PCI DSS: requirements, fines, and steps to compliance
PCI DSS is a cybersecurity standard backed by all the major credit card and payment processing companies that aims to keep credit and debit card numbers safe. PCI DSS stands for Payment Card Industry Data Security Standard. The standard, which is administered by the Payment Card Industry Security Standards Council, establishes cybersecurity controls and business practices that any company that accepts credit card payments must implement. Companies can demonstrate that they have implemented the standard by meeting the reporting requirements laid out by the standard; those organisations that fail to meet the requirements, or who are found to be in violation of the standard, may be fined.
What is PCI DSS used for?
Credit and debit card numbers are probably the most valuable sequences of digits around: anyone with access to them can immediately make fraudulent purchases and drain money from user accounts. Because banks and other credit card issuers will generally refund their customers in these situations, they have a vested interest in ensuring that credit card numbers remain secure as they are transmitted across the economic ecosystem.
The PCI Security Standards Council was created by these industry players to make sure that transactions involving credit card numbers are secure as possible. The Council lays down several security standards that organisations in different industry segments must implement: for instance, PCI PTS covers manufacturers of PIN-based devices, and PCI PA-DSS governs software developers writing code that manages cardholder data.
Who does PCI DSS apply to?
PCI DSS is the most wide-ranging of the Council’s standards. It applies to “any entity that stores, processes, and/or transmits cardholder data,” which means that any organisation that accepts credit card payments – which is to say, any virtually any organisation that sells anything or accepts donations – must adhere to the standard.
Compliance with PCI DSS represents a baseline of security, and is certainly not a is not a guarantee against being hacked. As we’ll see, compliance can be quite complex, and it’s difficult to say with certainty that every aspect of an organisation’s security is compliant 100% of the time. Some have argued that the credit card and payment companies that make up the PCI Security Standards Council use PCI DSS to shift security responsibilities and the financial burden of breaches onto retailers.
When did PCI DSS become mandatory?
PCI DSS compliance became mandatory with the roll-out of version 1.0 of the standard on December 15, 2004. (PCI DSS 3.2 is the current version of the standard, and 4.0 is in the works.) But we should pause here to talk about what we mean by “mandatory” in this context. PCI DSS is a security standard, not a law. Compliance with it is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing.
And, as we will see, for most companies compliance with the standard is achieved by filling out self-reported questionnaires. For those merchants, PCI DSS compliance mainly becomes “mandatory” in retrospect: if a breach occurs that can be traced back to a failure to implement the standard correctly, the merchant can be sanctioned by their payment processors and the card brands. Merchants may be required to undergo (and pay for) an assessment to ensure that they have improved their security, which we’ll discuss in more detail later in this article; they may also be required to pay fines. Very large companies may be required to undergo assessments conducted by third parties even if they haven’t suffered a breach.
PCI DSS fines
When merchants sign a contract with a payment processor, they agree to be subject to fines if they fail to maintain PCI DSS compliance. Fines can vary from payment processor to payment processor, and are larger for companies with a higher volume of payments. It can be difficult pin down a typical fine amount, but US firm IS Partners provides some ranges in a blog post. For instance, fines are assessed per month of non-compliance and the per-month charge increases for longer periods, so a company might pay $5,000 a month if they are out of compliance for three months, but $50,000 a month if they go as long as seven months. In addition, fines ranging from $50 to $90 can be imposed for each customer who’s affected in some way by a data breach.
Again, keep in mind that these aren’t “fines” in the same sense that, say, you would pay for violating some government regulation or traffic law; they are penalties built into a contract between merchants, payment processors, and card brands. Generally the card brands fine the payment processors, who in turn fine the merchants, and the whole process is not necessarily based on the same standards of evidence one would expect in a criminal court, though disputes can end up in civil court.
A 2012 case involving Utah restaurateurs Stephen and Cissy McComb brought some of the murky world of PCI DSS fines into the limelight; the McCombs claimed that they had been accused of lax security based on no evidence and that $10,000 had been siphoned from their bank account by their payment processor improperly. In 2013, Tennessee shoe retailer Genesco fought back against a $13 million dollar PCI DSS fine levelled in the wake of a major data breach, eventually recovering $9 million in court.
Still, most merchants seek to avoid having to pay these fines by ensuring that they comply with the PCI DSS standard. So let us dive into the details of what that entails.
PCI DSS requirements
The PCI DSS standard lays out 12 fundamental requirements for merchants:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
What does it mean to be PCI DSS compliant?
DSS compliance comes from meeting the obligations laid down by these requirements in the way best suited to your organisation, and the PCI Security Standards Council gives you the tools to do so. The RSI security blog breaks down the steps in some detail, but the process in essence goes like this:
- Determine your organisation’s PCI DSS level. Organisations are divided into levels based on how many credit card transactions they handle annually. For instance, PCI DSS level 1 organisations process more than six million transactions a year, whereas PCI DSS level 4 orgs process less than 20,000.
- Complete a self-assessment questionnaire. These are available from the PCI Security Standards Council web site, and there are various questionnaires tailored to how different companies interact with credit card data. If you only take card payments online via a third party, you’d fill out Questionnaire A, for instance; if you use a standalone payment terminal connected to the internet, you’d go with Questionnaire B-IP. Each questionnaire determines how well your organisation adheres to the PCI DSS requirements, tailored as appropriate by the ways in which you interact with customer credit card data.
- Build a secure network. The answers you give on your questionnaire will reveal any weak spots in your credit card infrastructure and requirements you fail to meet, and will guide you in plugging those holes.
- Formally attest your compliance. An AOC (attestation of compliance) is the form you use to signal that you’ve achieved PCI DSS compliance. Finishing your questionnaire with no “wrong” answers means that you’re ready to go.
As should be clear, the questionnaires provide a sort of PCI DSS compliance checklist. However, don’t let this be the end of your security journey. As David Ames, principal in the cybersecurity and privacy practice at PricewaterhouseCoopers, said “we have seen that concentrating strictly on standalone compliance efforts can produce a false sense of security and an inappropriate allocation of resources. Use the PCI DSS as a baseline controls framework that is supplemented with risk management practices”
Who is responsible for PCI compliance?
Every organisation will have a somewhat different take on who should lead its PCI compliance team, based on its structure and size. Very small businesses who have outsourced most of their payment infrastructures to third parties generally can rely on those vendors to handle PCI compliance as well. At the other end of the spectrum, very large organisations may need to involve executives, IT, legal, and business unit managers. The PCI Standards Security Council has an in-depth document, “PCI DSS for Large Organizations,” with advice on this topic; check out section 4, beginning on page 8.
PCI DSS certification vs PCI DSS assessment
How can you become PCI DSS certified? The short is you can’t: there is no such thing, in the world of PCI DSS, as “certification.” As discussed, the most common means of showing compliance with the PCI DSS is by completing the appropriate questionnaire and completing an attestation of compliance (AOC). This process is known as self-assessment.
However, merchants may also choose to pay a third-party vendor to conduct a PCI DSS assessment. The PCI Security Standards Council certifies Qualified Security Assessors who can conduct these audits and produce what’s known as a report of compliance (ROC); you may sometimes see this process referred to as PCI DSS certification, though that is strictly speaking not correct. While some organisations pay for ROCs voluntarily, others may be required to acquire one if they have suffered a breach or some other security violation; and large companies that qualify as PCI DSS level 1 are required to get an ROC on a regular basis.
Assessments aren’t cheap, but even you are not required to get one, it may pay off in the long run. As Paul Cotter, senior security architect at West Monroe Partners, said in self-assessments companies tend to look at themselves in “in the most flattering way possible. You might spend $50,000 to hire a professional, but it might wind up saving you in the long run” because you’ll get an honest assessment of your security situation. And at its heart, that is the kind of assessment the PCI DSS standard ought to deliver.
Josh Fruhlinger is a US-based writer and editor for CSO Magazine
IDG News Service