PCI DSS Compliance Checklist
Are you PCI DSS Compliant? If you answer NO to any of these questions, you may not be compliant.
- Have your hardware and IT systems been audited for stored credit card numbers in the last 6 months?
- Do you store customer credit card information within your IT system?
- Do your call centre agents hear credit card information from customers, or is it hidden from them?
- Do you have controls in place that outline how you collect, process, store and transmit customer credit card information?
When assessing if you are PCI DSS compliant, it is essential to fully understand the purpose and requirements that are defined by the PCI DSS standards. Below is a list of frequently asked questions that clients often ask when they begin the process of becoming PCI DSS compliant.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standards. It is a set of standards covering payment system security created and maintained by the Payment Card Industry Standards Council, a worldwide forum founded by American Express, MasterCard, and Visa, Inc. Today, the council includes all five of the major payment brands and other financial industry stakeholders. The PCI DSS standard is enforced by the payment brands themselves to ensure that transactions remain secure for both cardholders and the institutions that process their payments.
What is PCI DSS compliance?
PCI DSS compliance consists of implementing a set of data security measures to ensure that sensitive personal and financial information is not lost or stolen from a business’s payment processing or storage systems. The data covered by PCI DSS includes:
- The cardholder’s name, primary account number, card expiration date, and service code.
- Authentication data for the card, such as the data encoded on the magnetic stripe, PINs, and other security codes like CVC2 and CVV2 values.
If any of this information is processed or stored during or after transactions, then PCI DSS compliance requires a list of safeguards be put into place and maintained by the business.
Why was PCI DSS compliance introduced?
Credit card fraud has been growing over the past two decades and is predicted to continue growing. By 2014, credit card fraud had reached $16 billion, and financial industry estimates expect it to reach $35 billion by 2020. In addition to the immediate financial losses suffered by banks and consumers when a card account is used fraudulently, the release of personal information obtained from credit card data breaches also contributes to identity theft.
The majority of payment card fraud happens because of data breaches at businesses and payment processors. Card account and authentication information that is stolen during these breaches is used to make unauthorised purchases online, and duplicate payment cards are made and used at bricks-and-mortar stores.
This trend led to the formation of the Payment Card Industry Standards Council, which created the first version of PCI DSS in 2004. The payment card industry enforces its requirements with merchants that do business with their cards by making them liable for fines and other fees when they are found to be out of compliance or suffer data breaches.
Who needs to be PCI DSS compliant?
The data security standards apply to any business that conducts transactions using one of the five major payment card brands or that stores cardholder information. These businesses need to ensure that their data systems comply. If a third party conducts a business’s transactions on its behalf, that business is still responsible for ensuring that the payment processor complies.
What are the benefits of being PCI compliant?
PCI DSS compliance reduces the likelihood that a security breach will impact the customers who do business with a company. This gives the compliant company a couple of benefits.
The financial benefit is avoiding the costs of a data breach suffered while out of compliance. Fines imposed on merchants who suffer breaches can be as high as $50,000, not to mention the damage to the company brand caused by the breach. The cost of post-breach security investigations, providing credit monitoring services to affected customers, and other legal liabilities can push the cost of a breach much higher.
Beyond the financial benefit, however, is the benefit to a company’s brand and reputation among its customers and peers when it takes measures to secure customer credit card data. Customer trust is difficult to win back after a major data breach.
What are the key requirements for PCI DSS compliance?
The PCI DSS compliance checklist consists of twelve essential requirements:
- Install a correctly configured firewall that protects cardholder information
- Ensure that default passwords and configurations on third-party equipment are changed to secure settings
- Maintain protections for cardholder information that’s stored in a business’s data systems
- Ensure that cardholder information is encrypted when transmitted over public networks
- Maintain anti-malware and virus protection on all the business’s information systems
- Establish and maintain secure data processing and storage systems
- Maintain confidentiality of cardholder information, allowing access only on a “need to know” basis
- Identify all system components and maintain their security
- Secure physical access to the business’s data systems containing cardholder information
- Monitor and log all traffic to and within the business’s network and systems containing cardholder information
- Test security policies and systems on a regular basis
- Create an enterprise-wide information security policy that applies to all employees
This list of requirements becomes the outline of a company’s PCI checklist as they bring their information and payment processing system into compliance.
Are there different levels of PCI DSS compliance?
Yes, there are four merchant levels of PCI compliance. Which of these levels applies to a company is determined by the volume of payment transactions it processes and its data breach history. Levels 2, 3, and 4 are for merchants with transaction volumes up to 6 million annually. All three require a self-assessment questionnaire, a network scan by an Approved Scanning Vendor quarterly, and submission of an Attestation of Compliance Form.
Level 1 merchants have annual transaction volumes over 6 million, have suffered a data breach that resulted in data loss, or have otherwise been identified as a level 1 merchant by the council. In this case, the merchant must also submit a Report on Compliance prepared by a Qualified Security Assessor (QSA).
How do you know if you are PCI DSS compliant?
PCI compliance can be a complicated process because of the comprehensive nature of its requirements. Compliance can be achieved by instituting a set of high-level goals that guide a company’s security policies. When these measurable goals are met, a QSA can determine whether the company has achieved PCI DSS compliance.
Here is an example list of goals a company can pursue to achieve full compliance with PCI DSS:
- Create secure information systems and internal networks
- Maintain a program that manages vulnerabilities as they are discovered
- Monitor and test the security of company networks
- Create an information security policy and adhere to it
- Institute access control measures both internally and externally
- Encrypt customer information and restrict access to it