
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS Explained.

When you accept credit cards, debit cards, and other electronic payments, your business connects to a complex network of issuing banks, card brand networks, acquirers, and payment processors. Connecting to that system requires meeting a minimum set of security requirements for sensitive data, because payment fraud costs every participant money.

The Payment Card Industry Data Security Standard (PCI DSS) must be followed by every business that accepts payment cards. Its requirements cover network architecture, software design, security management, policies, and other preventive controls. Businesses that do not comply are exposed to the consequences of a data breach, including penalties, fees, and lost revenue.

Over the past two decades, there has been a revolution in electronic payments. How have those developments been reflected in payment security standards? How has the sector reacted to the dangers posed by fraud and data breaches?

The PCI DSS timeline starts in 2004. As payment fraud increased, the card brands, which until then each ran their own security program, agreed on a shared set of security requirements. In December 2004, the founding members (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) released PCI DSS 1.0. The new standard applied to all businesses accepting payment cards as well as to any organization engaged in payment processing.

Version 1.1, released in September 2006, required merchants to review their web-facing applications for vulnerabilities or protect them with an application-layer firewall, and tightened the firewall requirements. The PCI Security Standards Council (PCI SSC), the independent body that has managed the standard ever since, was founded in 2006 alongside version 1.1.

The PCI SSC updates the standard regularly to reflect current good practice. Version 1.2, released in October 2008, clarified the anti-virus requirements and added requirements for securing wireless networks (for example, WEP was no longer permitted for new deployments).

PCI DSS 2.0 was released in October 2010 with the aim of clarifying requirements and streamlining the assessment process. PCI DSS 3.0 was released in November 2013 and became mandatory in January 2015, when 2.0 was retired. It focused on three areas: more security education and awareness for all employees of businesses that accept cards, more flexibility in how secure authentication is achieved, and a renewed emphasis on security as a shared responsibility in an era of many third-party touchpoints.

PCI DSS v4.0, released in March 2022, is the current major version (v4.0.1, a limited revision with clarifications and no new requirements, followed in June 2024, and v3.2.1 was retired on 31 March 2024). v4.0 adds expanded multi-factor authentication (MFA) requirements, explicitly assigned roles and responsibilities for each requirement, and new e-commerce and anti-phishing requirements that address current attacks.

After this brief introduction to PCI DSS and its history, the rest of this article looks at the subject from several angles and answers the following questions:

  • What is PCI DSS?

  • What is the latest version of PCI DSS and what is new in it?

  • What are the benefits of PCI DSS compliance?

  • Who does PCI DSS apply to?

  • How does a company become PCI compliant?

  • What is a PCI SAQ?

  • What are the Four PCI DSS Compliance Levels?

  • What are the 12 requirements for PCI DSS?

  • What happens if a company is not PCI compliant?

  • Does PCI DSS expire?

  • What is the difference between PCI DSS and PA DSS?

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely adopted set of security requirements designed to protect transactions made with credit, debit, and prepaid cards and to shield cardholders from fraud. PCI DSS was created in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express, and since 2006 it has been administered by the Payment Card Industry Security Standards Council (PCI SSC). Being PCI DSS compliant means protecting card data in your organization by meeting the requirements the PCI SSC publishes. Enforcement, however, is not done by the PCI SSC: the payment brands and acquiring banks enforce compliance through their contracts with merchants and service providers.

What is the latest version of PCI DSS? What is new in it?

PCI DSS 4.0 is the latest version of PCI DSS. It shifts the emphasis of the standard toward security objectives and outcomes, and it is the baseline that merchants, service providers, and financial institutions are measured against when they handle cardholder data.

A lot has changed since the previous version, v3.2.1, was released in 2018. The pandemic accelerated technology adoption, and cloud platforms are now widely used to store and process cardholder data. Online transactions and the use of point-of-sale (POS) devices have increased sharply, and attackers' techniques against the payments sector have evolved with them.

The 12 core PCI DSS requirements, which remain the foundation for protecting payment card data, have not changed fundamentally in v4.0. They have been reworded to emphasize the security objective each requirement is meant to achieve, so that the objective, rather than a checklist, guides implementation.

The main objectives for PCI DSS v4.0 are as follows:

  • Continue to meet the security needs of the payments industry.

  • Add flexibility and support for additional methodologies to achieve security.

  • Promote security as a continuous process rather than an annual event.

  • Enhance validation methods and procedures.

PCI DSS 4.0 keeps the existing prescriptive route to compliance, now called the defined approach, and adds an alternative called the customized approach. Under the customized approach an entity designs its own controls to meet the stated objective of a requirement, documents them together with a targeted risk analysis, and has the assessor test them. This lets organizations tailor how they implement a requirement while still meeting its intent; it is not a way to skip requirements.

The updated standard recognizes the central role identity and access management (IAM) plays in protecting cardholder data, and its authentication requirements are aligned with NIST's digital identity guidelines (NIST SP 800-63B) for authentication and account life cycle management. As the payments industry moves to the cloud, stronger authentication for both payment-related and administrative access is required. Under PCI DSS 4.0:

  • Multi-factor authentication (MFA) is required for all access into the cardholder data environment (CDE), not only for administrators; previously it was mandatory only for non-console administrative access and for remote access from outside the network.

  • Passwords for application and system (non-interactive) accounts must be changed periodically, at a frequency set by the entity's targeted risk analysis, and whenever compromise is suspected or confirmed. Where a password is the only factor for an interactive user account, it must be changed at least every 90 days unless the account's security posture is analyzed dynamically.

  • User passwords must be at least 12 characters long (8 where a system cannot support 12) and contain both alphabetic and numeric characters; for application and system accounts the standard's guidance recommends at least 15 characters. Candidate passwords should be checked against lists of known bad or compromised passwords, in line with the NIST guidance.

  • Access rights must be reviewed at least once every six months.

  • Vendor and third-party accounts may be enabled only when needed, and must be monitored while in use.
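The length, composition, and known-bad-password rules above translate directly into an acceptance check. The following is an added example written for this article, not code from the PCI SSC or from the original page. The known-bad list is a constructed sample standing in for a real breached-password corpus, and the 15-character minimum for system accounts follows the standard's guidance rather than a hard requirement. The point a naive implementation misses is shown in canonicalize(): the blocklist comparison only works if trivial variants ("P@ssw0rd2024!") are normalized back to the blocked word first.

```python
import re
from typing import Iterable, List

MIN_LEN_USER = 12     # PCI DSS v4.0 Requirement 8.3.6 minimum for user passwords
MIN_LEN_SYSTEM = 15   # length the v4.0 guidance recommends for application/system accounts

# Constructed sample; a real deployment loads a large breached-password corpus.
KNOWN_BAD = {"password", "qwerty", "letmein", "welcome", "changeme", "admin"}

# Undo the usual digit/symbol-for-letter substitutions before a blocklist lookup.
_UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def canonicalize(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, then undo common
    substitutions, so 'P@ssw0rd2024!' compares equal to 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(_UNLEET)


def check_password(pw: str, *, system_account: bool = False,
                   blocklist: Iterable[str] = KNOWN_BAD) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    min_len = MIN_LEN_SYSTEM if system_account else MIN_LEN_USER
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeric character")
    # Compare canonical forms on both sides so blocklist entries written with
    # substitutions are handled the same way as the candidate.
    if canonicalize(pw) in {canonicalize(b) for b in blocklist}:
        problems.append("matches a known bad password")
    return problems


if __name__ == "__main__":
    for candidate, is_system in [("P@ssw0rd2024!", False), ("Summer2025", False),
                                 ("Horse-Batter-9", True), ("tr0ub4dor&3xyzQ", False)]:
        verdict = check_password(candidate, system_account=is_system) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The same normalization should be applied when the blocklist is a large corpus: store canonical forms once at load time rather than recomputing them on every check.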

PCI DSS 4.0 was written with a zero-trust mindset: firms may build their own authentication architecture to meet the data-protection requirements, and authentication methods can be scaled to match the business's transaction volume and risk profile. Separately, the PCI SSC has worked with EMVCo (founded by Europay, Mastercard, and Visa) on the PCI 3DS Core Security Standard, which covers the components that perform 3-D Secure authentication of e-commerce transactions.

The new version also takes a broader approach to protecting stored and transmitted cardholder data; for example, where PAN is hashed, a keyed cryptographic hash is required, and PAN may not be copied or relocated to unauthorized locations when remote access is used. Data discovery to find every source and location of cleartext primary account numbers (PAN) is now required more often: at least once every 12 months and after any significant change to the environment or to the processes used to handle cardholder data. The rationale is that an attacker who has planted malicious code inside the network will harvest cardholder data from wherever it sits, so an entity must know about every copy, including those that have drifted outside the documented cardholder data environment.
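The data-discovery sweep described above is, in practice, a scanner that looks for cleartext PANs in places they should not be: logs, database exports, file shares. The following is an added example written for this article, not code from the original page or the PCI SSC. It finds 13-19 digit candidates with optional space or dash separators, discards the ones that fail the Luhn check (which removes most order IDs and timestamps), and reports each hit masked to the first six and last four digits so the report itself does not become another cleartext PAN store. The sample log lines are constructed and use publicly documented test card numbers.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# 13-19 digits, optionally separated by single spaces or dashes, with no digit
# immediately before or after so we do not match the middle of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check that all
    payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows to be
    displayed to personnel without a business need to see the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str


def find_pans(lines: Iterable[str]) -> List[Finding]:
    """Scan text lines and return Luhn-valid PAN hits, masked. The full PAN is
    never stored or returned, so the findings can be shared safely."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


# Constructed sample log lines using publicly documented test card numbers.
SAMPLE_LINES = [
    "2024-05-02 10:22:31 order=8812 pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-02 10:22:35 order=8813 token=tok_9f8a7b6c5d4e3f2a amount=5.00",
    "customer_id=1234567890123456 note=sixteen digits but not a card",
    "debug: raw_request={'card': '5555-5555-5555-4444', 'exp': '12/27'}",
    "amex=378282246310005 status=approved",
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LINES):
        print(f"line {f.line_no}: cleartext PAN {f.masked_pan}")
```

Against the sample, the scanner reports lines 1, 4, and 5 and ignores line 3, which has the right length but fails Luhn. In a real sweep the same function is run over log files, database dumps, and file shares, and every hit outside the documented cardholder data environment is a scope or data-retention finding to remediate.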

PCI DSS 4.0's customized approach gives businesses more options. Instead of following the defined procedure for a requirement, or building a compensating control around a requirement they cannot meet as written, organizations can focus on selecting and implementing a control that meets the requirement's stated objective. A customized control still has to be documented, risk-assessed, and tested by the assessor; it is an alternative route to compliance, not an exemption. The underlying idea, consistent with zero trust, is to protect cardholder data and online payments with effective IAM and MFA combined with encryption.

What are the Benefits of PCI DSS Compliance?

PCI DSS compliance is about more than being allowed to accept certain card brands. Meeting its requirements helps you in several ways. Let's examine four advantages of PCI DSS compliance:

  • Reduce data breaches: Lowering the risk of a security incident is the most obvious benefit of PCI DSS compliance and the reason its controls exist. By implementing its requirements (network security controls, encryption of stored and transmitted card data, an information security program, and so on), organizations close the most common weaknesses attackers exploit.

  • Build customer trust: Better information security improves your relationship with customers and other stakeholders. As the public increasingly accepts that any organization can be attacked, people expect businesses to recognize and manage the risk. A company that can show it takes information security seriously, which PCI DSS compliance demonstrates, will be trusted more. This does not assume the organization never suffers a breach: a company that is attacked and responds properly, in particular by following PCI DSS Requirement 12 and the incident response plan it mandates, can even come out with its reputation enhanced.

  • Avoid fines and penalties: The card brands impose non-compliance fines on the acquiring bank, which usually passes them on to the merchant. Unlike a GDPR (General Data Protection Regulation) fine, PCI DSS penalties are typically levied monthly until the organization achieves compliance, so they either add up quickly or push the organization to remediate fast. Either way the process is expensive, and it may not be your only problem: because the two frameworks' requirements overlap (cardholder data is personal data), a PCI DSS failure can also be a GDPR failure, and the GDPR lets regulators fine up to 20 million euros or 4% of global annual turnover, whichever is higher.

  • Meet international data security expectations: PCI DSS compliance demonstrates that your security practices meet an internationally recognized standard. By meeting requirements developed by five of the world's largest payment card brands, you join other reputable, global merchants.

Who Does PCI DSS Apply to?

PCI DSS applies to any business that processes, receives, transmits, or stores payment card information, regardless of its size, its transaction volume, or whether its systems are hosted on premises or in the cloud.

Merchants, issuers, acquirers, service providers, and processors, in short any organization involved in card payment processing, must comply with PCI DSS. Whether or not you store card data, PCI DSS applies to you if you accept debit, prepaid, or credit cards online, over the phone, or in person.

Organizations that collect sensitive authentication data (SAD), such as card verification codes and full track data, are also within its scope; SAD must never be stored after authorization.

If you outsource payment processing to third-party service providers to reduce your risk exposure, you remain responsible: you must still make sure card payments are secure and that your providers are themselves PCI DSS compliant, which in practice means obtaining and reviewing their Attestation of Compliance.

How Does a Company Become PCI Compliant?

Because a PCI DSS assessment is a point-in-time examination, organizations are usually urged to start with a gap assessment that finds where their controls fall short of PCI DSS. Once the gaps are known, the company has to put the required controls in place before the formal assessment. Since remediation time varies widely, firms are often advised to plan for a six-to-nine-month compliance journey before they have a Report on Compliance (ROC) in hand.

In general, an independent PCI DSS assessment that culminates in a ROC and an Attestation of Compliance (AOC) costs between $35,000 and $55,000, depending on the size and complexity of the entity's environment.

In order to make sure your business is PCI compliant, follow these steps:

  1. Determine your PCI level: Count the card transactions you process annually and compare that number to the merchant level thresholds published by each card brand you intend to accept.

  2. Chart the flow of cardholder data: Map how cardholder data moves through your organization, including every system, person, and application that touches it. All payment platforms and any card data storage must be included. IT staff typically help with this, and the result defines the scope of your cardholder data environment.

  3. Complete the Self-Assessment Questionnaire (SAQ): The questionnaire evaluates whether your company meets each of the 12 requirements (grouped into six goals) listed later in this article. Each requirement is divided into sub-requirements, and all applicable ones must be met for your company to be compliant. If your company is a Level 1 merchant, a Qualified Security Assessor (QSA) approved by the PCI SSC verifies your compliance on site and produces a ROC instead.

  4. Complete the Attestation of Compliance (AOC): The AOC form varies by SAQ type and compliance level. By signing it, an officer of your company attests that you meet all applicable PCI DSS requirements.

  5. Engage an Approved Scanning Vendor (ASV): Engage an Approved Scanning Vendor (ASV) to run external vulnerability scans against your Internet-facing systems and confirm they are free of the flaws the scans look for. Whether your SAQ type requires an ASV scan depends on how you accept cards; where it is required, PCI DSS calls for a passing scan at least every three months.

  6. Produce documentation: Your acquirer, payment processor, or card brand may ask you to provide documentation such as the AOC, the SAQ, and ASV scan reports.

  7. Monitor: Your operations, infrastructure, and stored data change between scans, so compliance must be maintained and checked continuously throughout the year. A security team should be responsible for monitoring for threats and vulnerabilities and responding to them.

What is a PCI SAQ?

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers that are permitted to assess their own compliance with the standard rather than undergo an on-site assessment. Completing the self-assessment helps them protect cardholder data and find weaknesses before they lead to a breach. Merchants should contact their acquiring bank or payment provider to confirm which SAQ type applies to them. The eight SAQ types are:

  • SAQ A: Merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers and do not electronically store, process, or transmit cardholder data on their own systems or premises. SAQ A applies only to card-not-present (e-commerce or mail/telephone order) merchants, not to face-to-face channels.
  • SAQ A-EP: E-commerce merchants that outsource all payment processing to a PCI DSS validated third party, whose website does not itself receive cardholder data, but whose website affects the security of the payment transaction (for example, it controls how the customer's browser is redirected or posts card data directly to the processor).
  • SAQ B: Merchants that use only imprint machines or standalone dial-out terminals, store no cardholder data electronically, and have no e-commerce channel. An imprint machine presses the card's raised numbers and letters onto a multi-page carbon receipt to capture the card details.
  • SAQ B-IP: Merchants that use only standalone, PTS-approved payment terminals (point-of-interaction devices) with an IP connection to the payment processor, store no cardholder data electronically, and have no e-commerce channel. A Verifone VX520 is an example of a PTS-approved terminal.
  • SAQ C: Merchants whose payment application systems are connected to the Internet but do not store cardholder data electronically, and who have no e-commerce channel. The PCI SSC maintains lists of validated payment software (formerly under PA-DSS, now under the Software Security Framework) that meets its requirements for secure card processing.
  • SAQ C-VT: Merchants that manually key in one transaction at a time into an Internet-based virtual terminal solution provided by a PCI DSS validated service provider, with no electronic cardholder data storage. SAQ C-VT does not apply if the merchant has an e-commerce channel.
  • SAQ P2PE (formerly P2PE-HW): Merchants that process cardholder data only through hardware payment terminals that are part of a PCI SSC listed, validated point-to-point encryption (P2PE) solution, with no electronic cardholder data storage. Because it is an on-premises hardware solution, it does not apply to e-commerce.
  • SAQ D: Merchants and service providers that are eligible to self-assess but do not fit any of the SAQs above (A through P2PE). There are separate SAQ D forms for merchants and for service providers, and both cover all PCI DSS requirements.

The main purpose of completing a SAQ is to obtain an Attestation of Compliance (AOC). The attestation records that, by the entity's own assessment, cardholder data is not put at risk by its electronic systems or by any data retention; it is a self-declaration, not a certification issued by the PCI SSC. Many SAQ types depend on a PCI DSS validated service provider handling the transaction, which may in turn retain the data for various purposes. In effect, businesses eligible for self-assessment are outsourcing much of the risk of accepting, transmitting, and processing card transactions.

What are the Four PCI DSS Compliance Levels?

PCI DSS applies to every organization that receives, transmits, or stores card data, regardless of size. Merchants are grouped into four compliance levels based on the number of Visa transactions they process in a year (the other brands use similar thresholds):

  1. Merchant Level 1: Any merchant processing more than six million Visa transactions a year across all channels, and any merchant that Visa determines should meet Level 1 requirements to minimize risk to the Visa system. Level 1 merchants must validate with an annual on-site assessment resulting in a ROC, plus quarterly ASV scans.

  2. Merchant Level 2: Any merchant processing one million to six million Visa transactions a year across all channels.

  3. Merchant Level 3: Any merchant processing 20,000 to one million Visa e-commerce transactions a year.

  4. Merchant Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions a year, and all other merchants processing up to one million Visa transactions a year across all channels.

Every merchant is placed in one of the four levels based on the number of Visa transactions it processed over 12 months. Transaction volume is the total of all Visa transactions (credit, debit, and prepaid) processed under a merchant's Doing Business As (DBA) name. When a merchant organization has more than one DBA, Visa acquirers must count the total number of transactions stored, processed, or transmitted by the corporate entity when determining the validation level. If the data is not aggregated, meaning the corporate entity does not store, process, or transmit cardholder data on behalf of multiple DBAs, acquirers continue to base the validation level on each DBA's individual transaction volume.

Figure 1. PCI DSS Compliance Levels

What are the 12 Requirements for PCI DSS?

The operational and technical requirements published by the PCI SSC all serve one goal: protecting cardholder data. The 12 PCI DSS requirements, in their v4.0 wording (with the pre-4.0 wording in parentheses where it differs), are grouped under six goals:

Build and maintain a secure network and systems

  1. Install and maintain network security controls (formerly: install and maintain a firewall configuration to protect cardholder data).

  2. Apply secure configurations to all system components (formerly: do not use vendor-supplied defaults for system passwords and other security parameters).

Protect account data

  3. Protect stored account data.

  4. Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program

  5. Protect all systems and networks from malicious software (formerly: use and regularly update anti-virus software).

  6. Develop and maintain secure systems and software.

Implement strong access control measures

  7. Restrict access to system components and cardholder data by business need to know.

  8. Identify users and authenticate access to system components (formerly: assign a unique ID to each person with computer access).

  9. Restrict physical access to cardholder data.

Regularly monitor and test networks

  10. Log and monitor all access to system components and cardholder data.

  11. Test the security of systems and networks regularly.

Maintain an information security policy

  12. Support information security with organizational policies and programs (formerly: maintain a policy that addresses information security for all personnel).

What happens if a company is not PCI compliant?

PCI DSS is a standard, not a law. It is not mandated by national governments but by the contracts between merchants, acquiring banks, and payment brands. If you are not PCI compliant, your company may face the following six consequences:

  • Fines for non-compliance: Non-compliance fines can run into hundreds of thousands of dollars. Your acquirer may also terminate your merchant agreement, at which point your company can no longer accept card payments.
  • Customer data exposed to fraud: Attackers target weakly protected systems, and both financial and personal data are easily stolen from them. Card numbers, security codes, names, dates of birth, and other personal details are prime targets, and fraudsters use them for card fraud, identity theft, and other crimes.
  • Common Point of Purchase (CPP) notice: If the card brands' fraud analysis identifies your business as the common point of purchase for a set of compromised cards, you receive a CPP notification. You then have 10 days to address the security problems or risk further fines. A PCI Forensic Investigator (PFI) is engaged to determine how the breach happened and what data was exposed; remediating the findings and re-establishing compliance is then your responsibility.
  • Expensive investigation costs: A forensic investigation is costly, and if it finds evidence of non-compliance, you pay for it.
  • Card scheme fines: After a data breach, the card schemes may impose fines that can reach a hundred thousand dollars or more. These are levied on the acquirer and typically passed on to the merchant. Non-compliant firms have shut down because their owners could not pay them.
  • Reputation damage: Customers lose trust in a non-compliant company, and after a breach many will stop doing business with you.

Does PCI DSS Expire?

The PCI DSS document itself does not set a fixed audit schedule for every firm, but in practice every entity must validate compliance once a year. That annual validation is done either with a Self-Assessment Questionnaire (SAQ) or by an independent Qualified Security Assessor (QSA) producing a Report on Compliance.

How often validation is required, and in what form, is determined by the acquiring bank or payment brand the business is registered with, not by the PCI DSS document. American Express, for instance, has its own program rules that differ from those of Visa or Mastercard.

The payment brands also require organizations to run regular vulnerability scans of their card-processing network. PCI DSS Requirement 11 itself calls for internal vulnerability scans and external scans by an Approved Scanning Vendor at least once every three months and after any significant change; any vulnerabilities found must be fixed and the scan repeated until it passes.

Any scan or reporting obligations beyond the standard's quarterly baseline are set by the brand or acquirer with which the business is registered.

What is the Difference Between PCI DSS and PA DSS?

With more customers buying online, every business needs to make sure that each transaction, and the payment application that handles it, is secure and meets PCI SSC requirements.

Two PCI SSC standards address this: the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS). PCI DSS governs how organizations handle cardholder data, while PA DSS ensured that commercial payment applications were developed and implemented according to specific PCI security requirements. PA DSS was retired at the end of October 2022 and replaced by the PCI Software Security Framework (SSF), whose Secure Software Standard and Secure Software Lifecycle Standard now fill the same role.

To understand how PA DSS and PCI DSS differ, keep the following in mind:

  • PCI DSS applies to every organization that stores, processes, or transmits cardholder data, and to any organization that could affect the security of cardholder data.

  • PA DSS (and now the SSF) applies only to software vendors and others who develop payment applications that are sold, distributed, or licensed to third parties.