February 26, 2021
PCI Compliance, Demystified
As consumers continue to adopt e-commerce and e-commerce providers streamline the ecommerce buying process, the systems used to process online card payments become popular targets for hacking and fraud. To combat this, in 2001, the PCI SSC was created. The PCI SSC is a joint venture between Visa, Mastercard, American Express, Discover and JCB which created the Payment Card Industry Data Security Standard (PCI DSS). This standard sought to require any company that works with payment card information, whether collecting it, storing it, processing it or transferring it, take certain actions to protect that data.
Because the members of the PCI SSC account for the vast majority of card transactions, they have the power to fine noncompliant companies and even revoke their rights to process payment card data. That, in addition to the obvious costs to public reputation and subsequent loss of business following a data breach, make PCI compliance critical for any business involved with payment card data.
Securing data is essential for any business that transacts payments, and the PCI guidelines are an effective way to do this and show your users that you are doing what you can to protect them.
How is PCI Compliance defined?
PCI Compliance has four levels that are defined by the number of payment card transactions that it processes. The highest level, Compliance Level 1, is for companies that process over 6M payments a year. From there, the levels decrease as the number of payments processed annually decreases until Compliance Level 4 is reached, which is for companies with less than 20,000 transactions.
Compliance Level 1 has a unique requirement — companies that process 6M or more transactions a year must submit a compliance report that has been reviewed by an independent Qualified Security Assessor (QSA). The PCI SSC keeps a database of all qualified assessors. For other compliance levels, typically a self-attestation is required to gain PCI compliance.
Service providers, or those that process payment transactions, that analyze or store transaction data have two tiers, with the first being for service providers that processes more than 300,000 transactions and the second for less than 300,000 transactions.
The PCI SSC has outlined 12 requirements for meeting their standards, which need to be established by an independent audit:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data by masking cardholder data in databases and systems
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
How the compliance process works
Handling the PCI compliance process on your own requires a large investment of time, money and infrastructure changes. Companies can spend months analyzing their data processing and storage procedures, searching for weak points, updating infrastructure, training employees and possibly getting an independent audit. In addition, you will have to account for any changes you make to these procedures as you make changes to your products, as well as any changes the PCI SSC make to their rules.
While the PCI SSC offers extensive documentation and resources on their website, even the most prepared company will likely need several months to complete all of this compliance work. While this work is necessary to safeguard the company and its customers, any delay in their product development or go-to-market strategy can represent a major risk. This has led many companies to seek out third-party assistance to accelerate PCI Compliance.
How to get started
The first step would be to review the information stored on the PCI SSC website. Much of their documentation is meant to help you plot a course through the process, informing you which Compliance Level you fall under, what milestones you need to meet and so on.
They also have numerous classes and training resources to help you instruct employees on the requirements necessary for them to meet compliance standards. If you are unfortunate enough to be subject to a data breach, they also can put you in touch with third-party investigators who will help determine what happened and how you can prevent it in the future.
How you can speed things up
Skyflow’s PCI Vault is a great solution for companies looking to drastically reduce the time, effort and infrastructural costs associated with PCI Compliance. As experts in the data security and privacy space, we are intimately familiar with the difficulty many companies have meeting these stringent guidelines, so we created a specialized data vault designed to securely store cardholder data that can bring companies up to code in a fraction of the time it normally takes.
You can learn more about the PCI Vault here.