What is PCI DSS Compliance
A full guide to PCI DSS 4.0 compliance. Secure your cardholder data and stay compliant with Planet 9
While PCI DSS compliance is not a legal requirement, non-compliance can still carry significant financial, legal, and reputational risks. In the event of a breach, non-compliant businesses may be held liable by card issuers for all expenses related to reissuing credit cards, covering fraudulent charges, and providing six to twelve months of credit monitoring for each impacted customer. Worse yet, improper safeguarding of payment information could result in hefty fines of up to $100,000, along with significant reputational damage.
A 10% jump in data breach costs in the financial industry from 2023 to 2024 reflects the rising consequences of PCI non-compliance. If your business processes credit card payments, you are responsible for safeguarding cardholder data from potential breaches. Understanding what PCI DSS compliance is and why it matters is essential to reduce the risk of a breach and limit your liability if one occurs.
Unfortunately, the Verizon 2024 Payment Security Report reports a significant decline in full PCI compliance. So, we decided to answer the main questions related to PCI DSS compliance to underscore its value for every business dealing with sensitive financial information.
What is PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements designed to safeguard cardholder data during storage, processing, and transmission. Established in 2004 by the Payment Card Industry Security Standards Council (PCI SSC)—founded by major card brands like Visa, Mastercard, and American Express—it aims to reduce credit card fraud and enhance payment security across the globe. PCI DSS applies to any organization that handles credit or debit card transactions, regardless of size, making it a critical framework for businesses to ensure trust and compliance.
Since its inception in 2006, PCI DSS has had two major updates:
- PCI DSS 3.2.1 (2018): Introduced refinements to authentication methods and enhanced the protection of data during transmission.
- PCI DSS 4.0 (2022): Focused on a risk-based approach, introduced stronger PCI password requirements, API security requirements, improved testing procedures, and provided flexibility for businesses to implement innovative security methods.
The purpose of PCI DSS is to ensure the secure handling of payment card information by organizations that accept, process, store, or transmit it. By implementing standardized security measures, PCI DSS helps protect sensitive cardholder data, reduce the risk of data breaches, and minimize financial and reputational damage caused by payment fraud. Beyond compliance, adhering to PCI DSS fosters customer trust by demonstrating a commitment to protecting their personal and financial information.
What is PCI DSS Compliance
PCI DSS compliance refers to adhering to a set of PCI security requirements, ensuring that businesses and service providers handle credit and debit card data securely. PCI DSS v4.0 consists of 12 detailed requirements organized into six security goals that aim to protect cardholder data, prevent data breaches, and maintain a secure payment environment. Below are the 12 PCI DSS requirements, along with some tips on how to meet these requirements:
Build and maintain a secure network and system
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data. The firewall provides traffic control between an entity's internal (trusted) and external (untrusted) networks. Further, firewalls are used for segregation within internal networks with different security levels.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Default settings and accounts are well known in hacker communities and must be changed to prevent unauthorized access. Develop configuration standards that cover all systems and components so that defaults are changed consistently.
Protect cardholder data
- Requirement 3: Protect stored cardholder data through strong encryption, tokenization, or other methods. Also, avoid saving cardholder data unless it is necessary.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks to prevent unauthorized access.
Maintain a vulnerability management program
- Requirement 5: Protect all systems against malware by using and regularly updating anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications by applying security patches and conducting regular vulnerability scans.
Implement strong access control measures
- Requirement 7: Restrict access to cardholder data on a need-to-know basis, ensuring only authorized personnel can view sensitive information.
- Requirement 8: Identify and authenticate access to system components by using strong authentication methods (e.g., unique user IDs and multi-factor authentication).
- Requirement 9: Restrict physical access to cardholder data by implementing strong physical security controls (e.g., locked rooms or server racks).
Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data by implementing logging mechanisms that capture critical events.
- Requirement 11: Regularly test security systems and processes, including conducting vulnerability scans and penetration testing to identify weaknesses.
Maintain an information security policy
- Requirement 12: Maintain a comprehensive information security policy that addresses all PCI DSS requirements and educates staff about security procedures and best practices.
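Requirement 3 is the one most often met with code rather than configuration, so here is an added example (not part of the original page or of Planet 9's materials) that shows the three pieces a developer typically implements: masking a PAN for display, replacing the PAN with a random token held in a vault so that application databases never store the real number, and a check that scans free text (log lines, exports) for unmasked PANs before it leaves the cardholder data environment. The `TokenVault` class, `mask_pan`, `contains_unmasked_pan` and the test card numbers are all constructed for this example; the vault keeps the PAN in a process-local dictionary only to stay self-contained, whereas a real vault encrypts that column with a key managed outside the application.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed example vault: maps random tokens to PANs.

    The lookup index is an HMAC of the PAN, so the same card always yields the
    same token without storing a plain hash that could be brute-forced offline.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}   # stand-in for an encrypted PAN column
        self._token_by_index: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        token = "tok_" + secrets.token_hex(16)    # random, so it reveals nothing about the PAN
        self._token_by_index[index] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can turn a token back into a PAN."""
        return self._pan_by_token[token]


# Any 13-19 digit run that also passes Luhn is treated as a leaked PAN;
# order numbers and timestamps of the same length are filtered out by Luhn.
_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def contains_unmasked_pan(text: str) -> bool:
    """Detect full PANs in free text such as application log lines."""
    return any(luhn_valid(run) for run in _DIGIT_RUN.findall(text))


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"                     # constructed test card number
    token = vault.tokenize(pan)
    print(mask_pan(pan), token)
    print(contains_unmasked_pan(f"charged card {pan}"))          # True: must not be logged
    print(contains_unmasked_pan(f"charged card {mask_pan(pan)}"))  # False: safe to log
```

The vault and the masking function live inside the cardholder data environment; everything outside it (order history, customer support tooling, logs) should only ever see the token or the masked form, which is what shrinks the scope of the PCI DSS assessment.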
Why is PCI DSS Compliance Important
Financial institutions must prioritize PCI compliance to navigate evolving data management and security challenges. The consequences of PCI DSS non-compliance for covered businesses can be severe, both financially and reputationally. These consequences can vary based on the severity of the non-compliance, the nature of the breach, and the size of the business, but typically include:
Fines and penalties
Businesses that fail to meet PCI DSS requirements may face significant fines from payment card brands (such as Visa, MasterCard, etc.), ranging from $5,000 to $100,000 per month, depending on the severity and duration of the non-compliance. Fines for PCI DSS non-compliance are typically mediated by banks or payment processors, which may then pass these costs onto the merchant. The exact amount can vary based on the volume of transactions, the level of non-compliance, and the merchant’s history with data security.
Furthermore, in case of a data breach, many businesses are required to hire a Payment Card Industry Forensic Investigator, and this cost comes on top of the fines themselves, which range from $20 to $5,000 or more per month, depending on the details of the non-compliance and breach.
Loss of payment card processing privileges
Businesses that fail to achieve PCI DSS compliance may be restricted or terminated from processing credit card payments. For most businesses, especially small and mid-sized ones, this could result in significant operational disruption and loss of revenue, as they may be forced to switch payment processors or change their business model entirely.
Reputation damages and loss of competitive advantage
Failing to comply with PCI DSS can seriously damage a company’s reputation, particularly if a breach occurs. Customers and partners expect businesses to protect their payment information. Business partners require that their third-party vendors and service providers comply with PCI DSS. Businesses that fail to meet PCI DSS standards may be seen as less reliable in the eyes of customers and partners, affecting their competitive position in the market.
Increased security vulnerabilities
Non-compliance can leave organizations vulnerable to cyberattacks, including data breaches, ransomware, and payment fraud. Failure to implement the necessary security controls required by PCI DSS, such as encryption, firewalls, and access controls, increases the likelihood of cybercriminals exploiting these gaps.
Who Needs PCI DSS
PCI DSS applies to any organization involved in accepting, processing, storing, or transmitting payment card data, regardless of its size, industry, or transaction volume. These include financial institutions - banks, credit unions, and other entities that issue payment cards or manage transactions, as well as vendors that can impact the security of cardholder data. In the language of PCI DSS, these entities are divided into two main categories:
PCI DSS merchants
PCI DSS Merchants are businesses of all sizes that accept credit or debit card payments, whether through online platforms, physical point-of-sale (POS) systems, mobile payment apps, or over-the-phone transactions. From small retail stores to multinational e-commerce giants, all merchants are required to comply with PCI DSS.
PCI DSS service providers
Organizations that store, process, or transmit cardholder data on behalf of other businesses. This includes hosting providers, cloud service platforms, payment gateways, managed security services, and outsourced IT providers. Service providers control or could impact the security of cardholder data (for example, managed firewalls, hosting providers, etc.). In simple terms, service providers are defined as third-party vendors who assist merchants with storing, processing, or transmitting cardholder data.
What each entity must do to validate compliance depends on its annual transaction volume and the resulting PCI compliance level.
Compliance is mandatory for all these entities to maintain the trust of customers and partners, avoid financial penalties, and ensure they can continue processing payments through Visa, Mastercard, and American Express.
What is the PCI DSS Assessment
The road to PCI compliance lies through a PCI assessment. There are three major elements of the assessment - Report on Compliance (RoC), Attestation of Compliance (AoC), and Self-Assessment Questionnaires (SAQ). Which one of these to choose depends on the merchant or service provider level of your organization.
- PCI Report on Compliance (RoC) provides details about the entity’s environment and assessment methodology and documents the entity’s compliance status for each PCI DSS Requirement. The RoC is developed through a thorough Qualified Security Assessors (QSA) assessment that includes an onsite audit and review of controls.
- PCI Attestation of Compliance (AoC) declares the service provider’s assessment results with the PCI DSS Requirements and Security Assessment Procedures. The AoC is also completed by QSA.
- PCI Self-Assessment Questionnaires (SAQ) enable merchants to measure and self-assess their compliance.
Find out more about RoC, AoC, and other elements of PCI DSS compliance. Achieving compliance ensures that organizations meet the rigorous requirements for securing cardholder data, reducing fraud risks, and maintaining trust with customers and payment card networks.
What are the PCI Compliance Levels
Merchants are classified into one of four PCI compliance levels based on how many credit card transactions they process each year.
PCI DSS merchants
Depending on their level, merchants will either complete a Self Assessment Questionnaire (SAQ) or go through an assessment by QSA to ensure they are PCI DSS compliant. Here's a breakdown of the levels:
- Level 1 Merchants: Process over 6 million credit card transactions annually. These merchants must undergo an assessment by a Qualified Security Assessor (QSA), who submits a Report on Compliance (RoC) to the acquiring bank to validate compliance.
- Level 2 Merchants: Process between 1 and 6 million transactions annually. These merchants fill out an annual Self Assessment Questionnaire (SAQ), but they don’t need a third-party QSA assessment. They also must provide a quarterly network scan from an Approved Scanning Vendor (ASV) and submit an attestation of compliance (AoC) form.
- Level 3 Merchants: Process between 20,000 and 1 million transactions annually. Similar to level 2, these merchants complete an annual SAQ, present a quarterly network scan from an ASV, and submit an AoC form.
- Level 4 Merchants: Process fewer than 20,000 transactions annually. These merchants complete an annual SAQ, provide a quarterly network scan from an ASV, and submit an AoC form but don't need an external audit.
PCI DSS service providers
- Level 1 Service Providers: Store, transmit, or process more than 300,000 credit card transactions annually. These service providers must undergo a third-party QSA assessment annually and receive a RoC as a result of this assessment.
- Level 2 Service Providers: Store, transmit, or process fewer than 300,000 credit card transactions per year. These service providers must complete an annual Self-Assessment Questionnaire and a quarterly network scan by an Approved Scanning Vendor (ASV).
Merchants and service providers can check their compliance level by consulting their merchant services provider or using the reporting tools provided by the provider. Learn how to identify your PCI compliance level.
How to Become PCI DSS Certified
If you're looking to obtain your PCI compliance certification, here are some steps you can follow:
- Determine your certification level based on annual credit card transaction volume.
- Understand PCI DSS requirements covering areas such as encryption, access control, network security, vulnerability management, and others.
- Identify potential compliance gaps. Find areas where your systems, processes, or employees might be at risk of not meeting PCI DSS standards.
- Conduct a thorough risk assessment to identify vulnerabilities in your infrastructure, data storage, and payment processing systems. Assess all vulnerabilities that could expose cardholder data.
- Complete your RoC (Report on Compliance) or SAQ (Self-Assessment Questionnaire). If you're a Level 1 merchant, you must undergo an external audit by a Qualified Security Assessor (QSA) and complete a RoC. Level 2, 3, and 4 merchants must fill out the appropriate SAQ based on their operations and risk exposure.
- Verify your PCI compliance status by completing a third-party Attestation of Compliance (AoC).
- Perform quarterly compliance evaluations.
- Communicate compliance results with banks and payment companies.
Become PCI DSS Compliant with Planet 9
Are you on your PCI DSS compliance journey or unsure where to start? Planet 9 professionals can help you become and remain PCI compliant. Depending on your company’s size and volume of annual credit card transactions, we can, among other things:
- evaluate the ‘security maturity’ of your organization to establish a baseline;
- based on the security maturity and validation requirements, prepare a plan to raise the organizational maturity;
- conduct a risk assessment;
- develop a roadmap for mitigating the identified compliance gaps and risks, and then assist the client on executing the roadmap;
- prepare and share the requirements and steps needed to complete the required compliance activities.
Book a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals. We’ll be happy to assist!