PCI DSS Compliance: A Guide

The Payment Card Industry Data Security Standard (PCI DSS) is a set of payment security protocols provided by the Payment Card Industry Security Standards Council (PCI SSC), a consortium of payment providers that includes MasterCard, Visa, American Express, Discover Financial Services, and JCB International. 

Originally launched in 2004, the latest iteration of the framework — PCI DSS 4.0 — defines a global standard that offers a baseline of operational and technical requirements businesses must comply with to protect sensitive payment data. Failure to achieve PCI compliance can result in fines and penalties, including potentially losing the ability to process credit card payments altogether.

PCI DSS remains the primary method for protecting payment card transaction data from fraud and theft. Almost two decades after the initial introduction of PCI DSS, fraud continues to ravage global markets. This is largely the result of the rise in e-commerce and the massive profitability of cyber crime. Worldwide fraud losses increased by 14% in 2021, and the global payment card industry is on pace to lose nearly $400 billion over the next decade due to fraudulent activity.

As payment card fraud continues to accelerate, businesses must remain vigilant about safeguarding sensitive consumer information. According to a recent McKinsey study, more than 10% of credit and debit card users experienced fraud over a 12-month period. 

PCI compliance is mandatory for any business that accepts, processes, or transmits credit card or debit card payments. The standard applies to all organizations regardless of size, annual revenue, industry, or location.

In other words, it doesn’t matter whether an organization operates out of Chicago, Paris, or Tokyo. If the company collects credit card data or accepts payments via credit card, it needs to follow PCI DSS standards. Otherwise, the organization risks falling out of compliance — and potentially incurring serious penalties because of it. 

After achieving compliance, the work isn’t done; businesses need to take additional measures to validate compliance each year. However, some payment providers, like MasterCard, now offer a PCI DSS validation exemption program to eligible merchants that use secure technologies. While this doesn’t lift PCI DSS requirements, it does eliminate the need to go through the annual validation process.

Achieving and maintaining PCI DSS compliance takes time, effort, and commitment. Requirements also vary across different payment card providers, which can be confusing for business leaders who need to keep track of an ever-growing list of regulatory procedures. 

Business leaders may question if it’s worth keeping up with changing standards. However, failure to adhere to PCI DSS comes with the risk of severe fines and penalties.

Fines and penalties

PCI DSS violations can carry fines as high as $500,000 per incident. Penalties can also damage relationships with banks and credit card companies, creating further financial strain. Financial partners typically prefer to do business with companies that take PCI DSS compliance seriously, proactively reducing their own risk.

On top of these fines, financial providers can also deem merchants liable for operational costs they incur due to security incidents. For example, a business may be forced to cover the costs associated with reissuing payment cards or recovering fraudulent charges. 

Payment restrictions

Payment providers may also restrict non-compliant merchants from accepting card payments — or even terminate service altogether. In an age where more and more consumers are using credit cards to buy things, this can tremendously impact both customer relations and the bottom line.

Federal audits

The Federal Trade Commission keeps close tabs on organizations that fail to comply with PCI DSS requirements. Non-compliant companies risk facing routine audits from the FTC, along with additional fines and penalties.

Reputational harm

Companies risk reputational harm after a breach — which requires extensive brand rebuilding and PR work to repair. Unfortunately, the fallout is usually much worse for companies that fail to take proper precautions before a security incident occurs. 

It’s not always possible to prevent a security incident. Thus, businesses must ensure they do everything they can to proactively secure customer data, including complying with PCI DSS.

To achieve PCI DSS compliance, businesses have to meet several strict requirements. Generally speaking, each requirement helps protect data while it’s at rest and in transit, restricting bad actors from accessing sensitive information. 

With that in mind, let’s examine some of the basic steps businesses need to take to achieve and maintain PCI compliance, as outlined in the PCI DSS Quick Reference Guide.

1. Install and maintain network security controls 

Most payment card transactions rely on point-of-sale (POS) systems, which connect to computers across networks. Cyber criminals often target merchant networks to steal cardholder and authentication data.

As such, PCI DSS requires businesses to implement strong network security controls to protect customer transactions — like installing and maintaining a firewall and implementing strong access controls. Businesses must also avoid using vendor-supplied defaults for system passwords and other security parameters. 

Brick-and-mortar store owners should consult security and IT personnel to ensure their networks contain strong authentication services. Cyber criminals often avoid networks that are difficult to penetrate, seeking easier targets instead.

Similarly, e-commerce providers need to ensure networks are secure for system administrators and remote employees. They should invest in appropriate security controls and ensure the applications they rely on daily are PCI-compliant.

2. Apply secure configurations to all system components

Threat actors often exploit vulnerabilities to gain network access. As a result, businesses should address vulnerabilities as they're announced to keep threat actors out and sensitive data safe.

PCI DSS recommends developing configuration standards for system components that address known security vulnerabilities. Such standards should be consistent with industry-accepted definitions. 

3. Protect stored cardholder data — or don’t store it in the first place

According to the PCI DSS guidelines, it’s best to avoid storing cardholder data. Further, businesses should never store sensitive data from a chip or magnetic stripe after authentication.

If storing data is unavoidable, it must be unreadable in a company's systems which is possible through cryptography. Businesses that fail to properly dispose of data or store it securely risk non-compliance should a security breach occur.

4. Encrypt all sensitive credit card data

Cyber criminals often attempt to intercept data sent over public networks with weak security controls. In fact, data interception is one of the main ways threat actors steal private cardholder data.

Because of this, PCI DSS requires businesses to encrypt cardholder data so that it is unreadable without a private key. For the best results, businesses must ensure data is encrypted at rest and in transit. That way, even if a bad actor infiltrates a network, they won’t be able to make sense of the data.

5. Protect all systems and networks from malicious software

Malicious software — or malware — is a common and highly effective attack vector for threat actors. To protect against malware, companies should invest in an endpoint protection solution.  Companies also need to produce and retain audit logs and document security policies and operational procedures. 

Unfortunately, security isn’t always on the forefront of workers’ minds. For this reason, companies should consider security awareness training teaching them to avoid common pitfalls cybercriminals use to trick unsuspecting end users.

6. Develop and maintain secure systems and software

One of the main reasons cybercriminals attempt to exploit systems and applications is to access sensitive customer data, which includes cardholder information and primary account numbers (PANs).

Businesses can eliminate vulnerabilities and reduce risk by prioritizing application security and being vigilant about installing vendor-approved security patches as soon as they’re released. PCI DSS requires that all critical systems have the most recently released software patches to avoid exploitation. Additionally, the standard requires businesses to patch less critical systems in accordance with risk-based vulnerability management programs.

7. Restrict access to cardholder data

Strong access controls are another critical requirement for PCI compliance. Companies must ensure that only authorized personnel can access critical data.

Best practices suggest that organizations should embrace the principle of least privilege, only allowing users to access the data they need to do their jobs. For further protection, businesses can also use a trusted access control system that can automatically grant or block access based on a user’s credentials. They can also implement additional controls, like multi-factor authentication.

8. Authenticate access to system components

Companies often struggle with access control, losing track of authorized users. When that happens, organizations can face identity sprawl problems. 

To avoid this scenario, assign a unique identification number to all individuals with access to critical data and systems. Under the PCI DSS, this requirement applies to all accounts with administrative capabilities, including POS accounts and those with access to cardholder data.

9. Restrict physical access to cardholder data

In addition to protecting digital systems, businesses must also restrict physical access to data and systems that house cardholder data.

The PCI DSS recommends using appropriate facility entry controls to restrict physical access to systems in a data center environment. It’s also a good idea to create procedures to distinguish between different types of employees and limit physical access to sensitive areas to ensure only authorized employees can enter.

10. Monitor access to cardholder data

To effectively manage vulnerabilities and perform effective forensics investigations, companies need to use logging mechanisms to track user behavior. 

For this reason, PCI DSS advises companies to use logs in all environments for tracking and analysis purposes. This can help teams rapidly discover the root causes of issues, making it easier to close vulnerabilities quickly.

11. Test system security regularly

Cybersecurity is a never-ending responsibility. To combat evolving cybercrime tactics, businesses must routinely test process and system security, ensuring everything stays updated with the latest patches. As the PCI DSS points out, testing security controls is particularly important when environmental changes occur — like adjusting system configurations and deploying new software. 

As a best practice, companies should conduct internal and external vulnerability scans every quarter and after any major network changes. PCI DSS also requires developing and implementing a framework for penetration testing and using intrusion prevention techniques to limit unauthorized entry.

PCI DSS compliance isn’t a choice for businesses that process payment cards. Companies that process card payments and fail to protect sensitive data from cybercrime are exposed to potential PCI DSS violations, including fines, penalties, and the loss of trust from financial partners and customers.

Because of this, businesses need to take PCI DSS compliance seriously — especially e-commerce organizations that depend almost exclusively on payment cards to complete transactions.

Achieving PCI DSS compliance is no small undertaking. It can be particularly difficult for small- to medium-sized businesses and organizations that are struggling with staffing or budgetary limitations. 

Consider partnering with third-party cybersecurity consultants to guide, plan, and deploy PCI DSS management programs. Companies should also look into obtaining cyber insurance that offers third-party liability coverages, including costs associated with PCI fines and assessments that stem from security failures, data breaches, or privacy violations.