What’s PCI Compliance and How Does It Work?
PCI compliance is more than just your IT team’s responsibility.
Have you ever seen or heard a word or phrase where you thought you understood what it meant, but you later learned that it meant something else? Or that there was more to the word or phrase than what you thought you knew?
PCI compliance, or PCI-DSS, is one of those commonly used terms in the world of payments and security: you’re familiar with it and know it’s a major focus for an IT team, but you might not know what it involves, how it works, or that everyone at your organization plays a part in maintaining compliance.
Maintaining PCI-DSS isn’t just your IT department’s responsibility. It’s a topic that everyone at the company should be educated on because everyone plays a role in protecting the organization’s data, reputation, and most importantly, customers’ information.
We’re going to cover the basics of this topic so that you have a solid foundation to start with and the next time you see or hear those words, you’ll have a better understanding of it.
What’s PCI Compliance?
First things first, what’s PCI compliance? The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard that encompasses a detailed set of requirements for organizations to manage and secure payment card data. It was established by the Payment Card Industry Security Standards Council (PCI SSC), which is an alliance of the five major credit card companies – VISA, American Express, JCB, Discover, and MasterCard. These card providers created the guidelines to establish a baseline of security requirements that protects cardholder data and accommodates emerging payment methods. If your organization accepts, stores, processes, or transmits cardholder data – regardless of its size and transaction volume – then you’re expected to comply with PCI-DSS.
What’s Considered to be PCI Compliance Data?
Cardholder data as defined by the PCI-DSS is, at a minimum, the primary account number (PAN), or the PAN in combination with any of the cardholder name, card expiration date, and service code. Additionally, sensitive authentication data falls under PCI compliance and must not be stored unless it’s absolutely necessary. Only card issuers or companies that support card issuing services may store sensitive authentication data. This includes card validation codes, track data from a magnetic stripe or card chip, PINs, and other information used to validate cardholders or transactions.
Does PCI Compliance Apply for International Businesses?
If a business stores, accepts, transmits, or processes payment card information, then it’s subject to the guidelines and standards set by the PCI SSC. Since the framework was mandated by the 5 leading international payment card providers, it’s considered a global industry standard for ensuring that cardholder information is handled securely. Europe has its own set of data protection rules, the General Data Protection Regulation (GDPR). GDPR and PCI-DSS share some overlap, so businesses that follow both are better protecting their data.
As companies continue to find new ways to accept and process card data, these guidelines will evolve. While staying on top of this can seem tedious, it’s more beneficial in the long run: it protects not only your reputation but your customers’ data as well.
How Does PCI Compliance Work?
While PCI compliance can seem daunting, think of it as a checklist of best practices that an organization can use as a framework when dealing with cardholder data. PCI compliance is an ongoing process that needs to be evaluated every year. It can be broken into three parts:
Assess: This is the step where you take an inventory of all your IT assets and identify where cardholder data is located. This step is critical in determining where you’re exposing yourself to vulnerabilities.
Repair: This is where you would fix those “holes.” In this stage, you’d also remove any cardholder data storage and implement secure processes to better manage cardholder information.
Report: In this stage, you document your assessment and submit your reports to the card brands and acquiring bank that you do business with.
PCI compliance isn’t the same for all organizations. It consists of 4 levels, and an organization is required to maintain compliance within its specific level. As a company’s transaction volume fluctuates, it can move up or down a level.
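The distinction above between cardholder data (the PAN) and sensitive authentication data that must not be stored, together with the Assess step’s task of finding where cardholder data sits, as an added example that is not from the original post: a small Python scanner over constructed log records (using industry test card numbers, not real cardholders) that Luhn-validates digit runs, masks any PAN found to the first six and last four digits, and flags fields named for sensitive authentication data. The record format and field names are assumptions for the illustration.

```python
import re

# Constructed sample records (industry test card numbers, not real cardholders),
# standing in for an application log export reviewed during the Assess step.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/27 name=A. Example",
    "order=1002 pan=5555 5555 5555 4444 cvv=123",
    "order=1003 ref=1234567890123456",  # 16 digits but fails Luhn: a reference, not a PAN
    "order=1004 track=%B4111111111111111^EXAMPLE/A^2712101?",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names that indicate sensitive authentication data (must not be stored).
SAD_RE = re.compile(r"\b(cvv|cvc|cid|track|pin)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, so it filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then sum its digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI-DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(record: str) -> list:
    """Return (kind, detail) findings: masked PANs and SAD field names found in one record."""
    findings = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("PAN", mask_pan(digits)))
    for m in SAD_RE.finditer(record):
        findings.append(("SAD", m.group(1).lower()))
    return findings


def scan_records(records: list) -> dict:
    """Map record index to findings, keeping only records that contain cardholder data."""
    results = {i: scan_record(r) for i, r in enumerate(records)}
    return {i: f for i, f in results.items() if f}
```

Records flagged with a SAD finding are the ones the Repair step must purge, while PAN findings show where storage must be encrypted or removed and where displays must stay masked.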
Depending on their compliance level, some organizations may need to contract an independent, PCI SSC-approved Qualified Security Assessor (QSA) to carry out an on-site assessment of compliance with the PCI-DSS requirements and complete a Report on Compliance (ROC) afterwards. Other merchants may fill out a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) instead of a ROC. An Approved Scanning Vendor (ASV) may also be needed for quarterly network scans.
There are 4 PCI compliance levels for merchants, including the steps required to achieve compliance with each level:
Level 1: Merchants processing over 6,000,000 transactions annually. Level 1 merchants must contract a QSA, file a ROC and pass quarterly network scans using an ASV.
Level 2: Merchants processing between 1,000,000 and 6,000,000 transactions annually. Level 2 merchants may complete a SAQ and AOC and pass quarterly network scans using an ASV.
Level 3: Merchants processing between 20,000 and 1,000,000 transactions annually. Level 3 merchants may complete a SAQ and AOC and pass quarterly network scans using an ASV.
Level 4: Merchants processing less than 20,000 transactions annually. Level 4 merchants may complete a SAQ and AOC and pass quarterly network scans using an ASV if it is applicable to their cardholder environment.
Additionally, there are 2 PCI compliance levels for service providers.
Level 1: Service providers processing 300,000 or more transactions annually. Level 1 service providers must contract a QSA, file a ROC and pass quarterly network scans using an ASV.
Level 2: Service providers processing less than 300,000 transactions annually. Level 2 service providers may complete a SAQ and AOC and pass quarterly network scans using an ASV.
These compliance levels are ranked by the volume of transactions an organization processes in a year. They aim to simplify achieving and maintaining PCI compliance for smaller organizations that process fewer transactions, compared to larger organizations with more resources to dedicate to compliance.
PCI-DSS is a broad and complex topic, but it helps to have a good grasp of what it is at a fundamental level so that you’re better equipped to help protect your organization and customers’ information, no matter what your role is.
Next up, we’ll dive into the twelve requirements of PCI compliance and why organizations should be compliant.
Interested in learning more? Check out A Definitive Guide to PCI Compliance.
About the Author
Chandra is the former Communications Manager at Sertifi where she contributed to the blog and oversaw content and branding.