PCI DSS stands for Payment Card Industry Data Security Standard. This standard is set forth by the PCI Security Standards Council, an organization founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc.
The PCI DSS sets security rules for any business that accepts their cards, with the goal of protecting customer credit and debit card data. Any business that accepts any non-cash payments needs to meet the PCI standards.
In this guide, we’ll walk you through the basics of PCI security standards and why they’re important, define PCI DSS, and lay out who needs to comply with PCI security standards.
What is PCI security?
PCI security refers to the requirements set forth by the PCI Security Standards Council for organizations that accept or process payment transactions, as well as for the software developers and device manufacturers who build the mechanisms behind those transactions.
There are three PCI security standards:
- PCI Data Security Standard: The PCI DSS is the most well-known security standard, applying to all businesses that store, process and/or transmit cardholder data.
- PIN Transaction Security Requirements: The PCI PTS requirement applies to manufacturers that specify and implement device characteristics and management for PIN entry terminals used in card financial transactions.
- Payment Application Data Security Standard: The PA-DSS is for software developers and integrators of applications that store, process or transmit cardholder data; it governs any applications that are sold, distributed or licensed to third parties.
Most businesses, including software vendors and manufacturers, must comply with PCI DSS, the most common PCI security standard. PCI PTS and PA-DSS are more niche technical requirements specific to those businesses that make card machines or payment-processing apps, such as Venmo or Zelle. So, when we talk about PCI compliance, we’re usually referring to PCI DSS.
PCI Security Standards are enforced by the card companies that established the council, namely American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Fines for not adhering to the PCI Security Standard applicable to your company can be steep. PCI DSS fines, for instance, can range from $5,000 to $100,000 per month.
Deep dive: PCI DSS security standards
PCI DSS can be a little complicated at first glance. Merchants fall into one of four levels, and the 12 requirements are validated with differing degrees of stringency depending on which level your business falls into.
The first step in PCI DSS compliance is to understand which merchant category your business falls in. All merchants fall into one of these four levels based on the volume of Visa transactions that the business processes over a 12-month period (including credit, debit, and prepaid sales).
- Level 1: Merchants who process more than 6 million Visa transactions per year.
- Level 2: Merchants who process 1 – 6 million Visa transactions per year.
- Level 3: Merchants who process 20,000 – 1 million Visa transactions per year.
- Level 4: Merchants who process fewer than 20,000 Visa transactions per year.
Once you’ve verified which level your business falls under, it must meet the 12 security requirements set forth by the PCI Council. The 12 major requirements are, according to Investopedia:
- Implement firewalls to protect data
- Add appropriate password protection
- Protect cardholder data
- Encrypt transmitted cardholder data
- Utilize antivirus software
- Update software and maintain security systems
- Restrict access to cardholder data
- Assign unique IDs to those with access to data
- Restrict physical access to data
- Create and monitor access logs
- Test security systems on a regular basis
- Create a policy that is documented and that can be followed
Meeting these requirements is necessary to become certified as PCI DSS compliant. “Merchants and service providers can demonstrate their compliance with the PCI DSS by completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard,” wrote IT Governance.
How to meet PCI data security standards
The steps for meeting PCI data security standards are relatively prescriptive. The standards involve a combination of IAM best practices, device security, encryption and security controls, such as cloud DLP and firewalls.
The requirements start with hardware before moving on to other security strategies. For instance, PCI DSS requires that merchants only use approved PIN entry devices at the point of sale. Merchants should configure wireless routers to be password protected and encrypted, and should check PIN entry devices regularly to make sure no malware or skimming software is stealing cardholder data. No cardholder data should be stored on computers or on paper where anyone could access it.
Merchants should also deploy firewalls and data loss protection to help reduce the risk of unauthorized access. Beyond basic security measures like encryption, firewalls and user access management, consider implementing a cloud data loss prevention tool like Nightfall.
Nightfall can help you first discover and classify sensitive customer data such as PII, PHI and cardholder data that must be protected. Nightfall uses machine learning detectors individually trained to identify cardholder data that is protected under PCI DSS. The platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data.
Finally, IAM best practices involve using strong passwords, changing them regularly, and making sure all employees are trained to reduce the risk of exposing data. It’s helpful to provide training throughout the year to help keep everyone on track.
Learn how Nightfall can help achieve PCI DSS compliance by setting up a demo at the link below.