37 Basic Things You Should Know About PCI Compliance
If you're new to PCI Compliance or have just started a business or organization that accepts payment or donations online, you are probably wondering what PCI Compliance is, why it exists, if you need to deal with it, and what the best way of handling your web security is. While you may at some point need or want to read the full PCI security standards document (which is over 100 pages long), this brief guide should give you most of the information you need to get started with the process, especially if you are going to outsource your security to a third-party web security company.
What PCI Compliance Is and Why You Should Maintain It
- The PCI acronym stands for Payment Card Industry and the purpose for PCI data security standards (or PCI DSS) is to prevent data breaches and respond appropriately if a security breach does occur.
- The PCI standards are developed and managed by the PCI Security Standards Council, and can be found online here:
- If you accept online payment or donations, you are required to maintain PCI compliance.
- If you don’t maintain PCI compliance, fines will be levied by the payment card vendors (Visa, American Express, etc.). The PCI Security Standards Council just maintains the standards and provides guidance in implementing them—they are enforced by the payment card companies and federal agencies.
- If you accept card payments or donations, there is nothing more important for your business or organization than paying extremely scrupulous attention to your web security and maintaining PCI compliance.
- Depending on your type of business, there are two types of data you might need to protect: cardholder data (including primary account number, cardholder name, expiration date, and service code) and sensitive authentication data (including full track data on a magnetic stripe or chip, card verification codes and values, and PINs or PIN blocks).
- You can store cardholder data, but the primary account number must be stored in an unreadable encrypted form to protect the cardholder in the event of a data breach.
- You cannot store sensitive authentication data, even if it’s encrypted.
- Payment applications (not just processed payments) must also be protected by the same kind of standards, but PA DSS compliance does not necessarily mean a business is also PCI DSS compliant.
- The PCI DSS compliance standards apply to all "people, processes, and technologies" in the Cardholder Data Environment (CDE) that "store, process or transmit cardholder data or sensitive authentication data."
The PCI Data Security Standards
You should also be familiar with the PCI standards themselves, even though you may not be running web security and vulnerability scans yourself. There are 12 PCI standards:
- You need to install and maintain a firewall configuration in order to protect cardholder data.
- You cannot use vendor-supplied passwords or other vendor-supplied security settings, which are widely known and easily used by attackers to steal information.
- You must protect stored cardholder data, which you can do using methods like encryption, truncation, masking, and hashing.
- You must encrypt transmission of cardholder data across open, public networks, which might be easily accessed by malicious individuals.
- You must protect all systems against malware by regularly updating your antivirus software.
- You need to develop and maintain secure systems and applications, including appropriate patches to your antivirus software as they are developed.
- You must restrict employee access to cardholder data on a need-to-know basis, by setting up security so that access is restricted based on need and job responsibility.
- You should authenticate and identify access to system components by assigning a unique ID to each person who has access, so that individuals are uniquely held accountable for their actions.
- Restrict physical access (not just electronic access) to cardholder data, including access of full and part-time employees as well as visitors.
- Track and monitor all access to network resources and cardholder data. This will make it harder for malicious individuals to access the data, and should there be a data breach, you will have an easier time figuring out who was to blame.
- You must regularly test security systems and processes. This demonstrates that your systems are keeping up with the ever-changing web security environment.
- You should develop and maintain a strong security policy that informs personnel of exactly what is expected of them with regards to any sensitive information that is collected, stored, or transmitted.
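Standard 3 and the storage rules above (the PAN stored only in unreadable form, sensitive authentication data never stored) are the ones most often got wrong in code. The following is an added example, not code from the original article or from any vendor it names, showing masking, truncation and keyed hashing of a PAN and a pre-write guard that strips sensitive authentication data; the field names, the placeholder key and the sample authorisation message are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
# Placeholder key for the keyed PAN hash (assumption for this example). In production
# the key lives in an HSM or key-management service, never beside the stored records.
HASH_KEY = os.urandom(32)

# Sensitive authentication data (SAD) may never be retained after authorisation, even
# encrypted. The field names are assumed for this example, not a PCI-defined list.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d

def mask_pan(pan: str) -> str:
    """Masking for display: at most the first six and last four digits are visible."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits, the rest is discarded."""
    return _digits(pan)[-4:]

def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) so a PAN can be matched later without storing it; an unkeyed hash would be brute-forceable because PANs have very little entropy."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def to_storage_record(auth: dict, key: bytes = HASH_KEY) -> dict:
    """Derive the only form of an authorisation message that may be written to disk: SAD fields and the clear PAN are dropped, masked and keyed-hash forms are kept."""
    record = {k: v for k, v in auth.items() if k not in SAD_FIELDS and k != "pan"}
    record["pan_masked"] = mask_pan(auth["pan"])
    record["pan_hash"] = hash_pan(auth["pan"], key)
    return record

def holds_no_sad(record: dict) -> bool:
    """Pre-write guard: False if a SAD field is present or any value looks like a full PAN."""
    if SAD_FIELDS & set(record):
        return False
    return not any(13 <= len(re.sub(r"\D", "", str(v))) <= 19 for v in record.values())

# Constructed sample authorisation message (well-known test PAN, not real card data).
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111", "cardholder_name": "A. Example", "expiry": "12/27",
    "service_code": "201", "cvv2": "123", "track2": "4111111111111111=2712101123456789",
}
```

Run `holds_no_sad` on every record before it reaches a database, log line or backup; the raw message fails the guard and only the output of `to_storage_record` passes it.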
The First Step in Achieving PCI Compliance: Determining Your Scope
- The first thing you need to do to be PCI compliant is to determine the scope of your review. This should be done at least once a year. You will need to identify and document every location where cardholder data exists, so that no cardholder data is lingering unidentified outside the CDE.
- After you’ve identified all the cardholder data, make sure that the scope is appropriate for the data you have and need to protect. You can do this using an inventory of data locations.
- Then consider all data found to be in the PCI scope and within the CDE. If there is relevant data outside the CDE, make sure it is either securely deleted, or incorporate it into the CDE.
- You need to keep documentation of how PCI compliance scope was determined. This will be a good reference for next year’s annual PCI compliance scope review.
- PCI security standards do not require network segmentation (separating the systems that process cardholder data from the other parts of your network), but this practice is strongly encouraged because it reduces the scope and cost of PCI DSS compliance analysis.
- If you use a third party for hosting, storing, processing, or transmitting cardholder data, part of your PCI scope review should include determining which data locations are the responsibility of the third party to scan and which locations fall under your responsibility.
The Second Step: Your Part in Implementing the PCI Standards
- Some parts of PCI Compliance, like limiting physical access to cardholder data, can only be handled by your company or organization and must be done on your business site.
- Many of the other components of PCI Compliance you can handle yourself if you want to, but you don’t have to. If you are familiar with web security best practices, it may make sense for you to handle your web security yourself. However, if you’re not very familiar with web security, it may be the best business option for you to focus on the production and marketing of whatever your business is, and leave the web security nuts-and-bolts to the experts.
- If you are going to attempt to address web security issues yourself, you should be sure to download and read the full length PCI DSS document here, so you know exactly what is expected of you and whether or not you are capable of the task: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
- You should remember that the PCI Data Security Standards are more about security than compliance, and that just because you are compliant does not mean you are necessarily as secure as you should be. PCI Compliance is a minimum requirement and a jumping off point, not an end goal.
- It is important to remember that any web security features you handle yourself should be incorporated into your Business-as-Usual practices rather than conducted periodically. This means that you should be continuously monitoring your security controls (like firewalls), addressing any security failures immediately, and reviewing changes to the security environment and organizational structure on a regular basis.
The Final Step: Third-Party Outsourcing for PCI Compliance
- Some parts of PCI Compliance, especially scanning your security systems for vulnerabilities, can be (and are often most easily) handled by a third-party web security company.
- Vulnerability scanning must be done at least quarterly to maintain PCI Compliance, but should be done weekly or daily if you are regularly and frequently accepting payments or donations online. Even if your company doesn’t yet have the volume to make paying for daily scanning practical, choosing to do weekly scanning rather than quarterly scanning will increase customer trust in your company and boost your sales.
- Web security companies, like Trust-Guard, will run your scans for you on the schedule you determine, inform you immediately of any security failures and help you to correct those failures, and will provide a seal customized to your website that shows the date of your last security scan and makes it easy for your customers to see that you are keeping their information secure.
- Final bonus: having a third-party vulnerability scanner provide a trust seal to your website will also increase the trust customers have in your company. This will ultimately boost your conversion rates and increase your sales!