Modern commerce in one way or another is faced with electronic methods of payment for services and goods, and in this place enterprises are faced with such a delicate issue as the security of customer payment data. In this article, we will briefly talk about what the PCI DSS standard is, why it is important for your business, and how to get certified. Read on to find out more.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a data security standard for the payment card industry. It was developed by the five largest payment systems: Visa, MasterCard, Discover Financial Services, JCB International and American Express, which formed the PCI Security Standards Council in 2006. And it is aimed at protecting credit and debit card transactions from data theft and fraud.
PCI DSS is not a mandatory standard, and if you do not use it, then in general, you are not violating any laws. However, if your business processes credit and debit card transactions of the mentioned companies, and, accordingly, processes and stores customer data, you must comply with it.
For non-compliance with the PCI Data Security Standard (PCI DSS) requirements, the organization will sooner or later be charged with a fine in the amount of 10 to 200 thousand dollars. The amount of the fine depends on the type of payment system, the status of the company, the frequency of the violation, and some other factors.
Benefits of PCI DSS certification
The benefits of PCI DSS certification can be roughly divided into two categories: company image and technology.
The standard dictates certain conditions that an organization must comply with. Thanks to this, an enterprise can structure the criteria that must be met in order to ensure the proper security of transactions, taking into account the specifics of the business.
PCI DSS certification allows you to work with banks directly through the payment interfaces of the bank and the enterprise itself. This allows you to exclude the transition of the buyer to the site of a third-party organization. Accordingly, the likelihood of fraud is reduced, as well as the fact that the client changes his mind about making a payment.
The fact of a successful audit for compliance with the PCI DSS standard makes it clear to your customers that you care about the security of cardholder data. Accordingly, they will be more willing to use your services, which will increase business income.
In general, PCI compliance is the best way to protect sensitive data and information in this area. Also, the presence of a certificate allows you to build more trusting relationships with customers and business partners.
PCI DSS compliance levels
Since cardholder data can be stored not only by companies that are engaged in trade, but also by service providers: payment intermediaries, financial and service companies, etc., compliance for them, respectively, is slightly different.
For merchants, there are 4 levels of certificates, which in turn differ in the maximum possible number of processed transactions:
Level 4: allows you to process up to 20 thousand transactions per year. A quarterly network scan by an Approved Scanning Vendor (ASV) is required, as well as completion of a Self-Assessment Questionnaire (SAQ).
Level 3: from 20 thousand to 1 million transactions per year. Quarterly ASV scans and SAQ are required for certification.
Level 2: 1 million to 6 million transactions. As with the previous levels, an ASV scan and SAQ completion is required. At the same time, to fill the SAQ at this level, it is necessary to involve auditors, or send your employees to special training.
Level 1: over 6 million transactions. In this case, the company undergoes the most thorough check — auditors check the company’s documentation and infrastructure to make sure that all processes in the company meet the standard.
Because service providers may not accept payments directly, they may still be in contact with payment data. Therefore, the conditions for them are slightly different, and there are fewer levels:
Level 2: less than 300 thousand transactions per year. Completing the SAQ is usually sufficient for this level.
Level 1: allows you to process more than 300 thousand transactions per year. The provider must complete a Report of Compliance (ROC).
The main difference between SAQ and ROC is that SAQs are conducted by internal company experts, while ROCs are conducted by Qualified Security Assessors (QSAs) or Internal Security Assessors (ISAs).
It is worth noting that often merchants and providers choose the second option, since it involves more stringent verification, which has a positive effect on security and marketing.
At the same time, you can use automated solutions for payment card industry data security standard compliance. For example, we at ESKA use a product from Vanta in our work with clients, which greatly simplifies the process of preparing for an audit and reduces the time for ROC and SAQ.
Key PCI DSS requirements
In total, 12 requirements apply to the enterprise, they are divided into 6 categories and are presented below:
1. Network security support:
a. Computer network protection and firewall configuration;
b. Changing the default settings for network equipment.
2. Data protection:
a. Protection of cardholder data;
b. Protection and encryption of transmitted data about cardholders.
3. Vulnerability management:
a. Antivirus soft;
b. Need to develop and maintain secure systems and applications.
4. Access control:
a. Restriction of access to cardholder data;
b. Implementation of authentication mechanisms;
c. Restriction of physical access to information infrastructure.
5. Network monitoring:
a. Logging of events and actions;
b. Regular checks of information security systems.
6. Information security management:
a. Creation of an effective information security policy.
In total, the standard requires the pass of about 440 verification procedures.
PСI DSS compliance: preparation for audit and certification
First of all, your enterprise must prepare all regulatory and administrative documents on information security: policies, descriptions of procedures, instructions and regulations. Remember also that the documentation should be reviewed and corrected if there were any changes in the infrastructure. In addition, the standards also periodically change and are supplemented with new rules. Therefore, it is advisable to monitor this and make adjustments in a timely manner.
If the organization is being audited for the first time, then management needs to determine what part of the enterprise infrastructure will be certified. This is necessary so that you do not have to accompany any changes to the infrastructure with new tests for compliance with the requirements of the standard.
A penetration test is a very important step in preparing a company for PCI DSS certification. Therefore, it is necessary to treat it with the utmost care. You can learn more about penetration testing here.
The final stage, during which the auditor, first of all, evaluates the documentation of the enterprise. Also, during the audit, security system parameters, network topology, isolation of infrastructure segments and other characteristics are checked. In addition, the auditor communicates with employees to ensure that they comply with the company’s security policies, know how to act in cases of information security threats, etc.
PCI DSS compliance automation
ESKA specialists are Qualified Safety Assessors (QSA) and can replace a whole team of external consultants. Using tools from Vanta, we can increase the speed and quality of audit preparation. This happens due to the automation of work processes with SAQ and ROC. And also due to continuous security monitoring and an integrated approach to work. With us, you will be able to bring your enterprise to compliance with the PCI Data Security Standard in the shortest possible time.
Compliance with this standard is not just a formality, but a matter of the security of your customers’ data, and, accordingly, your reputation. The implementation of PCI DSS allows you to streamline certain processes in your business and open up new horizons for your enterprise. If you have any questions regarding standardization, please leave your contacts in a special form on our website, and our specialists will contact you as soon as possible.