What is PCI compliance? A guide for businesses

Businesses that want to remain competitive, must accept credit cards. However, credit card fraud, identity theft, and the theft of data are increasing at alarming rates.

As such, it's critical that companies protect their customers' payment card data. Lax security lets criminals steal and use consumers' personal financial information from payment transactions and processing systems.

Vulnerabilities can show up anywhere in the credit card processing environment, including online shopping applications, point-of-sale devices, and even when cardholder data is transmitted to service providers. Vulnerabilities can also appear in the systems of service providers and acquirers—in other words, the financial institutions that merchants use to process their debit or credit card payments.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can help companies protect cardholder payment account data. However, although PCI compliance improved in 2020, "the cybersecurity threats businesses are now facing are more cunning and evasive than they were even two years ago," according to the 2022 Verizon Payment Security Report.

What is PCI compliance?

The Payment Card Industry Data Security Standard is an information security framework that aims to help merchants and service providers protect debit and credit card transactions from data breaches.

All businesses that accept, transmit, or store cardholders' private payment card information must adhere to the 12 operational and technical PCI compliance requirements. This is to maintain secure environments as well as protect their customers’ cardholder data—and their reputations as reliable companies.

However, PCI DSS compliance is not a law or regulation; instead, it is an industry mandate. Still, companies that don't comply with PCI standards can be fined for negligence and violating agreements.

A timeline of PCI DSS

In 2004, in response to skyrocketing credit card fraud, Visa, Discover, Mastercard, American Express, and JCB launched PCI DSS 1.0. Then, in 2006, the card brands added other organizations to their security initiative, including merchants, financial institutions, point-of-sale vendors, software developers, and processor companies, and formed the PCI Security Standards Council (PCI SSC). The PCI SSC requires that businesses become PCI DSS compliant as well as demonstrate their ongoing commitment to securing credit card data.

Version PCI DSS 1.1 was released in 2006, and further revisions have been issued since then. The latest evolution of the standard, PCI DSS 4.0, was released on March 31, 2022. However, the previous version, PCI DSS v3.2.1, will still be active until March 31, 2024, giving companies two years to understand and implement PCI DSS 4.0. At that time, PCI DSS 4.0 will supersede v3.2.1. But businesses will have until March 31, 2025 to verify compliance with PCI DSS 4.0.

There are four ongoing steps to protect payment account data with PCI DSS 4.0:

Assess: Businesses must identify all locations where they keep payment account data. That means they must conduct an inventory of all their business processes and IT assets that are associated with payment processing, analyze them for flaws that could expose payment account data, update or implement necessary controls, and undergo a formal PCI DSS assessment.

Remediate: Companies must identify and address any gaps in their security controls, fix any vulnerabilities that they find, securely remove any unnecessary payment data storage, and implement secure business processes.

Report: Organizations must document the details of their assessments and remediations and submit compliance reports to the compliance-accepting entity, usually the payment brands or acquiring bank.

Monitor and maintain: Firms must confirm that the security controls they put in place to secure the payment account data continue to function appropriately and effectively throughout the year. Companies must implement these processes as part of their overall security strategies to help guarantee ongoing protection.

The 12 PCI compliance requirements

The 12 PCI compliance requirements established by PCI SSC are operational as well as technical; however, the main focus of these requirements is always to protect cardholder data. These are the 12 requirements set forth by the PCI SSC for PCI DSS 4.0 (they differ slightly from the rules for PCI DSS v3.2.1).

1. Install and maintain network security controls

Network security controls, such as firewalls, are "network policy enforcement points that control network traffic between two or more logical or physical network segments (or subnets) based on predefined policies or rules." Historically, this has been done using physical firewalls. Now, however, cloud access controls, virtual devices, virtualization/container systems, and other software-defined networking technology can act as network security controls.

2. Apply secure configurations to all system components

Often, bad actors inside and outside an organization use default passwords and other vendor default settings to gain unauthorized access to the company's systems. By applying secure configurations to system components, a business reduces the ways that an attacker can compromise its systems. Additionally, a company can help shrink the potential attack surface by removing unnecessary software, accounts, and functions, changing default passwords, and removing or disabling any services they don't need.

3. Protect stored account datax

Organizations shouldn't store payment account data unless it's essential to the business. Companies also shouldn't store sensitive authentication data after transactions have been authorized. If organizations store customers' primary account numbers (PANs), they must ensure those numbers can't be read. Companies that store sensitive authentication data before authorization is completed must also protect that data.

4. Protect cardholder data with strong cryptography during transmission over open, public networks

Companies must encrypt PANs when they're being transmitted over networks that malicious individuals can easily access. These networks include open, public, and untrusted networks. Threat actors continue to target wireless networks that aren't configured correctly. They also target flaws in authentication protocols and legacy encryption to gain privileged access to every system that stores, handles, or transmits cardholder data. To secure PAN transmissions, companies can encrypt the session over which the data is transmitted, encrypt the data before it's transmitted, or both.

Learn more: what is P2PE (point-to-point encryption)?

5. Protect all systems and networks from malicious software

Malicious software—or malware—is software that's installed on a computer without an organization's knowledge or consent to compromise that company's systems, data, and/or applications. Malware includes Trojans, worms, viruses, ransomware, spyware, malicious code, rootkits, keyloggers, and scripts. Malware authors deliver their malware to a network through a variety of methods, including collaboration tools and phishing attacks.

6. Develop and maintain secure systems and software

Attackers can exploit security vulnerabilities in applications and systems to access payment data. However, organizations can eliminate many of these flaws by installing security patches provided by vendors. These patches quickly repair specific pieces of programming code. To prevent cybercriminals from exploiting vulnerabilities, organizations must ensure they've installed the most up-to-date patches on their critical systems and apps.

Companies must also patch systems that aren't as critical in an appropriate period of time, which is based on performing a formal risk analysis. "Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures," according to the PCI Security Standards Council.

7. Restrict access to cardholder data by business need-to-know

Threat actors may gain access to systems and critical data because organizations' control rules and definitions are not effective. To make certain that only authorized individuals can access critical data, companies must implement systems and processes that ensure users have legitimate reasons to access sensitive information. And they must only give them access to the information they need to do their jobs, regardless of their levels of security clearance or other approvals.

8. Identify users and authenticate access to system components

Businesses must assign a unique identifier to each person who has access to sensitive data and systems so they can be sure that only known and authorized individuals are working with the data. This also allows companies to trace the actions taken on that data back to specific users. "These requirements apply to all accounts, including point-of-sale accounts, those with administrative capabilities, and all accounts used to view or access payment account data or systems with those data," according to the PCI SSC. However, these requirements don't apply to accounts used by cardholders.

9. Restrict physical access to cardholder data

Companies should restrict physical access to cardholder data or systems that store, process, or transmit that data. This prevents people who aren't authorized from physically accessing systems or removing paper documents containing this information.

10. Log and monitor all access to system components and cardholder data

It's critical that companies implement logging mechanisms so they can track user activities to detect anomalies and suspicious activity as well as for effective forensic analysis. Logging enables organizations to thoroughly track user activity and detect if something goes wrong. Without system activity logs, it's just about impossible to identify the cause of a compromise.

11. Test security of systems and networks regularly

Researchers and cybercriminals are continuously discovering new flaws in software. In addition, vulnerabilities are introduced when new software is released. Consequently, companies must frequently test system components, processes, and custom software to be sure the appropriate security controls are in place.

12. Support information security with organizational policies and programs

Businesses must ensure that all their employees understand the sensitivity of payment account data and what they have to do to protect it. Implementing a strong security policy sets the tone for security throughout the company, and it lets employees know what their responsibilities are in terms of security.

Do merchants need to be PCI compliant if a third-party processes their payments?

Merchants using third-party payment processors still need to be PCI compliant. However, using third parties will most likely cut down their risk exposure and make it easier to validate compliance.

Third-party payment gateways use data security methods, such as tokenization, that allow companies to store tokens on their local servers instead of the actual data. Tokens replace sensitive card data without exposing actual account details. Tokenization enables businesses to offer customers one-click payments to make the checkout process easier and faster.

Using payment gateways can remove some of the burden of PCI compliance; however, businesses are still responsible for their own security, and they must commit to continually testing, strengthening, and updating their PCI compliance.

What are the 4 PCI compliance levels?

There are four PCI compliance levels that are determined by the number of transactions an organization handles every year. The payment brands, i.e., American Express, Visa, Mastercard, Discover, and JCB, have their own programs for compliance as well as their own thresholds for the levels of PCI DSS compliance.

Level 1: Businesses that process:

• 6 million or more Visa, Mastercard (combined with Maestro), or Discover transactions.
• 2.5 million or more American Express transactions.
• 1 million or more JCB transactions.

In addition, any business that:

• Has had a cyberattack or data breach that compromised cardholder data.
• Has been identified as Level 1 by one of the card schemes.

Key requirements:

• On-site assessment using the PCI DSS requirements and security assessment procedures conducted by an approved security assessor or a qualified internal security assessor.
• Quarterly network scan by an approved scanning vendor (ASV).
• Annual penetration test.

Level 2: Businesses that process:

• 1 to 6 million Visa, Mastercard (combined with Maestro), or Discover transactions.
• 50,000 to 2.5 million American Express transactions.
• Fewer than 1 million JCB transactions.

Key requirements:

• Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
• Quarterly network scan by an ASV.
• Annual penetration test.

Level 3: Businesses that process:

• 20,000 to 1 million Visa, Mastercard (combined with Maestro), or Discover transactions.
• Fewer than 50,000 American Express transactions.

Key requirements:

• Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
• Quarterly network scan for vulnerabilities by an ASV.
• Completion of the Attestation of Compliance (AOC) form.

Level 4: Businesses that process:

• Fewer than 20,000 Visa or Mastercard (combined with Maestro) e-commerce transactions or up to 1 million total Visa or Mastercard credit card transactions and that have not suffered a data breach or attack that compromised card or cardholder data.

Discover, American Express, and JCB don't have PCI Level 4 designations. Discover and American Express stop at PCI Level 3, while JCB stops at PCI Level 2.

Key requirements:

• Completion of the appropriate SAQ.
• Quarterly network scan by an ASV.
• Completion of an AOC.

Are there PCI compliance fees?

Many payment service providers (PSPs) charge businesses monthly or annual PCI compliance fees. Some PSPs using the more transparent interchange++ pricing model also choose to include PCI DSS fees as part of their IC++ model, as these costs are seen as separate from Visa, Mastercard and other card scheme fees.

Checkout.com, however, does not charge any PCI compliance fees.

PSPs are required to follow PCI standards, but many of them provide their merchants with additional PCI compliance tools and services—and they charge extra for them.

PCI compliance fees depend on the PSPs charging them. But it's often difficult for businesses to know what extra support their providers are charging them for. That means businesses have to do their own research to figure out exactly why they're being charged compliance fees.

How Checkout helps companies with PCI compliance

Checkout is PCI DSS Level 1 compliant (which is the highest standard set by the payment card industry). While PCI compliance may seem overwhelming at first, there are plenty of resources to lean on for help.

For example, Qualified Security Assessors (QSAs) are independent security organizations and individuals that have been qualified by the PCI Security Standards Council. QSAs can validate an entity’s adherence to the PCI DSS and can support merchants through the process.

To offer PCI compliance assistance to our merchants, Checkout.com has partnered with SecurityMetrics, a QSA company.

To find out more about how Checkout.com can help with implementing PCI compliance, see our documentation.

‍