PCI DSS Compliance: requirements explained

If you are an e-commerce merchant, you've probably heard the term "PCI DSS compliance" more than once. The chances are, though, you are still confused about what does it stand for and how to achieve it.

So what is Payment Card Industry Data Security Standard (PCI DSS) compliance? In the simplest terms, it is a set of 12 security standards designed to ensure that all the card payments on your website are being processed safely.

The Payment Card Industry Data Security Standard was founded in 2006 by the major credit card brands, namely Visa, Mastercard, American Express, JCB, and Discover with a focus on decreasing internet payment card fraud.

Even though the PCI DSS are not enforced directly by the government,  each credit card brand maintains its own data security compliance procedures. The card companies can penalize businesses that are not in compliance with PCI DSS. The penalties depend on many factors, including the merchant's volume of transaction, number of clients, and level of PCI DSS. Penalties can range from $5,000 to $100,000 monthly and can be charged until the merchant addresses every compliance issue.

Why is PCI important?

But how can PCI-DSS Compliances benefit your e-commerce business? First of all, compliance with PCI DSS means that you safeguard sensitive data and protect your customers from cyber-theft or fraudulent use.

Having compliance regulations in place also means saving tons of money in the long run. According to the Infosecurity Magazine, the average cost of losses businesses sustain as a result of a data breach is between $77,000 and $875,000!

That number does not include the loss of a customer's trust: they would not return to a business if their confidential information was stolen. And vice versa, your potential clients are more likely to spend money on your website if they feel confident you're keeping their sensitive data safe.

No matter the industry you are in,  the size of your enterprise, or the number of transactions per year, your business needs to comply with the PCI DSS. All the merchants fall into one of four PCI DSS compliance levels. The levels of compliance are used to determine the amount of security validation required to pass the PCI DSS assessment.

Based on the amount of transactions your business processes per year, the PCI Compliance Levels are:

Level 1 merchants must undergo an internal audit conducted by an authorized Qualified Security Assessor (QSA) once a year.

Level 2, 3, and 4 merchants typically have to submit an Annual Self-Assessment Questionnaire (SAQ) as one of the compliance requirements.

Every merchant that handles credit and debit card payments has to meet the PCI DSS 12 requirements to become PCI compliant.

These requirements were developed by the PCI Security Standards Council back in 2006, and this organization still maintains and updates them.

Here are the 12 requirements for PCI DSS compliance. We explained to them all in the checklist down below:

Section 1: Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data.

In the most basic terms,  a web application firewall (WAF) is a virtual barrier between your computer and the Internet. These network security systems protect your website from unwanted web traffic, DDoS attacks,  brute force attacks, and SQL injections. Because WAF uses advanced caching mechanisms, it also improves the overall speed and performance of your website.

2.  Configure passwords and settings.

Most hardware and software (like firewalls and routers) come with standard vendor-supplied passwords, usernames, and settings. This information is widely available on the internet. To prevent unauthorized users (aka online criminals) from hacking your website, make sure to change this information.

Section 2: Protect Cardholder Data.

3. Protect stored cardholder data.

Cardholder confidential information should be disposed of as soon as it's no longer needed. And when the card's data is stored, it has to be thoroughly protected. Some of the protection methods include encryption, tokenization, truncation, masking, and hashing.

4. Encrypt transmission of cardholder data across open, public networks.

Public WIFI networks are easy targets for hackers. Online criminals can easily extract sensitive data as it travels through those networks. It’s not permitted to email or instant message encrypted sensitive cardholder data through unsecured networks. To move this information within your organization, make sure to safeguard it first through strong cryptography and security protocols like TLS, SSH, IPSEC, etc.

Section 3 – Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs.

Malware like viruses, Trojans, spyware, adware, or worms can easily enter your networks through emails, websites visited or even storage hardware. For this reason,  you must continuously update your antivirus software and scan all data entering your systems.

6. Develop and maintain secure systems and applications.

A business should continuously evaluate its vulnerabilities, and, if discovered,  document and resolve them. One of the easiest ways to comply with this requirement is to update applications that process and transmit sensitive cardholder data constantly.

Section 4 – Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

Sensitive cardholder information should only be accessible by authorized individuals processing payments. To comply with this requirement, every organization has to have policies in place, defining who has access to that data.

8. Identify and authenticate access to system components

Every person who has access to the company’s systems need a unique login ID. This way, it will be easier to trace those responsible for breach of data in case of an emergency.

9. Restrict physical access to cardholder data

In order to ensure that data is only accessed by authorized persons, physical access to the servers must also be protected and monitored. Limit the number of people who have access to the servers on which data is stored. The fewer people have access to the servers, the less likely there will be a violation of the PCI DSS.

Section 5 – Regularly Monitor and Test Networks

10.  Track and monitor all access to network resources and cardholder data.

According to this requirement, every organization should regularly produce and monitor audit logs, so that any breach of data is immediately evident.

11. Regularly test security systems and procedures

How often do you test your security systems? If you want to become PCI compliant, vulnerability testing must be performed at least quarterly.

Section 6 – Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

A comprehensive information protection policy is a basis for PCI DSS compliance of any organization. Everyone in the business, regardless of their role, needs to be aware of this policy and understand their role in it. 

At first, glance, addressing all these 12 PCI DSS requirements might seem like a very time-consuming process. But in reality, the entire process of becoming PCI DSS compliant is very straight-forward. It only takes one day to two weeks to get compliant.

However, if you are not sure about your ability to adhere to the parameters of PCI DSS, it’s a good idea to partner with some professionals who have expertise in PCI.

No matter how big or small your business is taking care of your cybersecurity is a must. Don't risk your brand's reputation and long-term sales, become PCI DSS compliant!