A Deep Dive into PCI Compliance

By Andy Marker | June 25, 2019

Highly intelligent hackers take full advantage of card skimmers, hidden cameras, wireless network taps, insecure databases, and poor security policies in order to steal customer data. Data breach prevention is a hot topic on boardroom and C-suite meeting agendas all over the world. Credit card security is at the forefront of these discussions. The explosion of data theft and breaches led the largest credit card issuers, Visa, MasterCard, Discover, and American Express, to develop internal compliance mandates. 

The card companies have required merchants to implement security measures when storing, processing, and transmitting credit card data. In order to educate, inform, and train the various parties about the standards, the credit card issuers, along with the Japan Credit Bureau (JCB), created the Payment Card Industry Security Standards Council (PCI SSC). The council was formed in 2006 and consolidated the issuers' existing standards into what is now referred to as the Payment Card Industry Data Security Standard (PCI DSS). The most recent version of PCI DSS, 3.2.1, was released in May 2018.

In this article, we will look at PCI DSS compliance, how your company can achieve it, and the benefits and challenges of achieving and maintaining compliance under PCI DSS.

What Is PCI Compliance?

PCI DSS is an industry-led and industry-regulated standard. Its goal is to protect sensitive customer data when credit card information is stored and processed. Every merchant, issuer, processor, or acquirer is responsible for demonstrating compliance. Any entity that uses wired or wireless networks to process, store, or transmit credit card data must present compliance credentials. This group includes merchants that use card readers, POS systems, shopping carts, online payment tools, and paper-based credit card solutions. The standards were written to provide a baseline that everyone must follow in order to secure data and limit fraud. The PCI Security Standards Council oversees the compliance protocols, issues updates and information, and provides industry standard certifications.

Following the PCI DSS demonstrates that the merchant cares about their customers’ sensitive information. It also helps an organization avoid expensive fees or penalties for non-compliance.

What Are the PCI DSS Standards?

The PCI DSS mandate has a simple dual purpose — to protect against fraud and to secure sensitive data. The PCI DSS is updated regularly in an effort to stay ahead of sophisticated hackers and complicated, ever-changing technology.

How Many PCI Requirements Are There?

There are six main categories for PCI security standards, with 12 requirements. Each area focuses on infrastructure as well as internal policy. Here are the requirements:

  • Build and Maintain a Secure Network and Secure Systems:
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect Cardholder Data:
  3. Protect stored cardholder data.
  4. Encrypt transmissions of cardholder data across open, public networks.
  • Maintain a Vulnerability Management Program:
  5. Protect all systems against malware and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  • Implement Strong Access Control Measures:
  7. Restrict access to cardholder data by maintaining a need-to-know policy.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  • Regularly Monitor and Test Networks:
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  • Maintain an Information Security Policy:
  12. Maintain a policy that addresses information security for all personnel.

It is important to note that these six categories and 12 requirements are a baseline for compliance and serve as a starting point for organizations.

Know Your Risk Level: What Are the Different PCI Compliance Levels?

When planning for PCI compliance, it is important to know your risk level. There is a fairly straightforward method for assigning risk that determines levels based on the number of credit card transactions that an organization processes per year. There may be other factors to consider, but this is a good starting point. There are four compliance levels:

  • Level 1 (more than 6 million transactions per year): Mandates a very high level of compliance; reporting and auditing are at the highest level. Additional requirements: annual Report on Compliance (ROC), quarterly network scan by an Approved Scanning Vendor (ASV), and Attestation of Compliance.
  • Level 2 (1 million to 6 million transactions per year): Demands a high level of compliance. Additional requirements: PCI DSS Self-Assessment Questionnaire (SAQ), vulnerability scan with an ASV, and Attestation of Compliance.
  • Level 3 (20,000 to 1 million transactions per year): Calls for a medium level of compliance. Additional requirements: PCI DSS Self-Assessment Questionnaire (SAQ), vulnerability scan with an ASV, and Attestation of Compliance.
  • Level 4 (fewer than 20,000 transactions per year): Demands the lowest level of proof of compliance. Additional requirements: PCI DSS Self-Assessment Questionnaire (SAQ), vulnerability scan with an ASV, and Attestation of Compliance.

Understanding your level of risk is critical when planning for compliance, but other factors, such as state laws, credit card issuer rules, and a prior breach, can change an organization’s level. It’s also important to remember that if one credit card issuer puts your company at Level 1, all reporting to all issuers must be at Level 1. In addition, a breach automatically moves an organization to Level 1.

Is PCI Compliance a Law?

The PCI DSS is unique because it is not the result of federal law. However, there are some state laws that demand data security and require remediation in the event of a breach. Credit card issuers and banking institutions created the PCI DSS to facilitate the adoption of a set of standards across the industry. Any organization that accepts credit cards is subject to the PCI DSS. 

The standards are monitored by each credit card issuer, and they can levy fines for non-compliance. Unfortunately, many small businesses are unaware of the hefty penalties they can face if they experience a breach.

How Do I Become PCI Compliant?

Each organization is different, but the path to compliance typically encompasses the following activities:

  • Self-assessing, including attestation of compliance
  • Vulnerability scanning, including showing evidence of results
  • Changing business processes as needed (i.e., fixing vulnerabilities)
  • Engaging in annual auditing (large merchants)
  • Performing penetration testing
  • Participating in security training
  • Reporting on compliance

Your merchant bank can often answer questions about processes and requirements. You can find a Self-Assessment Questionnaire (SAQ) through the PCI SSC website. The assessment helps identify your level of compliance. It also identifies areas that require remediation. Once compliant, you need to do yearly reporting, consisting of a Report on Compliance (ROC) to validate compliance and maintain eligibility.


The Audit: What Does PCI Stand for in an Audit?

Audits are the primary tool to ensure PCI compliance. Internal or third-party auditing is a common practice used by many of the largest merchants accepting credit cards. 

In many cases, especially for the highest-risk organizations or any business that has experienced a breach, audits are mandated. Smaller businesses can proactively use audits to identify vulnerabilities and mitigate risk. Security assessors and internal auditors are deemed “qualified” only through PCI Security Standards Council certifications.

What to Expect from Your Next PCI Audit

A PCI audit is performed by a qualified security assessor (QSA). The purpose of the audit is simple: to make the system better and provide continuous improvement. Those who breach systems look to exploit vulnerabilities, and they get smarter at doing so every day. Therefore, a qualified auditor, certified under the standards set forth by the PCI SSC, examines your system to identify vulnerabilities and make recommendations in order to further reduce data breach opportunities. They may also conduct penetration testing, which simulates an attack upon the firewalls, software, and systems to find weaknesses and recommend remedies. In addition, the auditor studies your internal processes, controls, and policies in order to provide a risk assessment.

How Much Does It Cost to Be PCI Compliant?

There are many factors that impact the cost of PCI DSS compliance. The first is the hard cost associated with preventing security breaches, which includes infrastructure investments, auditors, testing, assessments, and training. These costs are dependent upon the size and type of the organization, security priorities, and staff availability.

Small companies can pay over five figures per year for compliance-related activities. Larger enterprise organizations have ongoing protocols that make their financial obligation to fraud prevention much greater. However, these investments are needed to prevent the high costs (and consequences) of a breach. A breach generates fines, compensation to those affected, legal costs, and judgments. Breaches also have other costs, such as the loss of reputation and diminished consumer confidence, which are difficult to adequately calculate.


PCI Compliance: The Struggle to Comply

There are numerous challenges associated with PCI compliance, including the financial outlay, personnel time, and training. It’s an expensive mandate, both in the case of prevention and in the case of a breach. In fact, the price of a breach can be exorbitant. 

Still, one of the most frustrating challenges, especially for small to medium-sized businesses, is the confusing nature of compliance. Reports, audits, proper infrastructure, technical details, and training are necessary at all risk levels. Compliance is about performing the required tasks and supplying the proof. Moreover, it is not a one-and-done initiative, but rather an ongoing effort to keep up with technology changes so that the organization can avoid attacks. The bad news is that no company is invincible. Verizon’s 2017 Data Breach Report found over 42,000 reported data security incidents. Big names, such as Target, Home Depot, and Saks, have had millions of credit card numbers stolen.


In addition to training, an organization’s existing security policy should be augmented to include risk analysis reviews and all acceptable uses of technology and equipment. The policy should also prohibit the storage of PINs or card validation codes.

Everyone Participates in PCI Compliance, So Everyone Benefits

There are some who grumble that the benefits of PCI DSS compliance are few. But, compliance (i.e., working toward PCI security) allows full participation in a global economy. Today, a merchant cannot process a credit card without proof of compliance. Compliance has become a level playing field in which full participation in securing customer information is a high priority. The ability to secure customer data also results in a trusting relationship.

What Does a PCI-Qualified Security Assessor (QSA) Do?

There are a number of different auditors that help organizations achieve and demonstrate PCI DSS compliance. Audits are conducted by an independent Qualified Security Assessor (QSA), an Internal Security Assessor (ISA), or, in some cases, both. Audit frequency often depends on the level of compliance or the history of a data breach, but an audit generally takes place once per year.

Some of the main activities performed by an auditor include the following:

  • Test vulnerabilities, including penetration testing, to find holes or weaknesses in data defense systems
  • Provide recommendations for enhanced security or validate that adequate security currently exists
  • Supply reports needed to demonstrate that the company is currently compliant 

Auditing is not a guarantee that a breach will never happen: It is up to the organization to provide continuous updates and conduct consistent compliance testing. 

The PCI SSC provides coursework and certifications that verify an auditor’s ability to follow the prevailing standards and deliver the verifications, testing, reports, and recommendations that prove compliance activities.

Sample Security Breaches: Nobody Is Immune from Attack

Despite the cost and effort to keep data secure, breaches continue to occur. This is because technology constantly changes, and the thieves adapt as needed. In addition, personnel may accidentally (or by design) contribute to a loss of data integrity. One thing is certain: When a household brand is hit by data theft, it generates big news. Large companies like Sony are not immune. An attack on their PlayStation system compromised 77 million accounts. In 2014, Home Depot had 56 million credit card numbers stolen.

Many organizations have discovered the high costs of vulnerabilities in their point of sale (POS) systems. Saks, Wal-Mart, and Lord & Taylor have suffered costly data losses from their POS systems.

But, security fraud is sometimes committed too easily. The 2017 Verizon Data Breach Report showed that 80 percent of all hacking-related breaches involved a stolen or weak password. That’s why one of the first PCI DSS requirements cautions against the use of vendor-supplied defaults or passwords. Fraud prevention requires good firewalls and infrastructure, but it also demands solid policies and smart implementation.

PCI Compliance Is Well Worth the Price: A Breach Costs More Than Money

The PCI DSS is just a baseline, not a guarantee of safety from fraud or breaches. Many organizations, especially those who have experienced a breach, are incentivized to do more. 

The costs associated with a breach, as illustrated above, are two-fold: the financial cost of fines and litigation and the cost of lost confidence. Paying or absorbing losses to customers, reissuing payment cards, or providing months of credit report monitoring can cripple an organization’s bottom line. In addition, the intangible costs must also be measured, and they can be considerable. For instance, consequences can include loss of reputation and sales due to consumers’ lack of trust in your company. Reparations impact all areas of a business and may require the drastic and proactive action of re-marketing your brand. Many believe these costs justify going beyond the basic PCI DSS compliance requirements. 

Additional breach consequences include the following:

  • Higher compliance costs
  • Terminations of card acceptance
  • C-level job losses
  • Going out of business

PCI Software

Part of any assessment for developing or maintaining PCI compliance is evaluating PCI software solutions. The main goals of PCI software are to protect systems from malware, track and monitor access, conduct vulnerability scans, enable incident response, and provide vulnerability and risk reports. Software solutions can be purchased from a software vendor, home grown, or open source. They can also be installed and managed on the premises or hosted as software-as-a-service (SaaS). 

There are several types of tools that can aid in PCI compliance. These tools include the following:

  • Credit card detection software
  • File integrity monitoring tools
  • Wireless assessment tools
  • Intrusion detection systems
  • Password storage systems
  • Cardholder data environment (CDE) systems
  • Network monitoring

Purchasing and implementing individual point solutions that solve for each need can become overwhelming. A single solution that encompasses several functions may be an easier answer. Consider the following functions when evaluating an all-inclusive solution:

  • Asset discovery/inventory
  • Vulnerability assessment
  • Intrusion detection
  • File integrity monitoring
  • PCI DSS reporting
  • Wireless assessment
  • Password storage
  • Network monitoring

With technical innovations — that make doing business on a global scale easier than ever — come more complex threats. The PCI DSS rules and guidelines address one of the biggest of these dangers: the loss of sensitive financial information. The losses, as we have seen with numerous big name merchants, can be costly to both the business and the consumer. Fortunately, there is a path forward. Following the PCI DSS compliance guidelines won’t completely protect you from smart hackers, but this crucial step provides a solid foundation for data protection.

Frequently Asked Questions

  • What constitutes a service provider? A service provider is a vendor that provides IT services or solutions to businesses or end users. 
  • What constitutes a payment application? This refers to anything that stores, processes, or transmits card data. It includes e-commerce shopping carts and POS systems.
  • What is a payment gateway? A payment gateway is the method used to accept credit card payments by linking payment processors with merchant account providers.  
  • What is PA-DSS? The Payment Application Data Security Standard is maintained by the PCI Security Standards Council (SSC) and ensures that vendors who provide products, such as payment applications, maintain PCI DSS compliance. 
  • Can the full credit card number be printed on the consumer’s copy of the receipt? PCI DSS requirement 3.3 does not prohibit printing the full card number on a receipt. However, only a person with a legitimate business need should be able to see the full card number. The recommendation is to print only the last four digits on a receipt.
  • How often do I have to have a vulnerability scan? If you store card data electronically after authorization or if you qualify based on your Self-Assessment Questionnaire, a quarterly (every 90 days) scan is required.
  • What if my business refuses to cooperate? PCI is not a law, but the major credit card brands may refuse to work with you. You may incur fines, costly audits, and reputation damage.
  • If I’m running a business from my home, am I a serious target for hackers? Home businesses are the most vulnerable because you are not well protected.
  • What should I do if I’m compromised? The PCI Security Standards Council offers a guide on responding to a data breach.
  • Do states have laws requiring data breach notifications to the affected parties? Yes, private, governmental, and educational organizations are required to notify affected parties when a security breach occurs.
  • Is PCI compliance mandatory for everyone? Any organization that accepts credit cards is subject to the industry regulations for PCI DSS. The standards are monitored by each credit card issuer, and they can levy fines for non-compliance.
  • What about EMV cards? Don’t they make me PCI compliant by default? EMV cards, named after their developers (Europay, Mastercard, and Visa), have microprocessor chips that store and protect the cardholder’s data. EMV cards are not mandatory, but offer extra protection. They do not make you PCI compliant by default.
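The "credit card detection software" listed under PCI Software, the receipt-truncation rule in the FAQ above (PCI DSS 3.3, last four digits only), and the policy requirement that card validation codes never be stored can be illustrated with one small log scanner. This is an added example, not code from the article or from any PCI SSC tool: the PAN and CVV regexes, the field names, and the log lines are constructed assumptions, and the card number is the widely used Luhn-valid test number 4111 1111 1111 1111.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run. Heuristic constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification code written next to a field name. Field names are assumptions;
# the article's policy point is that such values must never be stored at all.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters most order ids and timestamps out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN for display so only the last four digits survive (the receipt rule)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return unmasked, Luhn-valid PANs found in text, as digit strings."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan log lines; report (line number, finding type, evidence) with PANs masked."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask_pan(pan)))
        if CVV_FIELD.search(line):
            findings.append((n, "CVV", "present"))
    return findings


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "2019-06-25 12:00:01 checkout user=alice pan=4111111111111111 amount=19.99",
    "2019-06-25 12:00:02 checkout user=bob pan=************1111 amount=5.00",
    "2019-06-25 12:00:03 order id=1234567890123456 status=ok",
    "2019-06-25 12:00:04 card=4111 1111 1111 1111 cvv=123 stored=true",
]

if __name__ == "__main__":
    for n, kind, evidence in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {evidence}")
```

Line 3 contains a 16-digit order id that fails the Luhn check and is therefore not reported, while line 2 is already truncated and produces no finding.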

Glossary of PCI Terms

  • Technology Innovation Program (TIP): The NIST Technology Innovation Program was established to accelerate and support technology innovation through research. In 2011, funds were not appropriated for TIP and the program was shut down.
  • Wireless Intrusion Prevention System (WIPS): This is a device connected to a network that monitors for unauthorized access and automatically takes action to counter any intrusion.
  • Card Holder Data (CHD): The primary account number (PAN), cardholder name, service code, and expiration date are all cardholder data.
  • Card Verification Value (CVV): This is one of the many security elements that comprise credit and debit card information. Visa, Mastercard, and Discover CVVs are three digits, while American Express CVVs are four digits. 
  • Synthetic Identity Theft: This term refers to the use of real and fabricated information from several people to create a new, blended identity.
  • Compensating Control (Alternative Control): This is a security measure that is put in place to satisfy a requirement that may be too difficult to implement.
  • Ingress Filtering: This is a method to ensure that incoming packets are from the networks they claim to be from. This method is used to counter spoofing and denial-of-service attacks.
  • Strong Cryptography: This is a method used to protect data that relies on encryption and hashing.
