PCI DSS Article 2018: A Comprehensive Overview


The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules and regulations for handling credit card information. It was first introduced in 2004 and has been updated several times since then.

One of the key updates was in 2018, which brought about significant changes to the way businesses handle sensitive payment information. The new standards aimed to improve the security and protection of cardholder data.

The PCI DSS 2018 update introduced 12 main requirements, each designed to address a specific aspect of payment card security. These requirements cover everything from building firewalls and encrypting data to regularly updating software and monitoring for suspicious activity.

Businesses that handle credit card information must comply with the PCI DSS 2018 standards to avoid fines and penalties. Compliance is not optional, and it's essential to stay up-to-date with the latest requirements to protect sensitive data and maintain customer trust.


Scope and Assessments

The scope of PCI DSS assessments has been clarified in the updated requirements, which apply to the system components, people, and processes that store, process, or transmit cardholder data.


To determine the systems that are in scope, you need to identify the Cardholder Data Environment (CDE), which includes system components with unrestricted connectivity to those that store, process, or transmit cardholder data.

The requirements also apply to system components that could impact the security of the CDE, so it's essential to take an inventory of your IT assets and business processes for payment card processing to identify potential vulnerabilities.

Performing an audit to identify cardholder data and analyzing your IT assets and business processes for vulnerabilities is the first step in assessing your PCI compliance.

You can also opt for a self-assessment, where a qualified staff member or corporate officer from your organization performs the audit and signs off to produce a formal PCI DSS Attestation of Compliance package.


Scope of Assessments

The scope of assessments is crucial to understanding what needs to be included in your evaluation of PCI DSS compliance.


To determine the scope, you need to identify the Cardholder Data Environment (CDE), which encompasses the system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data.

The CDE also includes system components that have unrestricted connectivity to system components that store, process, or transmit cardholder data and/or sensitive authentication data, even if they don't store, process, or transmit it themselves.

You must also consider system components, people, and processes that could impact the security of the CDE, which means you need to think about the potential vulnerabilities that could expose sensitive cardholder data.

To get started, perform an audit to identify the cardholder data you're responsible for, and take an inventory of your IT assets and business processes for payment card processing.

Two-Track Approach

The two-track approach is a significant change in PCI DSS version 4.0. Organizations can now choose between a traditional method and a more flexible, customized approach.


Under the Defined Approach, organizations must implement security controls to meet each PCI DSS requirement. This is the traditional method of validating compliance.

The Customized Approach, on the other hand, allows organizations to implement their own controls to meet specific objectives. This approach requires additional documentation to demonstrate compliance.

Organizations using the Customized Approach must perform a targeted risk analysis for each PCI DSS requirement they meet with their own controls. This adds an extra layer of complexity to the compliance process.


Assessors

To ensure PCI compliance, you'll need to work with certified assessors. The PCI Security Standards Council maintains a program to certify companies and individuals to perform assessment activities.

There are three types of certified assessors: Security Assessors, Qualified Security Assessors (QSAs), and Internal Security Assessors (ISAs). QSAs are individuals certified by the PCI Security Standards Council to validate another entity's PCI DSS compliance.

ISAs, on the other hand, are individuals who have earned a certificate from the PCI Security Standards Council for their sponsoring organization. They can conduct PCI self-assessments for their organization and propose security solutions and controls for PCI DSS compliance.


To find the right assessor for your business, look for one that understands your specific needs. PCI QSAs are certified and trained to perform PCI security assessments, but they may have more experience with certain types of businesses.

Ultimately, the goal of an assessor is to help you identify and mitigate potential security risks. By working with a certified assessor, you can ensure that your business is PCI compliant and secure.

Covered Under

Cardholder data is a key focus area for PCI DSS regulations, and it includes primary account numbers (PANs), cardholder name, card service code, and card expiration date.

This data may be stored only while a merchant is waiting for a transaction to be authorized; whenever the PAN is in transit it must be encrypted, and wherever it is stored it must be truncated so that it is unreadable.

Sensitive authentication data, on the other hand, is not to be stored by merchants at any time; it includes full track 1 and track 2 data, the CVV2, CVC2, CID, and CAV2 codes, and PINs.


The only exception is information needed to complete a transaction, such as a PIN or card verification code, which must be completely disposed of once the transaction completes.

Here's a breakdown of the data covered under PCI DSS regulations:

  • Cardholder data (may be stored only while awaiting authorization, encrypted in transit and truncated at rest): primary account number (PAN), cardholder name, service code, and expiration date
  • Sensitive authentication data (not to be stored by merchants; anything needed to complete a transaction is disposed of when it completes): full track 1 and track 2 data, CVV2, CVC2, CID and CAV2 codes, and PINs
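The rules above are easy to state and easy to break in practice: the usual leak is an application log that records a full PAN, a card-verification code or a raw magnetic-stripe swipe. The following scanner is an added example, not code from the article; it checks log lines for PAN candidates (digit runs that pass the Luhn check), for track 1 and track 2 data, and for labelled CVV2/CVC2/CID/CAV2/PIN values, and reports PANs only in truncated form. The first-six/last-four truncation and the log lines are my own constructions, not taken from the page.

```python
"""Added example (not from the article): detect cardholder data and sensitive
authentication data in application logs, reporting PANs only truncated.

Constructed sample input; regexes approximate the formats the article names
(PAN, track 1/2 data, CVV2/CVC2/CID/CAV2, PIN).
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code...>?   Track 2: ;<PAN>=<YYMM><service code...>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
# Labelled sensitive authentication data fields, e.g. "cvv2=123" or "pin: 1234".
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2|pin)\b\s*[=:]\s*\d{3,6}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (a common truncation form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return the Luhn-valid PAN candidates in *text*, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_line(line: str):
    """Return (kind, safe_value) findings for one log line; never echoes raw SAD."""
    findings = [("PAN", truncate_pan(pan)) for pan in find_pans(line)]
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        findings.append(("TRACK_DATA", "<redacted>"))
    for m in SAD_FIELD_RE.finditer(line):
        findings.append((m.group(1).upper(), "<redacted>"))
    return findings


def scan_log(lines):
    """Map 1-based line numbers to findings, omitting clean lines."""
    return {n: f for n, f in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if f}


# Constructed log lines; the card number is a well-known test PAN, not a real account.
LOG_LINES = [
    "2018-06-01 12:00:05 order=ORD-20180601-0001 status=authorized amount=42.10",
    "2018-06-01 12:00:06 DEBUG card=4111 1111 1111 1111 exp=12/25 cvv2=123",
    "2018-06-01 12:00:07 TRACE swipe=%B4111111111111111^DOE/JOHN^2512101?",
    "2018-06-01 12:00:08 INFO token=tok_9f3b2 last4=1111",
]

if __name__ == "__main__":
    for lineno, findings in scan_log(LOG_LINES).items():
        print(lineno, findings)
```

Only lines 2 and 3 are flagged: the order number and timestamps are too short or wrongly separated to pass as a PAN, and the token plus last-four on line 4 is exactly the form the article says is acceptable to keep.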

Encryption and Security

Encryption is a vital aspect of PCI DSS compliance. Requirement 4 requires cardholder data to be encrypted when it is transmitted across open, public networks, which means using appropriate encryption, verifying encryption keys and certificates, and continually checking for encryption vulnerabilities.

Encryption alone is not enough to render cardholder data out of scope for PCI DSS, as stated in the update on encryption and compliance scoping. The entity's environment is still in scope due to the presence of cardholder data. However, if a service provider merely receives and/or stores encrypted data and does not have the ability to decrypt it, the data can largely be considered out of scope.


The following situations are in scope for PCI DSS:

  • systems performing encryption and/or decryption
  • encrypted data not isolated from encryption and decryption processes
  • encrypted data present on a system with the decryption key
  • encrypted data present in the same environment as the decryption key
  • encrypted data accessible to an entity with access to the decryption key
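The scoping rules from the assessment sections and the encryption-scoping rules just listed can be applied mechanically to an asset inventory. The following is an added example, not code from the article or from the PCI Security Standards Council: it classifies each component as CDE, connected-to, security-impacting or out of scope. Component names, environments and network links are constructed; the treatment of connectivity as symmetric and one hop deep is my reading of the text ("unrestricted connectivity to system components that store, process, or transmit"), not something the article spells out.

```python
"""Added example, not from the article: derive the PCI DSS assessment scope
from a constructed asset inventory using the rules the article states.

  * Components that store, process or transmit cardholder data (CHD), and
    components that encrypt/decrypt it or hold the decryption key, form the
    Cardholder Data Environment (CDE).
  * A component holding only encrypted CHD is still in the CDE when it sits in
    the same environment as the decryption key; isolated encrypted data with
    no key access may be treated as out of scope.
  * Components with unrestricted connectivity to a CDE component are in scope
    ("connected-to"), one hop only: segmentation stops scope there.
  * Components that can impact the security of the CDE are in scope.
"""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    environment: str                  # network / trust zone the component lives in
    handles_chd: bool = False         # stores, processes or transmits cleartext CHD
    encrypted_chd_only: bool = False  # holds CHD only in encrypted form
    performs_crypto: bool = False     # encrypts or decrypts CHD
    holds_decryption_key: bool = False
    security_impacting: bool = False  # e.g. directory, patching or logging services
    unrestricted_links: frozenset = frozenset()  # peers reachable with no filtering


def classify_scope(inventory):
    """Return {bucket: set(component names)} for the four scope buckets."""
    names = {c.name for c in inventory}
    # Connectivity is treated as symmetric: an unfiltered path in either
    # direction gives unrestricted connectivity.
    adj = {n: set() for n in names}
    for c in inventory:
        for peer in c.unrestricted_links:
            if peer not in names:
                raise ValueError(f"{c.name} links to unknown component {peer}")
            adj[c.name].add(peer)
            adj[peer].add(c.name)

    key_environments = {c.environment for c in inventory if c.holds_decryption_key}
    cde = set()
    for c in inventory:
        if c.handles_chd or c.performs_crypto or c.holds_decryption_key:
            cde.add(c.name)
        elif c.encrypted_chd_only and c.environment in key_environments:
            cde.add(c.name)  # encrypted data in the same environment as the key

    connected_to = {peer for n in cde for peer in adj[n]} - cde
    security_impacting = {c.name for c in inventory if c.security_impacting} - cde - connected_to
    out_of_scope = names - cde - connected_to - security_impacting
    return {
        "cde": cde,
        "connected_to": connected_to,
        "security_impacting": security_impacting,
        "out_of_scope": out_of_scope,
    }


# Constructed inventory for illustration only.
INVENTORY = [
    Component("pos-terminal", "store", handles_chd=True,
              unrestricted_links=frozenset({"payment-gateway"})),
    Component("payment-gateway", "payments", handles_chd=True, performs_crypto=True,
              holds_decryption_key=True, unrestricted_links=frozenset({"tokens-db"})),
    Component("tokens-db", "payments", encrypted_chd_only=True),   # same zone as the key
    Component("backup-archive", "offsite", encrypted_chd_only=True),  # isolated, no key
    Component("jump-host", "corp", unrestricted_links=frozenset({"payment-gateway"})),
    Component("ad-server", "corp", security_impacting=True),
    Component("marketing-web", "corp", unrestricted_links=frozenset({"jump-host"})),
    Component("hr-laptop", "corp"),
]

if __name__ == "__main__":
    for bucket, members in classify_scope(INVENTORY).items():
        print(f"{bucket:20s} {sorted(members)}")
```

The two encrypted stores illustrate the scoping point from the text: tokens-db shares an environment with the decryption key and stays in the CDE, while the offsite backup archive, holding only ciphertext with no key and no unrestricted path to the CDE, falls out of scope. The marketing web server is two hops from the CDE and is not pulled in, which is the value of segmentation.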

Secure Systems and Applications

To keep your systems and applications secure, put a change management process in place and maintain a process for keeping up to date with newly identified security vulnerabilities and their threat level.

An update server is also crucial, because it lets you install vendor-supplied security patches quickly on all system components.

Installing vendor-supplied security patches on all system components protects them from known vulnerabilities; all security updates should be installed within one month of release.



Setting up a manual or automatic schedule to install the latest security patches for all system components is a good practice. This will help you stay on top of security updates and prevent potential security breaches.

Here are some key steps to follow:

  • Have a change management process
  • Have an update server
  • Keep up-to-date with the latest identified security vulnerabilities and their threat level
  • Install vendor-supplied security patches on all system components
  • Ensure all security updates are installed within one month of release
  • Set up a manual or automatic schedule to install the latest security patches for all system components
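The steps above reduce to two checks an auditor will ask about: was every vendor security patch installed within a month of release, and did each install go through change management. The following is an added example, not code from the article: it evaluates a constructed patch inventory against those two checks as of a chosen date. "One month" is read as 30 days, and the component names, patch identifiers and change tickets are placeholders.

```python
"""Added example, not from the article: audit a constructed patch inventory
against the one-month installation window and the change-management step.

Assumptions: "within one month" is read as 30 days; every record, date and
ticket id below is constructed.
"""
from datetime import date, timedelta

SLA_DAYS = 30  # assumption: one month == 30 days


def patch_status(released, installed, as_of, sla_days=SLA_DAYS):
    """Classify one patch as compliant, late, overdue or pending.

    compliant: installed on or before the deadline
    late:      installed, but after the deadline
    overdue:   not installed and the deadline has passed
    pending:   not installed, deadline still in the future
    """
    deadline = released + timedelta(days=sla_days)
    if installed is not None:
        return "compliant" if installed <= deadline else "late"
    return "overdue" if as_of > deadline else "pending"


def audit_patches(records, as_of):
    """Return {component: [(patch_id, status, issue_or_None), ...]}."""
    report = {}
    for rec in records:
        status = patch_status(rec["released"], rec["installed"], as_of)
        issue = None
        # Change management: an install with no change record is a finding even if on time.
        if rec["installed"] is not None and not rec.get("change_ticket"):
            issue = "installed without a change record"
        report.setdefault(rec["component"], []).append((rec["patch_id"], status, issue))
    return report


def non_compliant(report):
    """Components with any late/overdue patch or any change-management issue."""
    return sorted(
        comp for comp, items in report.items()
        if any(status in ("late", "overdue") or issue for _, status, issue in items)
    )


# Constructed records; patch ids and tickets are placeholders.
RECORDS = [
    {"component": "web-01", "patch_id": "VENDOR-PATCH-A", "released": date(2018, 6, 1),
     "installed": date(2018, 6, 20), "change_ticket": "CHG-1001"},
    {"component": "web-01", "patch_id": "VENDOR-PATCH-B", "released": date(2018, 6, 10),
     "installed": None, "change_ticket": None},
    {"component": "db-01", "patch_id": "VENDOR-PATCH-A", "released": date(2018, 6, 1),
     "installed": date(2018, 7, 5), "change_ticket": "CHG-1002"},
    {"component": "db-01", "patch_id": "VENDOR-PATCH-C", "released": date(2018, 7, 1),
     "installed": None, "change_ticket": None},
    {"component": "pos-gw", "patch_id": "VENDOR-PATCH-C", "released": date(2018, 7, 1),
     "installed": date(2018, 7, 3), "change_ticket": None},
]
AS_OF = date(2018, 7, 15)

if __name__ == "__main__":
    report = audit_patches(RECORDS, AS_OF)
    for comp, items in report.items():
        print(comp, items)
    print("non-compliant:", non_compliant(report))
```

Run against the constructed data, web-01 has an overdue patch, db-01 installed one late, and pos-gw patched promptly but with no change record; only a patch still inside its window (db-01's VENDOR-PATCH-C) is left as pending rather than a finding.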

Credit Monitoring

Credit Monitoring is a crucial aspect of maintaining the security of sensitive information. If a company is suspected of non-compliance, a Common Point of Purchase (CPP) notice can be issued.

This notice requires the company to resolve their credit issues within a limited timeframe. A PCI investigator will review the company's compliance and credit issues.

A CPP notice can be triggered by alleged breaches in a company's security system. This can lead to a thorough investigation and potential penalties if the company is found to be non-compliant.

In this situation, the company must take immediate action to resolve their credit issues and comply with PCI regulations.


Reporting and Validation


Reporting and validation are crucial steps in PCI DSS compliance. Companies must be PCI compliant, and how they prove and report that compliance depends on their annual number of transactions and how those transactions are processed.

Merchant levels are categorized based on annual transactions: Level 1 – over six million transactions, Level 2 – between one and six million transactions, Level 3 – between 20,000 and one million transactions, and Level 4 – less than 20,000 transactions.

Compliance validation involves evaluating and confirming that security controls and procedures have been implemented according to the PCI DSS. This can be done through an annual assessment by an external entity or self-assessment.

Here is a summary of merchant levels:

  • Level 1: over six million transactions per year
  • Level 2: between one and six million transactions per year
  • Level 3: between 20,000 and one million transactions per year
  • Level 4: fewer than 20,000 transactions per year

Formal validation of PCI DSS compliance is not mandatory for all entities, but merchants and service providers must be validated according to the PCI DSS.

Reporting Levels

Reporting levels are determined by the number of transactions processed annually; a merchant's level is assigned by its acquirer or payment brand at their discretion.


There are four merchant levels: Level 1, Level 2, Level 3, and Level 4, each with its own set of requirements.

Here's a breakdown of the merchant levels:

Level 1 merchants, which include those processing over 6 million transactions, must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA).

Level 2 merchants, which include those processing 1 million to 6 million transactions, must complete an annual Self-Assessment Questionnaire (SAQ).

Each card issuer maintains a table of compliance levels and a table for service providers, which can be used to determine a merchant's level and requirements.

Merchants who are placed into a higher level due to a data breach must meet the requirements of their new level, which can include more frequent network scans and a more comprehensive compliance process.


Validation

Validation is a crucial step in ensuring the security of cardholder data. Formal validation of PCI DSS compliance is not mandatory for all entities, but it's required for merchants and service providers who process, store, or transmit cardholder data, and for acquiring banks.


Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS. Visa also offers a Technology Innovation Program (TIP), which allows qualified merchants to discontinue the annual PCI DSS validation assessment.

You can choose to perform your own PCI Compliance Self-Assessment Questionnaire (SAQ) or contract with a certified PCI Qualified Security Assessor (QSA) for validation.

There are different levels of PCI compliance, and the level of validation required varies depending on the number of transactions processed. Level 1 merchants, for example, must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA).

Here's a breakdown of the levels of PCI compliance and the required validation:

  • Level 1: annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Level 2: annual Self-Assessment Questionnaire (SAQ)
  • Levels 3 and 4: Self-Assessment Questionnaire (SAQ), which may be completed internally by a qualified staff member or corporate officer

It's worth noting that issuing banks are not required to undergo PCI DSS validation, but they must secure sensitive data in a PCI DSS-compliant manner.

Self-Assessment and Compliance

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for small to medium-sized merchants and service providers to assess their own PCI DSS compliance status.


There are multiple types of SAQ, each with a different length depending on the entity type and payment model used. Each SAQ question has a yes-or-no answer, and any "no" response requires the entity to indicate its future implementation.

An attestation of compliance (AOC) based on the SAQ is also completed, just like with ROCs.

Formal validation of PCI DSS compliance is not mandatory for all entities, but Visa and Mastercard require merchants and service providers to be validated.

Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner.

To become PCI compliant, you need to follow the 12 PCI DSS Requirements, which are outlined in the PCI DSS roadmap.

The cost of PCI compliance is a pittance compared to the cost of a data breach, and it's simply good data security practice.

You can complete the SAQ, which is a series of yes or no questions to determine your level of compliance with the PCI DSS, and submit your quarterly reports to your required organizations.

Here are the types of entities that are not required to undergo PCI DSS validation:

  • Issuing banks
  • Merchants who take alternative precautions against fraud, such as the use of EMV or point-to-point encryption

Ecommerce and SaaS


Many ecommerce organizations, especially small and medium-sized businesses (SMBs), are turning to Software as a Service (SaaS) platforms to save money and reduce the risk of non-compliance with PCI DSS.

SMBs often classify as Level 3 or Level 4 merchants, but this doesn't mean they should maintain compliance with any less diligence than larger organizations. Non-compliance is as costly as a breach, after which you are required to assess against the Level 1 standard for the next year, including an on-site audit.

To ensure PCI compliance, SaaS platforms should prioritize the following:

  • Transmitting and storing credit or debit card data securely
  • Implementing robust security measures to prevent data breaches

Using a hosted ecommerce service like BigCommerce can be a cost-effective and low-risk option for ecommerce organizations. By paying one monthly fee, you can remain PCI-compliant with a minimum of time and expense.


Third-Party Service Providers

Third-Party Service Providers play a crucial role in the ecommerce and SaaS ecosystem. They can either make or break your PCI compliance.


Entities must manage and oversee third-party service providers that have access to their Cardholder Data Environment (CDE). This includes service providers that manage in-scope system components on the entity's behalf or can impact the security of the entity's CDE.

The entity must perform due diligence, have appropriate agreements in place, allocate responsibility for each requirement, and monitor the compliance of the service provider at least annually.

A third-party service provider does not need to be PCI DSS compliant for its customer to meet the requirement. Where a provider does validate its compliance, it can do so through an annual assessment or through multiple on-demand assessments.

Here are the two options for a third-party service provider to validate their compliance:

  • Annual assessment: The service provider undergoes an annual PCI DSS assessment and provides evidence to its customers to show the service provider meets the applicable PCI DSS requirements.
  • Multiple, on-demand assessments: If a service provider does not undergo an annual PCI DSS assessment, it must undergo assessments upon request of their customers and/or participate in each of its customers' PCI DSS assessments, with the results of each review provided to the respective customer(s).

Multi-tenant service providers, including cloud service providers, are required to implement logical separation to ensure customers cannot access the provider's environment without authorization. They must also confirm the effectiveness of these logical separation controls every six months via penetration testing.


Ecommerce Requirements


To ensure ecommerce PCI compliance, you'll need to determine your required compliance level, which is based on your annual credit or debit card transaction volume. This level will dictate the specific requirements you must meet.

Almost all small and medium-sized businesses (SMBs) classify as Level 3 or Level 4 merchants, but this doesn't mean they shouldn't maintain compliance with the same diligence as larger organizations.

Non-compliance is as costly as a breach, after which you are required to assess against the Level 1 standard for the next year, including an on-site audit.

To determine your required compliance level, you'll need to know your annual transaction volume. Here are the compliance levels and their corresponding transaction volumes:

  • Level 1: over six million transactions annually
  • Level 2: between one and six million transactions annually
  • Level 3: between 20,000 and one million transactions annually
  • Level 4: fewer than 20,000 transactions annually

As a Level 3 or Level 4 merchant, you have the option to perform an internal assessment, but this must be done with a qualified staff member or corporate officer from your organization.

Completing a self-assessment questionnaire for Level 3 and Level 4 merchants is based on the honor system, so be honest and accurate to avoid fines and penalties.

Compliance Costs


Reaching PCI compliance can be a significant undertaking, requiring a substantial amount of time and resources. Merchants attempting to reach compliance themselves can expect to spend upward of 3-4 weeks performing various tasks, including researching the PCI Data Security Standards (DSS) and securing their physical servers.

The costs for doing so can be significant, with merchants needing to budget for outside consultant/auditor fees and provision to hire a third-party Qualified Security Assessor. The estimated costs can range from a few thousand dollars to hundreds of thousands of dollars, depending on the complexity of the undertaking.

Merchants involved in a credit card breach may be subject to fines, card replacement costs, or costly forensic audits. The credit card companies can administer fines to the merchant's bank or similar financial institution ranging from $5,000 to $500,000 per month for PCI compliance violations or breaches.

Banks and payment processors may terminate their relationship with the merchant altogether or simply increase per-transaction processing fees. The fines can be catastrophic to a business, and it's essential to be familiar with your credit card merchant account agreement(s), which should thoroughly outline your exposure.


Here's a breakdown of the estimated costs to reach compliance:

  • Securing a single server: 3-4 business days
  • Completing the PCI SAQ and Attestation of Compliance (AOC): 1-2 weeks
  • Complex undertakings involving more than one onsite data center: 6 weeks or more
  • Budget for outside consultant/auditor fees and provision to hire a third-party Qualified Security Assessor: variable costs

Keep in mind that these estimates factor in some time for multiple staff within your organization and assume some budget for outside consultant/auditor fees. The costs can add up quickly, and it's essential to plan accordingly to avoid potential fines or penalties.

Frequently Asked Questions

What are the 6 major principles of PCI DSS?

To ensure secure payment processing, the 6 major principles of PCI DSS include building a secure network, protecting cardholder data, and implementing strong access controls. These principles also involve regular monitoring and testing, vulnerability management, and maintaining an information security policy.

Adrian Fritsch-Johns

Senior Assigning Editor

Adrian Fritsch-Johns is a seasoned Assigning Editor with a keen eye for compelling content. With a strong background in editorial management, Adrian has a proven track record of identifying and developing high-quality article ideas. In his current role, Adrian has successfully assigned and edited articles on a wide range of topics, including personal finance and customer service.
