In 2004, major credit card brands, including American Express, Discover, JCB, MasterCard, and Visa, came together to form an independent body, the Payment Card Industry Security Standards Council (PCI SSC), which administers and agrees on a global standard for card data security. The result of the unanimous collaboration between the payment industry giants is the Payment Card Industry Data Security Standard (PCI DSS), a standard developed to facilitate the adoption of globally coherent card data security measures.
The PCI DSS is a set of requirements and security best practices intended for organizations and service providers that process, transmit, or store cardholder data. Compliance with the PCI DSS is crucial to protecting against fraud and card data theft. It is also a strong indicator that customers can trust a business or organization to safeguard their sensitive card data. Card payment organizations and businesses that fail to comply with PCI DSS risk financial penalties or withdrawal of the facility to accept card payments.
PCI DSS Compliance Levels
The PCI SSC divides the requirements for compliance with PCI DSS into four levels, based on the number of card transactions a business handles each year.
- Level 1: This applies to businesses and merchants that process more than six million real-world credit or debit card transactions annually. Companies in this category must undergo an internal audit by an authorized PCI auditor once a year. They must also submit a PCI scan run by an Approved Scanning Vendor (ASV) to the PCI governing body once every quarter.
- Level 2: This category is for businesses that handle between one and six million actual card transactions each year. Such organizations must complete a yearly assessment using the relevant Self-Assessment Questionnaire (SAQ) and may also be required to submit a quarterly PCI scan.
- Level 3: Merchants that process between 20,000 and one million e-commerce card transactions annually must comply with level 3 of the PCI DSS. A yearly assessment using the relevant SAQ must be completed, and a quarterly PCI scan may be required.
- Level 4: This level of compliance applies to merchants that process fewer than 20,000 e-commerce transactions annually or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed, and a quarterly PCI scan may be required.
PCI DSS Requirements
The PCI DSS outlines 12 compliance requirements distributed across six broad goals, which include the following:
- Secure Network
- Secure Cardholder Data
- Vulnerability Management
- Access Control
- Network Monitoring and Testing
- Information Security
The six goals above represent the broad classification of the requirements for full compliance with the security measures outlined in the PCI DSS. To achieve these goals, organizations must implement the following 12 requirements:
- Use of Firewalls: Firewalls are an important first line of defense and a basic network essential for keeping unauthorized outside parties away from private data. PCI requires installing and maintaining a firewall configuration to comply with the card security standard.
- Proper Password Protection: Default passwords shipped with third-party network access products are potential vulnerabilities if left unchanged. PCI DSS requires organizations to use strong, unique passwords in any hardware and software that needs them in order to comply with the standard. They must also ensure that those passwords are adequately protected.
- Cardholder Data Protection: Organizations must encrypt stored card data using keys generated with specified algorithms. The keys themselves must also be encrypted, giving card data the multi-layered protection the standard requires.
- Encryption of Transmitted Data: When transmitting cardholder data to payment processors or across other public networks, ensure that the data is encrypted in transit, just as it is at rest.
- Use and Maintenance of Antivirus Software: Another security measure for PCI DSS compliance is the use and periodic maintenance of antivirus software for all devices that interact with or store any card data.
- Regular Update and Maintenance of Business Software: Organizations must develop and maintain secure systems and applications. Organizations should regularly update firewalls and antivirus software used in the data security pipeline.
- Data Access Restriction: Access to cardholder data should strictly be based on a “need to know.” That is, executives, staff, and third parties who do not need the data to perform their tasks should not have access to it. The standard also requires that the roles that require access to cardholder data be well documented and periodically updated.
- Assignment of Unique Access IDs: Staff who need access to card data should be assigned unique credentials and IDs. Each user must have their own login to the encrypted data, with credentials that no other employee knows. Assigning distinct access credentials reduces exposure to social engineering and allows a quick response in the event of a compromise.
- Restriction of Physical Access to Data: Card data held on paper, on a hard drive, or in an on-premises data center should be locked in a secure room or cabinet. In addition, every access to physically stored sensitive data should be recorded in a log.
- Monitor and Log Cardholder Data Access: Access to cardholder data and the network that stores it must be monitored, tracked, and logged. Every activity accessing PAN and other cardholder data requires up-to-date record-keeping to ensure compliance with PCI DSS. The standard also encourages incorporating access logging software to ensure the accuracy of logged data.
- Regular Scanning and Testing for Vulnerabilities: The penultimate PCI DSS compliance requirement is to regularly scan and test the card data security system for vulnerabilities. The requirements above may involve many third-party software products, physical locations, and human interactions, and any of these can malfunction or go out of date. Regularly scanning and testing the system for vulnerabilities is therefore essential to detect and address potential security issues early.
- Documentation and Maintenance of Security Policy: The last requirement to maintain compliance with PCI DSS is the comprehensive documentation of equipment, software, and employees with cardholder data access. Protocols and localized data storage and access processes must also be well documented.
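As an added example that is not part of the original article, the following Python check ties together the cardholder data protection and access-logging requirements above: it scans application log lines for unmasked PANs, confirms candidates with the Luhn check so order numbers and timestamps are not flagged, and redacts what it finds. The log lines are constructed and the card numbers in them are public test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, bounded so that adjacent digits do not extend the match.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation: separates plausible card numbers from
    arbitrary digit runs such as order ids or epoch timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the common masked form that still
    lets an operator correlate a record with a cardholder enquiry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line):
    """Return (redacted_line, findings); findings lists each PAN found.
    Non-PAN digit runs are left untouched."""
    findings = []

    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        findings.append(digits)
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), findings


def scan_log(lines):
    """Scan every line; return (line_no, redacted_line) for each record that
    contained an unmasked PAN, i.e. the records an assessor would flag."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted, found = scan_line(line)
        if found:
            hits.append((n, redacted))
    return hits


# Constructed sample log. 4111111111111111 and 5555 5555 5555 4444 are public
# test card numbers; 1234567890123456 fails Luhn and is only an order id.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO  order=1234567890123456 status=created",
    "2024-03-01T10:00:02Z DEBUG auth request pan=4111111111111111 amt=19.99",
    "2024-03-01T10:00:03Z INFO  user=alice accessed PAN 5555 5555 5555 4444",
    "2024-03-01T10:00:04Z INFO  payment token=tok_7f3a9c masked=************1111",
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```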
What is PCI DSS v4?
On March 31st, 2022, the PCI SSC announced the release of version 4.0 of the PCI DSS—the next evolution of the card data security standard. The new version provides updates and significant changes to the previous version (v3.2.1) to beef up card security practices as potential threats evolve. In the governing body’s statement, the changes reflected in the PCI DSS v4.0 emphasize their determination to “continue to meet the security needs of the payment industry, promote security as a continuous process, add flexibility for different methodologies, and enhance validation methods.”
The primary goals for PCI DSS v4.0 include:
- Continue to meet the security needs of the payment industry
- Promote security as a continuous process
- Add flexibility for different security methodologies
- Enhance data validation methods
Difference Between PCI DSS v3.2.1 and v4.0
Updates to v3.2.1 that are reflected in the new v4.0 can be mainly classified into new requirements and modifications to existing requirements.
Below are some essential highlights from the two classifications.
1. New Requirements
Although the PCI DSS v4.0 still contains the core 12 high-level requirements highlighted in the previous versions, additional detailed requirements are added as subcategories to the 12 fundamental requirements. Depending on the security maturity of an organization, these new requirements may have a highly significant or mild effect on the organization’s card security program.
The following are some new requirements in v4.0:
- Adopt a procedure for controlling and maintaining all payment page scripts that are loaded and run in users’ browsers.
- Review user access and related privileges every six months for all in-scope user accounts.
- Limit access to application and system accounts and periodically review those accounts’ access rights.
- Implement a payment page change detection mechanism.
- Formalize an annual risk assessment program.
- Conduct yearly hardware and software reviews.
- Organizations must document and annually confirm the scope of requirements they implement.
- Organizations must clearly define roles and responsibilities within each requirement area.
- A risk assessment must be in place for any customized approaches.
- Vendors and third parties must facilitate customer requests for a roles-and-responsibilities matrix between the TPSP (Third-Party Service Provider) and the customer.
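As an added example that is not from the original article or from any PCI SSC tooling, here is one way to implement the two payment-page items above (an inventory of authorized scripts and a change-detection check) in Python with only the standard library. Every script on the page is identified either by its external `src` or by the SHA-256 of its inline body and compared against the written inventory; the sample page, the domains and the integrity value are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones by src (plus the
    integrity attribute, if any), inline ones by the SHA-256 of their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # (kind, identifier, integrity_attr_or_None)
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append(("external", a["src"], a.get("integrity")))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest(), None))
            self._inline = None

def inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def check_page(html, authorized):
    """Compare a fetched payment page with the written inventory, which maps
    each identifier (external src or inline SHA-256) to its justification.
    Returns findings; an empty list means the page matches the baseline."""
    findings, seen = [], set()
    for kind, ident, integrity in inventory(html):
        seen.add(ident)
        if ident not in authorized:
            findings.append(f"unauthorized {kind} script: {ident}")
        elif kind == "external" and not integrity:
            findings.append(f"external script without integrity attribute: {ident}")
    for ident in authorized:
        if ident not in seen:
            findings.append(f"authorized script missing from page: {ident}")
    return findings

# Constructed sample inventory and page; the domains and the integrity value
# are placeholders, not real resources.
INLINE_OK = "document.getElementById('pay').addEventListener('submit', validate);"
AUTHORIZED = {
    "https://js.example-psp.test/checkout.js": "hosted card form from the PSP",
    hashlib.sha256(INLINE_OK.encode()).hexdigest(): "client-side form validation",
}
BASELINE_PAGE = f"""<html><body><form id="pay"></form>
<script src="https://js.example-psp.test/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>{INLINE_OK}</script>
</body></html>"""
# The same page with one script added that is absent from the inventory.
CHANGED_PAGE = BASELINE_PAGE.replace(
    "</body>", '<script src="https://cdn.unknown.test/a.js"></script></body>')
if __name__ == "__main__":
    print(check_page(BASELINE_PAGE, AUTHORIZED))  # []
    print(check_page(CHANGED_PAGE, AUTHORIZED))
```

Run the check on a schedule against the live payment page and treat any non-empty result as a change-detection alert to be triaged against the inventory.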
2. Improvements to Previous Requirements
Improvements implemented in v4.0 include the following:
- Expanded multifactor authentication requirements.
- Update to password requirements.
- New e-commerce and phishing requirements to address ongoing threats.
- Clearly assigned roles and responsibilities for each requirement.
- Added guidance to help people better understand how to implement and maintain security.
- New reporting option to highlight areas for improvement and provide more transparency for report reviewers.
- Allowance of group, shared, and generic accounts.
- Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
- Customized approach: a new method to implement and validate PCI DSS requirements that gives organizations using innovative ways to achieve security objectives another option.
- Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
PCI DSS v4 Implementation Timeline
With v4.0 now launched, PCI DSS v3.2.1 will remain in effect for two years. This transition period, from March 2022 to March 31st, 2024, is intended to give organizations time to familiarize themselves with PCI DSS v4.0, update their reporting templates and forms, and plan and implement the changes needed to meet the updated requirements.
Benefits Of PCI Compliance
- PCI Compliance means that an organization’s card payment systems are secure, and customers can trust the business with their sensitive payment card information.
- PCI compliance boosts your credibility with acquirers and payment brands.
- Compliance with PCI eases efforts to comply with additional regulations, such as HIPAA, SOX, and others.
- PCI compliance is a continual procedure that aids in the mitigation of security incidents and payment card data theft in the present and future.
- PCI compliance improves overall security and the efficiency of an organization’s IT infrastructure.
How to Prepare for the Adoption of PCI DSS v4.0
- Assess your PCI DSS security program with the appropriate SAQ or other assessment parameters provided by the PCI SSC.
- Identify compliance gaps in your security program, using v4.0 requirements as the standard.
- Educate concerned employees on the requirement gaps.
- Collaborate with necessary stakeholders to address these compliance gaps.
- Iterate through the new version’s requirements until you are fully compliant with the requirements for your compliance level.