PCI Data Security Standard could lead people to believe that implementing PCI compliance requirements is a “good to have” rather than a “must have or else.” In reality, PCI DSS is as good as a regulation. Think about it – the credit card companies that issue credit and debit cards to regular folks (your customers) are the ones that authorize you to process those payment cards. If you haven’t implemented the PCI DSS compliance requirements, the credit card companies won’t let you process their payment cards. What’s more, you could be fined. So, unless you’re planning to run a “cash only” business, the PCI Data Security Standard is not optional.

What are the Requirements for PCI Certification?

PCI compliance requirements are built around six “control objectives,” and each of these objectives has sub-requirements that organizations must follow. A total of 12 compliance sub-requirements fit into the six control objectives. Here’s a summary:

  • Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect Cardholder Data
    3. Protect stored data.
    4. Encrypt transmission of cardholder data across open, public networks.
  • Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software.
    6. Develop and maintain secure systems and applications.
  • Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know.
    8. Assign a unique ID to each person with computer access.
    9. Restrict physical access to cardholder data.
  • Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
  • Maintain an Information Security Policy
    12. Maintain a policy that addresses information security.

What Steps Lead to PCI Certification?

Here's a bit more explanation about the requirements to help you understand the security measures you will need to take to achieve PCI Certification:
  1. Protect your cardholder data with firewalls. Firewalls are designed to block inbound and outbound network traffic from untrusted networks.
  2. Change vendor-supplied default passwords and configurations. These defaults are freely published online and available for hackers to misuse.
  3. Protect cardholder data at rest using strong encryption, hashes, and/or other methods that are part of industry-accepted best practices.
  4. Protect cardholder data in transit using strong encryption, trusted keys, and trusted digital certificates.
  5. Use anti-virus and anti-malware software to protect all systems, and keep them fully updated at all times with the latest patches and signatures.
  6. Establish a process to identify vulnerabilities in systems and applications so that they can be remediated expeditiously.
  7. Restrict all access to cardholder data by employing the principles of least privilege and “need to know.”
  8. Assign a unique ID to each individual with access to systems and applications so that complete accountability of access is in place.
  9. Use electronic access keys, surveillance, and other security measures to restrict physical access to cardholder data and cardholder data systems.
  10. Establish a logging and monitoring mechanism to track access and user activities related to cardholder data and cardholder network resources.
  11. Perform annual penetration tests and comprehensive risk assessments on the cardholder data environment. Perform quarterly vulnerability scans.
  12. Draft, maintain, and disseminate a comprehensive data security policy and update it annually or whenever there is a significant change in the technological/operational environment.
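One control that requirements 3 and 10 above imply together, shown here as an added Python example that is not part of this guide: application and system logs must not themselves become an unprotected store of full PANs. The scrubber below finds candidate card numbers in constructed sample log lines, confirms them with the Luhn check that every PAN carries, and masks them; the first-six/last-four masking convention and the sample lines are assumptions.

```python
from __future__ import annotations

import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. Constructed pattern; real
# brand formats vary, so the Luhn check below does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every payment-card PAN ends in a Luhn check digit, so this rejects most
    digit runs (order numbers, timestamps) that merely look like a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, keeping only the first six and last four digits.

    First-six/last-four is the assumed display convention here; any
    separators in the input are dropped so the output is uniform.
    """
    digits = re.sub(r"\D", "", pan)
    hidden = max(len(digits) - keep_first - keep_last, 0)
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def scrub_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in one log line.

    Returns the scrubbed line and how many PANs were found, so a monitoring
    job can alert when cardholder data starts leaking into logs.
    """
    found = 0

    def _replace(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a PAN: leave the number untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a whole log; returns the cleaned lines and the total PAN count."""
    cleaned, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        cleaned.append(scrubbed)
        total += n
    return cleaned, total


# Constructed sample log lines; the card numbers are well-known test PANs.
SAMPLE_LOG = [
    "2024-01-15 10:23:45 INFO order=1234567890123 status=paid",
    "2024-01-15 10:23:46 DEBUG card=4111 1111 1111 1111 exp=12/26",
    "2024-01-15 10:23:47 WARN retry card=378282246310005 brand=amex",
]

if __name__ == "__main__":
    cleaned_lines, pan_count = scrub_log(SAMPLE_LOG)
    for entry in cleaned_lines:
        print(entry)
    print(f"{pan_count} PAN(s) masked; a non-zero count is a finding to chase")
```

The order number on the first line is left alone because it fails the Luhn check, which is what keeps the scrubber from mangling ordinary identifiers.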

How Does Transaction Volume Impact PCI DSS Compliance?

The PCI compliance requirements that apply to organizations depend on how many credit, debit, and pre-paid card transactions they process each year. The more transactions, the higher the level of required compliance and compliance validation. For example, an organization that processes more than 6 million transactions per year will be required to hire a specially trained assessor (PCI QSA) to conduct a PCI compliance audit every year. Organizations that process fewer transactions can skip the audit but must perform quarterly network scans to look for signs of trouble.
Here are the PCI compliance levels and requirements for organizations to gain PCI certification.
  • LEVEL 1 (more than 6 million transactions per year)
    1. A PCI Qualified Security Assessor (PCI QSA) performs an annual PCI Certification audit.
    2. The PCI QSA completes an annual Report on Compliance (ROC).
    3. The organization performs quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV).
    4. The PCI QSA completes the Attestation of Compliance (AOC) form.
  • LEVEL 2 (1 million to 6 million transactions per year)
    1. The organization completes the Self-Assessment Questionnaire (SAQ).
    2. The organization performs quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV).
    3. The organization completes the Attestation of Compliance (AOC) form.
  • LEVEL 3 (20,000 to 1 million transactions per year)
    1. The organization completes the Self-Assessment Questionnaire (SAQ).
    2. The organization performs quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV).
    3. The organization completes the Attestation of Compliance (AOC) form.
  • LEVEL 4 (fewer than 20,000 transactions per year)
    1. The organization completes the Self-Assessment Questionnaire (SAQ).
    2. The organization performs quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV).
    3. The organization completes the Attestation of Compliance (AOC) form.

What are the Critical Components of PCI DSS Compliance?

Let’s dig deeper into these PCI compliance requirements so that you have a jargon-free understanding of them.

  1. Annual Audit: If you’re at PCI compliance level 1, you need to have an independent, third-party audit performed by a PCI-certified Qualified Security Assessor (PCI QSA). This is a highly technical and specialized audit where the auditor performs configuration-level cybersecurity assessments of your technical infrastructure. All of the PCI DSS requirements must be in place for the PCI QSA to issue a PCI certification. The PCI Council website has a list of approved PCI QSA companies that can be searched by place of business, countries served, and other such criteria.
  2. Quarterly Network Scans: Regardless of your PCI compliance level, you’ll need to have an independent, third-party network vulnerability scan performed by a PCI-certified Approved Scanning Vendor (PCI ASV). These vulnerability scans need to be performed once per quarter.
  3. Self-Assessment Questionnaire: An organization at a PCI compliance level of 2 or below must complete a Self-Assessment Questionnaire (SAQ). As the name suggests, the SAQ is a self-assessment tool filled out by the merchant. There are different SAQs for different environments, and you must select the one that applies to your organization. The SAQ essentially consists of yes/no questions that correspond to each of the PCI compliance requirements. When you select “no” as an answer for any of the requirements, you may need to describe in detail remediation steps and associated timelines.
  4. Report on Compliance: A Report on Compliance (ROC) is filled out by a PCI QSA after the completion of an organization’s annual PCI compliance audit. The ROC contains detailed audit findings and can run hundreds of pages. It is submitted to the merchant’s acquirer (a bank or financial institution that processes payments on behalf of a merchant). The acquirer, in turn, accepts the ROC and then sends it for verification to the payment brands.
  5. Attestation of Compliance: The Attestation of Compliance (AOC) is a form that attests to the results of a PCI compliance assessment. The AOC is typically completed by a PCI QSA and can be used by merchants and service providers to show proof of compliance. The AOC form differs based on the type of SAQ that applies to your organization.
  6. Special Situations: There can be exceptions to the PCI compliance levels. For instance, a merchant that has experienced a data breach that compromised payment card data is deemed to be at PCI compliance level 1. In such a situation, even a PCI compliance level 4 organization would have to comply with the requirements of PCI compliance level 1. If you believe that your organization may operate under a unique set of circumstances, it’s best to get in touch with a PCI QSA to identify your precise path to PCI certification.

How to Select a PCI QSA Company

The annual PCI compliance audit must be performed by a Payment Card Industry Qualified Security Assessor (PCI QSA) company. A PCI QSA is certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance. The PCI Security Standards Council maintains a list of all the individuals and companies that have successfully completed training and certification as a PCI QSA. While the PCI compliance audit typically applies to PCI level 1 compliance entities, organizations that need to complete a self-assessment questionnaire (SAQ) can also greatly benefit from the expertise of a PCI QSA company. Here are some tips to select the right PCI QSA company for your organization:

Background Research

Research the PCI QSA company thoroughly – the number of years of experience, past and current clients, industry experience, technical certifications, client references, and so on. A PCI QSA’s experience in the same industry as yours is important since each industry has unique challenges, technical environments, and operational realities.

Approach

Understand beforehand how the PCI QSA company approaches the audit process. A collaborative approach works best. The PCI QSA should gain an in-depth understanding of your business - its strengths, and its eccentricities. That way, the PCI QSA can view the PCI compliance requirements in the context of your business and operational environment.

Scoping

The PCI Security Standards Council makes it a PCI QSA’s responsibility to confirm the scope of a PCI compliance audit. A good PCI QSA will look for opportunities to reduce the complexity of the compliance scope to save time, money, and resources.

Post-Audit Assistance

After an audit, you may be left with a full plate of remediation items to address within short timeframes. A good PCI QSA will provide clients with post-audit assistance and answer specific remediation questions that arise.

It’s Time to Fill Out Your SAQ. Which Type Applies?

A

Applicable to card-not-present merchants (mail/telephone-order or e-commerce) who have completely outsourced all cardholder data processing to a third-party vendor and do not store, process or transmit any cardholder data on their systems or premises. In this case, the third-party vendor needs to be PCI DSS compliant.

A-EP

Applicable to all e-commerce merchants who partially outsource all payment processing to a PCI DSS compliant

B

Applicable to merchants who do not store any electronic cardholder data and process payments either via standalone

B-IP

Applicable to merchants who process online payments using only standalone, PTS-approved payment terminals

C

Applicable to merchants with payment application systems connected to the Internet and no electronic cardholder data storage.

C-VT

Applicable to merchants whose web payment application is hosted externally by a PCI DSS validated third-party service provider. These merchants use a virtual payment terminal solution with no electronic cardholder data storage.

P2PE

Applicable to merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage.

D

Applicable to all merchants not included in descriptions for the above SAQ types. Applicable to all service providers defined by a payment brand as eligible to complete an SAQ.

What is a PCI Compliance Scan?

Regardless of your PCI compliance level, your organization must undergo a quarterly PCI compliance scan to identify cybersecurity threats in your systems and network. Insights from the scan can be used to enhance protection of the cardholder data environment (CDE) against malicious attacks.

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant changes in the network. These scans involve a combination of automated and manual tools/techniques that assess how well-protected your organization’s networks are from cyberattacks.

The PCI DSS requires that quarterly PCI compliance scans be performed by an independent third party, also known as a PCI certified Approved Scanning Vendor (PCI ASV).

Benefits of a PCI Compliance Scan

  • Identifies the low-hanging fruit that hackers often exploit such as open ports, default credentials, weak passwords, outdated infrastructure, and security configuration errors.
  • Identifies vulnerabilities introduced into the cardholder data environment due to unauthorized changes or system modifications, such as a firewall rule change.
  • Identifies missing patches and updates in systems and software.
  • Simulates real-life hacker probes at a network level, both external and internal.
  • Provides a quarterly report of actionable and quantifiable items to top management, showing whether an organization’s cybersecurity posture is progressing in a timely manner.

How to Choose a Good PCI ASV Company

Given the sensitive nature of the activities that a PCI compliance scan entails, organizations need to evaluate key aspects before entrusting their systems to an external vendor.

Identify whether the PCI ASV has in-depth cybersecurity experience and expertise. Are they also a PCI Qualified Security Assessor (PCI QSA)? Have they performed several PCI compliance audits? Do their certified experts have experience that spans across multiple industries and diverse environments?

Ask how the PCI ASV plans to keep your data and cardholder data environment secure during testing.

Review sample reports to identify if the PCI ASV understands how to make risk-based, prioritized recommendations. A good PCI compliance scan report will ideally include: an executive summary highlighting the organization’s overall security posture; a technical section detailing identified vulnerabilities; and comprehensive recommendations on how to remediate those vulnerabilities.

Verify that the PCI ASV uses industry best practices and testing methodologies based on internationally respected models. Ensure that the PCI ASV uses a combination of both automated and manual methods/tools for PCI compliance scans. This is important because automated tools may generate several false positives. The PCI ASV needs to manually weed these out to save time and effort.

Lastly, make sure that the PCI ASV offers retests to validate your remediation efforts.

PCI Glossary of Terms

Account Data - Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

Acquirer - Entity, typically a financial institution, that processes payment card transactions for merchants. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.

AOC - Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

ASV - Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.

Cardholder Data - At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also include the full PAN plus any of the following: cardholder name, expiration date and/or security code.

CDE - Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

Compensating Controls - Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Go to the PCI website for additional guidance on the use of compensating controls.

Critical Systems and Technologies - A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.

Data-Flow Diagram - A diagram showing how data flows through an application, system, or network.

DSS - Acronym for “Data Security Standard.”

Default Password - Pre-defined password to access a system, application, or device, usually set up by IT vendor. Default accounts and passwords are published and well known, and therefore easily guessed.

Encryption - Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.

Forensics - Also referred to as “computer forensics.” The application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.

Forensic Investigator - PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.

Hacker - A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually this is done in an effort to steal card data.

Information Security - Protection of information to ensure confidentiality, integrity, and availability.

IP - Acronym for “internet protocol.” Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite.

Least Privilege - Providing the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.

Merchant - For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Merchant Bank - A bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Also called an “acquirer,” “acquiring bank,” “card processor,” or “payment processor.” See also Payment Processor.

Monitoring - Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.

Network - Two or more computers connected together via physical or wireless means.

Network Segmentation - Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and, thus, reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.

PAN - Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Patch - Update to existing software to add functionality or to correct a defect.

Payment Cards - For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.

Payment Processor - Sometimes referred to as “payment gateway” or “payment service provider (PSP)”. Entity engaged by a merchant/entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.

PCI - Acronym for “Payment Card Industry.”

PCI DSS - Acronym for “Payment Card Industry Data Security Standard.”

PCI Compliant - Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.

PCI DSS Validated - Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an on-site assessment.

Penetration Test - Penetration tests identify ways to exploit vulnerabilities in order to defeat the security features of system components. Penetration testing includes network and application testing, as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment (internal testing).

Policy - Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.

Procedure - Descriptive narrative for a policy. Procedure is the “how to” for a policy and describes how the policy is to be implemented.

PTS - Acronym for “PIN Transaction Security.” PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance at POI terminals. Please refer to www.pcisecuritystandards.org.

Public Network - Network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies.

QSA - Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments.

Risk Assessment - Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to deploy countermeasures to minimize total exposure.

ROC - Acronym for “Report on Compliance.” Report documenting detailed results from an entity’s PCI DSS assessment.

SAQ - Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

Scoping - Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.

Security Policy - Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Service Provider - Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.

Threat - Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.

Untrusted Network - Network that is external to the networks belonging to an organization and that is outside of the organization’s ability to control or manage.

Virtual Payment Terminal - A virtual payment terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Vulnerability - Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
