What does PCI-DSS stand for? If you've been involved with e-commerce or have accepted credit card payments, you’ve probably heard of Payment Card Industry Data Security Standards, or PCI-DSS. Major credit card providers have adopted these standards to ensure that cardholder information remains secure during every transaction. This includes Visa, Mastercard, American Express, Discover and JCB.
What are those standards? How do you make sure your site and payments system is in compliance? Here, we’ll go over every step and help you protect your customers.
What is PCI-DSS compliance?
PCI-DSS includes several best practices, including 12 specific requirements, outlined by the PCI Security Standards Council. It is a fundamental part of all merchant’s security protocol and is viewed as a requirement to take electronic payments.
The standards require merchants to:
- Maintain a secure network
- Protect customer data
- Test and patch vulnerabilities
- Restrict access
- Regularly test networks
- Document all policies and procedures
What is required to be PCI-DSS Compliant? A checklist of what’s needed:
The PCI Security Standards Council has 12 requirements that must be met to be in compliance.
1. Use and maintain firewalls
The first step in defending against hackers and preventing unauthorized access.
2. Proper password protections
Passwords for all systems and devices (including routers, point of sale systems and modems) should be kept in a secure location and regularly changed.
3. Protect cardholder data
All card data must be encrypted with encryption keys and should be scanned regularly for any unencrypted data.
4. Encrypt transmitted data
Any cardholder data sent across any channel, like a payment processor, must be encrypted.
5. Use and maintain anti-virus
Anti-virus software must be installed on all devices that touch customer data and should be regularly updated.
6. Properly update software
Third-party software should regularly be updated, including operating systems, firewalls and anti-virus programs.
7. Restrict data access
Access to customer data should be extremely limited and employees or third parties that do have access must be documented.
8. Unique IDs for access
Anyone with access to customer data must have a unique login that only they use.
9. Restrict physical access
All data - be it physical or digital - must be kept in a secure location.
10. Maintain access logs
Anyone accessing sensitive information must be documented. These logs must be maintained daily.
11. Scan and test for vulnerabilities
Merchants must self-test themselves and actively look for flaws in their systems. These could be hardware, software or process issues.
12. Document policies
An inventory of all equipment, software, employee access and procedures should be documented. There are also levels of compliance dependent on the volume of transactions processed annually.
What are the PCI-DSS compliance levels? What’s the difference?
There are four levels of compliance. Transactions are considered for all regions and any breach may push a merchant to a higher level.
Level 1 PCI-DSS Compliance
The highest level is reserved for merchants processing over 6 million transactions annually via e-commerce. It has the strictest requirements:
- An Annual Report on Compliance (ROC) performed by a third-party Qualified Security Assessor (QSA)
- A quarterly scan of your network by a third-party Approved Scanning Vendor (ASV)
- Perform a penetration test, internal scan and complete an Attestation of Compliance form
Level 2 PCI-DSS Compliance
Level 2 includes merchants that process between 1 and 6 million transactions annually. Compliance requirements include:
- Completion of a Self-Assessment Questionnaire (SAQ), preferably by a certified Internal Security Assessor
- An on-site assessment by a third-party QSA
- A quarterly scan of your network by a third-party ASV
- Complete an Attestation of Compliance form
- A penetration test or internal scan may also be required
Level 3 PCI-DSS Compliance
Level 3 includes merchants that process between 20,000 and 1 million transactions annually. Compliance requirements include:
- Completion of a SAQ
- A quarterly scan of your network by a third-party ASV
- Complete an Attestation of Compliance form
- A penetration test or internal scan may also be required
Level 4 PCI-DSS Compliance
Level 4 includes merchants that process under 20,000 transactions annually. Compliance requirements include:
- Completion of a SAQ
- A quarterly scan of your network by a third-party ASV
- Complete an Attestation of Compliance form
Importance of PCI-DSS compliance
Compliance may feel like a large hill to climb. You wouldn’t necessarily be wrong. However, with the right tools, being compliant can be a breeze. Failure to be in compliance could be disastrous to your customers and your company. By following these best practices, you’re ensuring that you’re doing right by both.