What is PCI Compliance? Standards and Best Practices

About the Article

Brands must prioritize the safety and security of their customers’ sensitive information to succeed. This is particularly true if you have an eCommerce website and accept online payments. PCI compliance addresses the safety concerns that come with online payments by imposing certain standards businesses must follow if they are to accept credit and debit card payments.

What is PCI Compliance?

Payment card industry (PCI) compliance involves meeting a set of security standards for businesses that accept, process, store, or transmit credit card information. Through PCI compliance, businesses of all sizes can prevent fraud and limit data breaches while protecting the sensitive payment data of their customers.

The Payment Card Industry Data Security Standard (PCI DSS) is designed to keep debit and credit card numbers secure. The PCI Security Standards Council, a joint venture between the five major payment card brands – American Express, Discover, JCB, MasterCard, and Visa – administers PCI DSS. Since 2006, the PCI Security Standards Council has worked to fulfill its mission of “enhancing global payment account data security.”

PCI DSS applies to service providers and merchants. A service provider is a business which processes, stores, or transmits cardholder data on behalf of another business. A merchant is a business which accepts credit card payments for goods or services sold online. 

If you’re a business that processes debit or credit card transactions for any reason, it’s important you understand and comply with PCI DSS.

PCI Compliance Standards

PCI DSS comes with 12 specific requirements arranged into six objectives. Here’s a brief overview of what they are. 

Objective 1 – Build and maintain a secure network 

Requirement 1 – Install and maintain a firewall configuration to protect cardholder data. 
Your business must utilize a firewall configuration to protect cardholder data and create a secure network. A firewall controls your network traffic and blocks any transmissions which don’t meet your particular security criteria. 

Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters. 
Your business cannot use the password your software vendor created when you purchased your software. Instead, create your own unique, secure system passwords. 

Objective 2 – Protect cardholder data

Requirement 3 – Protect stored cardholder data
If you store cardholder data, you are susceptible to a potential data security breach. Work with a PCI DSS compliant hosting provider to deliver several layers of data protection via virtual and physical methods. Virtual methods may include passwords and authentication, while physical methods cover restricted access and storage cabinet locks.

Requirement 4 – Encrypt transmission of cardholder data across open, public networks 
Encryption should be applied before data is transmitted from point A to point B. Your business needs to implement strong encryption protocols, and networks must be configured properly so that unauthorized users cannot access cardholder data.

Objective 3 – Maintain a vulnerability management program

Requirement 5 – Use and regularly update anti-virus software
Antivirus software is essential to protect your business from the latest malware. If you’re hosting your data on outsourced servers, ensure your managed service provider maintains a secure environment as well. 

Requirement 6 – Develop and maintain secure systems and applications
As long as you opt for a PCI DSS compliant hosting provider, you can count on them to monitor and update their systems to address any vulnerabilities. 

Objective 4 – Implement strong access control measures 

Requirement 7 – Restrict access to cardholder data by business need to know
Don’t give every employee in your company access to cardholder data. Instead, limit the number of individuals who have access, which significantly reduces your risk of a security breach. 

Requirement 8 – Assign a unique ID to each person with computer access
A unique digital ID allows you to track everyone at your company who accesses your network. You should also require users to change their password every 30 days, automatically log them off after a certain period of idle time, and follow other security best practices.

Requirement 9 – Restrict physical access to cardholder data
The servers containing your cardholder data should be stored in a secure environment, whether on or off site, accessible only by a limited number of authorized individuals.

Objective 5 – Regularly monitor and test networks

Requirement 10 – Track and monitor all access to network resources and cardholder data
Tracking user activity makes it easier to identify the cause of a security breach or any other problem that may arise.
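As an added example (not from the article or from Magento), the Python below shows how Requirements 7, 8 and 10 translate into a single access check for cardholder data: a need-to-know role check, the 30-day password age, an idle logoff, and an audit record tied to each unique user ID. The 15-minute idle limit, the role names and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 30-day password age comes from the article; the 15-minute idle limit
# and the role names are assumptions made for this example.
PASSWORD_MAX_AGE = timedelta(days=30)
IDLE_TIMEOUT = timedelta(minutes=15)
NEED_TO_KNOW_ROLES = frozenset({"billing", "chargeback-review"})


@dataclass
class User:
    user_id: str             # unique per person, never shared (Requirement 8)
    roles: frozenset
    password_set: datetime   # when the current password was chosen
    last_activity: datetime  # last request seen on the current session


def check_access(user, now, audit, resource="cardholder_data"):
    """Decide whether `user` may read `resource` at `now`; log the decision."""
    # Requirement 7: only roles with a business need to know get through.
    if not user.roles & NEED_TO_KNOW_ROLES:
        allowed, reason = False, "no business need to know"
    elif now - user.password_set > PASSWORD_MAX_AGE:      # Requirement 8
        allowed, reason = False, "password older than 30 days"
    elif now - user.last_activity > IDLE_TIMEOUT:         # Requirement 8
        allowed, reason = False, "session idle, re-authentication required"
    else:
        allowed, reason = True, "ok"
    # Requirement 10: every attempt, allowed or denied, is tied to a unique ID.
    audit.append({"ts": now.isoformat(), "user": user.user_id,
                  "resource": resource, "allowed": allowed, "reason": reason})
    return allowed, reason


def demo():
    """Run the checks over constructed sample users; return the audit log."""
    now = datetime(2024, 3, 1, 12, 0)
    users = [  # constructed sample accounts, one per outcome
        User("alice", frozenset({"billing"}), now - timedelta(days=10), now - timedelta(minutes=2)),
        User("bob", frozenset({"marketing"}), now - timedelta(days=1), now),
        User("carol", frozenset({"billing"}), now - timedelta(days=45), now),
        User("dave", frozenset({"chargeback-review"}), now - timedelta(days=3), now - timedelta(minutes=40)),
    ]
    audit = []
    for user in users:
        check_access(user, now, audit)
    return audit
```

Calling `demo()` yields one audit record per user; only alice is allowed, while bob, carol and dave are denied for need-to-know, password age and idle timeout respectively.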

Requirement 11 – Regularly test security systems and processes
By testing your systems, processes, and software on a regular basis, you’ll be able to discover vulnerabilities as they emerge and help your data hosting provider keep your customers’ data safe.

Objective 6 – Maintain an information security policy

Requirement 12 – Maintain a policy that addresses information security
With a strong PCI DSS compliant security policy, your employees will know exactly what is expected of them. Your policy should clearly outline acceptable technology uses, routine processes for risk analysis, and operational security procedures.

The Importance of PCI Compliance 

As a business which accepts debit and credit card transactions, you cannot overlook the importance of PCI compliance. Failure to do so can lead to a variety of serious consequences:

  • Monthly penalties
    If you don’t comply with PCI DSS, you may be liable for a monetary penalty imposed by credit card providers. This penalty can range anywhere from $5,000 to $100,000 per month.
  • Data breaches
    While PCI DSS compliance doesn’t guarantee you’ll never face a data breach, it does reduce the fines you may owe in the event it happens. You’ll need to pay between $50 and $90 for every cardholder whose information has been endangered. You may also have to end your relationship with your bank or payment processor.
  • Damaged reputation
    If your business suffers a data breach, your reputation will likely be on the line. Once the public finds out your customers’ debit and credit card information is at risk, it will be difficult to regain their trust.
  • Revenue loss
    Monthly penalties and a damaged reputation can take a toll on your bottom line. These consequences may lead to a significant reduction in revenue.

How to Achieve PCI Compliance

Merchants who accept debit and credit card payments online are required to meet one of four levels of compliance as part of a PCI DSS assessment. The number of transactions you process each year and your transaction processing history will determine which level you must follow.
These compliance levels can include up to four core requirements:

  • Self Assessment Questionnaires (SAQs)
    The purpose of an SAQ is to prove you’re taking the proper security measures to keep your customers’ cardholder data secure. There are nine different SAQs merchants can choose from, and the way you process credit cards and handle cardholder data will determine which one you need to fill out. 
  • Vulnerability Scans
    Regular vulnerability scans are intended to help you identify potential security flaws. You’ll need to perform internal and external scans on a quarterly basis to ensure your data environment meets current security standards. While internal scans should be done from several locations within your network, external scans, performed from outside your network, must include every external IP address.
  • Attestation of Compliance
    The Attestation of Compliance is a form which indicates you’ve performed validation correctly and confirms your security protocols are compliant. 
  • Reports on Compliance
    The Report on Compliance must be completed by an outside Qualified Security Assessor (QSA) or an internal security resource which holds an up-to-date Internal Security Assessor (ISA) accreditation. It validates the PCI compliance status of your business.

Four Merchant Levels of Compliance

Best Practices for PCI Compliance

If you’d like to ensure PCI compliance, follow these tips:

  • Offer employee training
    It’s difficult to meet PCI compliance standards if your employees are unaware of what they are and why they’re important. Keep them informed through mandatory monthly or quarterly training meetings.
  • Reduce your scope
    PCI compliance will become much more manageable if you reduce your scope: the people, processes, and technologies which store, process, or transmit cardholder data. Isolate the devices handling cardholder data from those that do not.
  • Create a secure network
    A secure network that protects cardholder data is a business necessity. In addition to installing a strong firewall, avoid the use of default passwords and security parameters. Require your employees to change passwords on a regular basis as well.
  • Be patient 
    Unfortunately, it’s impossible to be 100 percent compliant overnight. Focus on one objective at a time so you can achieve incremental progress toward your goal of complete PCI compliance. 

Make PCI Compliance Easy

At first, complying with PCI DSS may seem like an overwhelming endeavor. The good news is it doesn’t have to be. If you’re a merchant, Magento Commerce can help you comply with PCI DSS. It offers integrated payment gateways which make it easy for you to transmit credit card data via direct post API methods or via hosted payment forms served by the payment gateway and integrated with your checkout page.

Since Magento Commerce is certified as a Level 1 Solution provider, you can use the Magento PCI Attestation of Compliance to support your own PCI certification process. For more information on how Magento Commerce can simplify PCI compliance, request a free demo today.