PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards.
There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things:
1. All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed).
2. Merchants cannot store certain credit card information, including CVV2, CVC2 and CID codes (the three- or four-digit numbers), track data from the magnetic stripe, or PIN data.
3. If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
A number of recent high-profile breaches have raised awareness of the risks associated with PCI compliance.
The motivation to become compliant
The major credit card companies have provided both carrots and sticks to compel merchants to become and remain compliant. The incentives include 'safe harbor' from certain penalties and fines if a merchant is compliant at the time of a breach.
Without compliance, if a merchant is breached and credit card information is stolen, PCI-related fines can be as high as $500,000 per incident, depending on the size of the breach. In severe cases merchants can even be given the 'death penalty,' preventing them from accepting credit cards. In total, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 per record (see graph below).
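As an added illustration of the storage rule above (this code is not from the page or from the PCI Security Standards Council; the field names, the log lines and the hash key are constructed for the example), the following Python sketch drops sensitive authentication data before a transaction record is persisted, keeps only a masked PAN plus a keyed hash of it, and scans application log lines for unmasked card numbers or raw track data that slipped through:

```python
"""Added example: what a merchant may persist after authorization, and how to
catch unmasked card data that leaks into logs. Field names, log lines and the
hash key below are constructed for this illustration, not taken from PCI DSS."""
import hashlib
import hmac
import re

# Sensitive authentication data: must never be stored after authorization.
# The key names are assumptions about an imaginary transaction dict.
FORBIDDEN_FIELDS = ("cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block")

# Placeholder key for the keyed PAN hash. In a real system it would come from a
# key-management service or HSM and be rotated; hard-coding is only for the demo.
PAN_HASH_KEY = b"demo-only-key-not-for-production"

# A run of 13-19 digits not embedded in a longer digit string, and the
# track-2 layout ";PAN=YYMM..." that a magnetic-stripe reader emits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the usual display masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(txn: dict) -> tuple:
    """Build the record that may be written to disk.

    Returns (record, dropped): `dropped` lists forbidden fields that were present,
    so the pipeline can alert on the upstream code that passed them along.
    """
    dropped = [f for f in FORBIDDEN_FIELDS if txn.get(f)]
    pan = re.sub(r"\D", "", txn.get("pan", ""))
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed length/Luhn validation")
    record = {
        "cardholder_name": txn.get("name"),
        "expiry": txn.get("expiry"),
        "pan_masked": mask_pan(pan),
        # Keyed hash lets the merchant recognise repeat cards without keeping the PAN.
        "pan_hmac": hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest(),
    }
    return record, dropped


def scan_log_lines(lines) -> list:
    """Flag log lines that contain a Luhn-valid PAN or raw track-2 data."""
    findings = []
    for i, line in enumerate(lines):
        reasons = []
        if TRACK2_RE.search(line):
            reasons.append("track2")
        if any(luhn_ok(m) for m in PAN_RE.findall(line)):
            reasons.append("pan")
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample input: 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_TXN = {
    "name": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/30",
    "cvv2": "123",  # present during authorization; must not be persisted
}
SAMPLE_LOG = [
    "2008-02-14 10:02:11 INFO auth ok order=1001 pan=411111******1111",
    "2008-02-14 10:02:12 DEBUG raw request pan=4111111111111111 cvv2=123",
    "2008-02-14 10:02:13 DEBUG swipe ;4111111111111111=08121011234567890?",
    "2008-02-14 10:02:14 INFO auth ok order=1002 ref=1234567890123",
]

if __name__ == "__main__":
    record, dropped = sanitize_for_storage(SAMPLE_TXN)
    print("stored:", record)
    print("dropped before storage:", dropped)
    print("log findings:", scan_log_lines(SAMPLE_LOG))
```

The Luhn check keeps the log scanner from flagging every long order or reference number, and the scanner reports a separate reason for track data because its presence means a stripe reader's raw output reached the application log, which is a different upstream fix from a PAN being logged in clear text.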
The Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who created it?
Visa and MasterCard originally developed it; in September 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.
Why was it created?
It was created in response to a spike in data security breaches over the last few years. Many businesses, both small and large, have been breached, including TJX, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.
Who's at risk?
Any business that processes, transmits, or stores credit card information. While publicity about security breaches has recently focused on larger companies, Visa reports that the majority of breaches occur at small businesses.
What are the 12 mandated security requirements?
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
What credit card information can and cannot be stored?
How much does it cost to become compliant?
It depends on business type, credit card processing and storage practices, and the existing IT environment. Read here for a more complete overview.
What do merchants have at risk if credit card information is breached?
- Fines of up to $500,000 per incident.
- Remediation costs estimated at $90 to $302 per record.
- Potential customer lawsuits.
- Damage to company reputation and brand.
Are there different requirements for large and small businesses?
Yes. Merchants belong to one of four levels, determined by annual transaction volume. The volume is counted per card brand, using the highest annual count for any single card type; e.g. a merchant doing 5,000,000 Visa and 2,000,000 MasterCard transactions annually would qualify as Level 2, even though the two together total 7,000,000.
Definitions from above:
On-Site Security Audit
The audit must be completed by Level 1 merchants. Merchants can choose to complete the audit internally or hire an outside Qualified Security Assessor to complete the Report on Compliance (ROC). See: PCI Security Audit Procedures & Reporting.
Self-Assessment Questionnaire (SAQ)
Initially the Council had a one-size-fits-all SAQ, but it proved too challenging and complicated for the different types and sizes of merchants. In February 2008, four versions of the SAQ were released in an attempt to better accommodate merchant profiles. Here is a summary:
- SAQ A: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.
- SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.
- SAQ C: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.
- SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.
Network Vulnerability Scans
The PCI standard requires merchants to scan all outward-facing IP addresses. These addresses are reachable from the Internet rather than shielded by the firewall, so any open port on them is exposed to attack. The SAQ identifies and mitigates risk from the inside (behind the firewall), while the IP scans identify and mitigate risk from the outside.
Validation Dates
The card associations have set specific dates for validation. Level 1 merchants were required to validate compliance by 9/30/2007, Level 2 by 12/31/07, and the Level 3 and 4 deadlines are processor/acquirer specific.
How to Get Started
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area.
2. Determine your merchant level (1-4).
3. Determine which SAQ your organization will need to complete.
4. Evaluate whether your organization will try to achieve compliance internally or engage with a Qualified Security Assessor (QSA).
5. Engage with an Approved Scanning Vendor (ASV) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced.
7. Immediately address any significant deficiencies discovered during the assessment or scan.
8. Retain records of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.
What should you do if breached?
In the event of a security incident, merchants must take immediate action to:
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
2. Alert all necessary parties. Be sure to notify:
- Merchant Account Provider
- Visa Fraud Control Group at (650) 432-2978
- Local FBI Office
- U.S. Secret Service (if Visa payment data is compromised)
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report.
Here is a step-by-step guide from Visa: What To Do If Compromised.
Additional resources: RSPA, a non-profit organization, produced a 12-minute video aimed at educating smaller restaurant and retail merchants about the risks associated with PCI compliance.