Focus on security: Guide to becoming PCI DSS compliant

16 August 2016

The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set of principles and directions designed to ensure the security of payment card information. All companies accepting credit or debit card payments on their sites must comply with the PCI standards to improve the security of payment card data and prevent data breaches and identity theft. However, achieving and reporting your organization’s compliance with PCI DSS requirements can be a challenging and sometimes time-consuming task.

Payment Card Industry Data Security Standard

The PCI DSS was developed in 2004 by the major payment card brands (MasterCard, Visa, American Express, Discover, and JCB) in response to the sharp increase in cyber-attacks and data theft. All businesses involved in processing, storing or transmitting payment card data, even those with a limited number of transactions, have to meet a defined level of security and integrate daily security practices into their business operations.

The PCI Data Security Standard defines twelve requirements that can be grouped into six core areas covering different information security domains. They include the requirements to build and maintain a secure network, to test networks on a regular basis, to protect stored cardholder data from theft and unauthorized access, to adopt a vulnerability management program including anti-virus software, and others.

If your company fails to comply with PCI DSS requirements, you will have to pay costly fines and penalties – from $2,000 to more than $100,000 per month, especially if you experience a data breach. Moreover, your merchant account can be suspended and your payment services may be revoked. That’s why complying with PCI DSS requirements is vitally important – it protects not only your customers, but also your budget and business reputation.

Undergoing PCI DSS Compliance

PCI DSS compliance validation should be performed annually. All businesses that deal with payment card data are classified into several levels and types according to the number of card transactions they handle per year. These levels and types determine the applicable set of validation requirements and the frequency of security scans that they must undergo. Different payment card brands may impose different validation levels.

High-volume merchants (Level 1) that process more than 6 million transactions per year and service providers that process more than 300,000 transactions per year must undergo quarterly network scans and an annual audit performed by an independent Qualified Security Assessor or by their own internal auditor who creates a Report on Compliance to verify the business’ PCI DSS compliance. The average cost of all necessary procedures is $50,000 per year.

Companies handling smaller transaction volumes (Level 2, 3 and 4 merchants and service providers) must complete a Self-Assessment Questionnaire and undergo quarterly network scans performed by an Approved Scanning Vendor. If a Level 2, 3, or 4 merchant suffers a serious security breach that results in data leakage, the payment processor may refer them to a Level 1 compliance validation level regardless of their transaction volume.

External Network Vulnerability Scans

Internal and external network vulnerability scanning is a key component of Requirement 11. To achieve PCI DSS compliance, all merchants and service providers must undergo a vulnerability scan of their cardholder data environment performed by an Approved Scanning Vendor. The scan must be run at least quarterly and after any significant change in the network, for example when you have upgraded your payment system or installed a new component.

The PCI Security Standards Council has approved over 100 scanning vendors in different regions and countries. The U.S. list includes such companies as McAfee Inc., Digital Defense Inc., Core Security Technologies, Cisco Systems, Inc., AT&T Consulting Solutions, and others. Their scanning solutions have been tested and approved by the PCI Security Standards Council.

The scanning vendors use automated tools to check your external IP addresses and identify potential security flaws – configuration issues, missing patches, dangerous services, etc. They can also verify all detected vulnerabilities manually to ensure the accuracy of the scan and give you the opportunity to dispute any result that you consider a false positive. The average scanning fee for 5 IP addresses is $250 per year; for 20 IP addresses it is $399 a year.

You can significantly simplify your PCI DSS efforts if your stored, processed, or transmitted payment card data is being hosted on outsourced servers from a third-party provider. In this case, it is your server provider who is responsible for implementing PCI DSS requirements, maintaining a secure data environment and undergoing quarterly vulnerability scans.

A PCI compliant hosting provider has to offer several levels of data protection, including physical methods (restricted access, firewalls, data encryption, anti-virus programs, monitoring and testing services) and virtual methods (password authentication, biometric security). For example, Condero offers PCI DSS compliant infrastructure and audit logs for $25 per month.

Self-Assessment Questionnaire

The Self-Assessment Questionnaire is intended to reduce the cost of PCI DSS compliance validation for small and medium-size businesses – the documents are completed by your own staff on an annual basis. The Questionnaire includes a set of questions concerning your organization and its payment setup as well as all applicable PCI DSS requirements.

There are nine different versions of the Questionnaire for different merchant environments, depending on the way they process, store, and handle payment card data. That’s why for some companies, the appropriate questionnaire will be short and easy to complete, while for others it will be more technical. You can find all SAQ forms and their descriptions on the PCI Security Standards Council website.

After filling in the information about your company, you need to answer a series of yes-or-no questions covering different areas of information security – for example, how you store and process sensitive payment card data. If you answer No to any of the questions, it means that you don’t comply with PCI DSS requirements. In this case, you need to solve all security problems identified by the Questionnaire and take it again.

The Self-Assessment Questionnaire also includes an Attestation of Compliance, which confirms that you have performed the appropriate self-assessment and can receive a compliance certificate. Once completed, all validation results, including your ASV vulnerability scan reports, Self-Assessment Questionnaire and Attestation of Compliance, must be submitted to your payment processor for review.

The success and growth of any company often rests on its solid business reputation, so keeping your customers’ data safe and implementing fraud prevention solutions should become your key responsibility. The impact of a security breach may be far greater than you could expect. The PCI standards can serve as a basis for companies who want to improve their overall security posture and avoid data leakage.
