PCI DSS compliance: Guide to the 12 requirements

PCI DSS is an acronym for Payment Card Industry Data Security Standard, which is comprised of 12 mandatory requirements that were created to enhance payment account data security throughout the transaction process. PCI DSS compliance requirements were established in 2004 by major credit card companies, including American Express, Discover, JCB International, MasterCard, and Visa. Compliance with this global standard is a contractual requirement for any organization that accepts, transmits, or stores cardholder data.   

The objective of PCI DSS compliance is to protect cardholder data from theft and unauthorized access by requiring organizations that handle credit card data to: 

• Create and maintain an information security policy
• Implement strong access control measures
• Maintain a secure network
• Regularly monitor and test networks

These are meant to prevent credit card theft and fraud, defend against cyber attacks, and mitigate security vulnerabilities and threats. PCI DSS compliance requirements are also intended to prevent identity theft. 

What is PCI DSS compliance?

All organizations that handle credit card transactions, no matter their size or transaction volume, are required to maintain PCI compliance. To do this, organizations must commit to a continuous process that involves: 

• Assessing the current payment card processing environment 
• Identifying cardholder data flows 
• Remediating any identified gaps in compliance by implementing required security controls and measures  
• Reporting compliance to the relevant acquiring banks and card brands 
• Undergoing an onsite audit conducted by a Qualified Security Assessor (QSA) for some organizations 

PCI DSS levels 

PCI DSS classifies organizations into four merchant levels and two service provider levels, determined by the number of credit card transactions they process over a 12-month period. These levels help determine the specific compliance validation requirements each merchant or service provider must fulfill.   

Merchant levels

• Level 1 
  Applies to merchants processing over six million Visa or MasterCard transactions per year across all channels. PCI DSS compliance validation demands a yearly Report on Compliance (ROC) done by a Qualified Security Assessor (QSA) or an internal auditor, with endorsement from a company officer, in addition to a quarterly network scan executed by an Approved Scanning Vendor (ASV). 
• Level 2 
  Applies to merchants who process one million to six million Visa or MasterCard transactions per year across all channels. Compliance validation requires an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an ASV. 
• Level 3 
  Applies to merchants processing 20,000 to one million Visa or MasterCard e-commerce transactions per year. Compliance validation requires an annual SAQ and a quarterly network scan by an ASV. 
• Level 4 
  This applies to merchants handling fewer than 20,000 Visa or MasterCard e-commerce transactions annually and to all other merchants who process up to one million Visa or MasterCard transactions each year. Compliance validation typically requires an annual SAQ and may require a quarterly network scan by an ASV, depending on the acquirer’s discretion. 

Service provider levels

• Level 1   
  Applies to service providers that handle more than 300,000 Visa or MasterCard transactions per year. Compliance validation requires an annual ROC by a QSA or an internal audit if signed by an officer of the company and a quarterly network scan by an ASV. 
• Level 2   
  Applies to service providers that handle fewer than 300,000 Visa or MasterCard transactions per year. Compliance validation requirements are similar to those of Level 1 service providers, including annual ROCs and quarterly ASV scans, but the specifics can vary based on the card brand requirements. 

Enforcement of PCI DSS compliance 

The Payment Card Industry Security Standards Council (PCI SSC) enforces PCI DSS compliance. This group is made up of the major credit card companies, including American Express, Discover, JCB International, MasterCard, and Visa. The PCI SSC is responsible for developing, enhancing, storing, disseminating, and implementing security standards for the protection of cardholder data. 

However, while the PCI SSC develops and maintains the PCI DSS requirements, it does not directly enforce PCI DSS compliance. Enforcement is carried out by the individual payment card brands and acquiring banks. These organizations mandate PCI DSS compliance and have the authority to impose penalties, fines, or restrictions on any merchant or service providers who fail to comply with the PCI DSS requirements. The level of enforcement and the specific consequences for non-compliance can vary depending on the card brand and the merchant’s acquiring bank. 

Fines for failing to maintain PCI DSS compliance 

Fines for failing to meet PCI DSS compliance are levied by the payment card brands on the acquiring banks, which often pass these costs onto the non-compliant merchant. The fines vary widely depending on several factors, including the size of the business, the duration of non-compliance, and the severity of the security breach, if there was one.  

• For small businesses—fines can range from $5,000 to $50,000 per month   
• For larger entities—the financial penalties can be even more substantial, potentially reaching millions of dollars 
• Per incident fines—in cases where a security breach occurs, and the merchant is found to be non-compliant, fines can be up to $500,000 per incident   
• Compensation fees—in the event of a data breach, businesses may be required to compensate affected customers, with fees ranging from $50 to $90 per affected individual  

Benefits of PCI DSS compliance 

PCI DSS compliance is important for several reasons that impact both the organizations that handle cardholder data and the individuals whose information is being processed. The following are the key benefits of PCI DSS compliance. 

Avoiding financial penalties 

Failure to meet PCI DSS compliance requirements can result in large fines from payment card issuers and acquiring banks. These fines vary based on the severity of the infraction and the volume of transactions processed. In addition to fines, organizations that fail to maintain PCI DSS compliance can face increased transaction fees or lose the ability to accept card payments. 

Building and maintaining customer trust 

Increase consumer confidence by adhering to PCI DSS standards.  

Organizations that demonstrate their commitment to protecting customer data build trust with customers, which is essential for customer retention and brand reputation. 

Customers often view PCI DSS compliance as a mark of reliability and security. When customers know that a business follows strict data security standards, they are more likely to trust that business with their sensitive information. This trust can translate into higher customer retention rates. 

Enhancing IT infrastructure 

The requirements for PCI DSS compliance often lead to improvements in an organization’s IT infrastructure and security practices, making it more robust against all types of threats. 

Ensuring legal compliance 

In many jurisdictions, regulations require businesses to protect personal and financial data. By complying with PCI DSS, organizations also ensure they are in line with other laws and regulations related to data protection and privacy. 

Facilitating faster incident response 

Part of being PCI DSS compliant involves having an effective incident response plan. This ensures that, in the event of a data breach, the organization can quickly take action to mitigate damage. 

Improving data security 

At its core, PCI DSS compliance is about safeguarding sensitive cardholder data. By adhering to the stringent security measures detailed in the PCI DSS standard, organizations have robust security measures (e.g., encryption, firewall installation, and the use of secure systems and applications) to protect cardholder data as well as other sensitive information and resources.   

Increasing operational efficiency 

Implementing PCI DSS compliance helps streamline and optimize payment processes, leading to operational efficiencies that can benefit the overall business performance. 

Preparing defenses against emerging threats 

The PCI DSS compliance requirements are regularly updated to address new and evolving threats to payment card security. By staying compliant, organizations ensure that their security measures are up to date, preparing them to face emerging threats.   

Promoting a culture of security 

The process of maintaining PCI DSS compliance encourages organizations to adopt a security-first approach to their operations, policies, and procedures. This culture of security benefits all aspects of an organization beyond just cardholder data protection. 

Reducing the risk of data breaches 

The security requirements for PCI DSS compliance involve implementing robust systems and processes that reduce the chance of a data breach, which can result in legal issues, financial losses, and reputational damage. 

Safeguarding against identity theft 

The PCI DSS compliance requirements for securing cardholder data help protect against identity theft.   

Standing out in the market 

In competitive markets, being PCI DSS compliant can serve as a differentiator. PCI DSS compliance broadcasts to potential clients and partners that an organization takes data security seriously. This can influence their decision to work with a PCI-DSS-compliant organization over a non-compliant competitor in markets where privacy and data security are a concern. 

Supporting global business 

Since PCI DSS is a globally recognized standard, compliance is often necessary for doing business internationally. PCI DSS compliance assures partners and customers worldwide that an organization meets international security standards. 

What are the 12 requirements of PCI DSS?

1. Build and maintain a secure network   

• Ban direct public internet access to systems within the cardholder data environment. 
• Configure firewalls to protect cardholder data.   

2. Do not use defaults for system passwords and other security parameters 

• Change default passwords and other security parameters before installing systems on the network. 
• Secure system passwords and other security parameters to prevent unauthorized access. 

3. Protect stored cardholder data 

• Encrypt sensitive cardholder data stored on systems or media. 
• Restrict how much cardholder data is stored and the retention period for cardholder data to the minimum required for operations, legal, or regulatory purposes. 

4. Encrypt cardholder data when transmitting it across open, public networks 

• Implement encryption and security measures to protect sensitive cardholder information during its transmission across open, public networks. 

5. Protect cardholder data from malware and viruses 

• Install anti-virus software on all systems that could be affected by malware. 
• Ensure that anti-virus mechanisms generate audit logs. 
• Update anti-virus software regularly. 

6. Develop and maintain secure applications and systems 

• Identify and address vulnerabilities by installing security patches promptly. 
• Develop applications in accordance with secure coding guidelines to prevent common vulnerabilities. 

7. Restrict access to cardholder data   

• Limit access to cardholder data to users whose job requires it. 
• Implement access controls to ensure that access is granted based on job role. 

8. Implement systems for identity authentication and access management for system components 

• Assign unique identities to users. 
• Implement strong authentication for users and devices. 

9. Restrict physical access to cardholder data 

• Protect against unauthorized physical access, tampering, and theft. 
• Use appropriate physical controls to secure locations and equipment storing cardholder data. 

10. Monitor and record all access to network resources and cardholder data 

• Implement logging mechanisms and regularly review logs to track user activities related to cardholder data. 
• Ensure that logs are secure, current, and retained according to PCI DSS compliance requirements. 

11. Regularly test security systems and processes 

• Perform vulnerability assessments and penetration tests to detect and fix security vulnerabilities. 
• Routinely evaluate security systems and procedures to verify their effectiveness in safeguarding cardholder information. 

12. Create policies for personnel information security protocols   

• Create, issue, distribute, and maintain a security policy focused on safeguarding cardholder information. 
• Ensure that employees and contractors understand the information security policy and their roles in securing cardholder data. 

PCI DSS compliance: Mandatory, but beneficial 

While PCI DSS compliance is mandatory for any business that handles cardholder data, it does provide many valuable benefits for the ongoing optimization of security systems and processes. As threats to data security become more sophisticated, the importance of elements associated with PCI DSS compliance will only increase.  

Organizations committed to maintaining high standards of data security agree that PCI DSS compliance has become more than a regulatory requirement. For many, it has become a critical component of their overall security strategy. Achieving and maintaining PCI DSS compliance has proven to be a strategic investment in an organization’s security, reputation, and future growth. 

You might also be interested in: