
A guide to PCI DSS requirements

Learn about the 12 requirements for PCI DSS compliance, the risks of non-compliance, and why you should care. Then follow our checklist to get started.

Last updated: October 24, 2023

Understanding PCI DSS compliance and its importance for your business

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.  

Companies can maintain PCI DSS compliance either by conducting a self-assessment or through a third-party auditor, depending on the nature of their business and their required level of PCI compliance.


That said, many companies feel it’s not worth investing the time and resources necessary to maintain PCI compliance on their own, so they choose to outsource the handling and storage of card data to a partner (more on this later).

If you’re curious about whether and how to become PCI DSS compliant, this guide is for you. In it, we’ll address the following questions:

  • What is PCI DSS compliance? 
  • How many PCI DSS requirements are there?
  • How to meet PCI DSS guidelines for cardholder data security?

What is PCI DSS, and to whom does it apply?

Payment Card Industry Data Security Standard (PCI DSS) is a list of compliance obligations you must satisfy if you handle cardholder data and/or sensitive authentication data. 

“Cardholder data” includes the following:

  1. Card number
  2. Cardholder name
  3. Card expiration date
  4. Card service code

“Sensitive authentication data” includes the following:

  1. Full track data (found on a magnetic stripe or chip)
  2. Personal identification number (PIN)
  3. Personal identification number (PIN) block

Back in 2004, in an attempt to slow the rise of card fraud, five leading credit-card networks collaborated to design and implement PCI DSS 1.0. Their goal was to ensure that all businesses that handle credit card information maintain a secure environment. Since then, there have been three more versions; the most recent, version 4.0, was released in March 2022.

PCI DSS compliance requirements apply to all entities that handle card data from Visa, Mastercard, Discover, American Express, and JCB International. Companies that are frequently subject to PCI DSS compliance include:

  • Merchants who handle card data (e.g., Walmart, Amazon)
  • Financial apps and services (e.g., Chime, LendingTree) 
  • Payment processors (e.g., PayPal, Square)
  • Companies that make credit cards and debit cards (including virtual cards) available to their customers (e.g., Roofstock, AngelList)

What are the risks of PCI non-compliance?

Many decision makers at tech companies we've spoken with wonder whether they really need to worry about maintaining PCI DSS compliance (and/or outsourcing these obligations to a partner).

The answer is a resounding "yes." Here's why: 

  • Organizations must comply with PCI DSS requirements in order to accept credit- or debit-card payments, and failure to comply can result in fines and a loss of the ability to process card transactions.
  • Digital payments have skyrocketed over the last few years—and so have cyber threats. Non-compliance can increase the risk of data breaches and card fraud. 
  • A breach could also damage your company's reputation and customer trust, leading to loss of business. 

The average cost of a data breach in the United States is $9.44M. Perhaps as a result, the percentage of organizations maintaining full PCI DSS compliance grew from 27.9% in 2019 to 43.4% in 2020, per the Verizon 2022 Payment Security Report (PSR).

On the positive side, PCI compliance helps to provide peace of mind to customers who are concerned about the security of their personal information—especially their financial information. It helps to build your reputation as an organization that values security and takes all steps needed to protect customer data.

PCI compliance can also enable new partnerships and business opportunities, because large companies often require their partners to be PCI DSS compliant. Along with popular frameworks like SOC 2 and NIST, it helps businesses demonstrate a more comprehensive approach to security. (Meeting PCI requirements can also make it easier to achieve these other standards and frameworks.)

What are the 12 PCI DSS requirements?

PCI DSS has 12 requirements that address areas ranging from network security and password management to data protection and access control. 

Some requirements are more challenging than others. In fact, the Verizon 2022 Payment Security Report (PSR) shows higher compliance (90.8%) with requirements that address encryption and access control (numbers 4 and 7, respectively). On the other hand, the requirement to test security, which requires more specialized skills and expertise, has the lowest compliance (60%).

The complete list requires organizations to: 

  1. Secure your network. This first requirement ensures that organizations protect their systems with network security controls.
  2. Apply secure configurations. Examples of applying secure configurations include requiring your employees to change default usernames, passwords, and settings that can be easily guessed.
  3. Protect stored cardholder data. Storage of data should be kept to a minimum, and the length of the retention period should be determined. Mechanisms for protecting stored account data should be implemented; for example, any stored data must be encrypted.
  4. Encrypt transmission of cardholder data over open, public networks. Encryption is the process of converting data into a form that is unreadable unless you have specific cryptographic keys. This way, you limit the likelihood of attackers making use of your data in case they intercept the transmission.
  5. Protect systems and networks from malicious software. Organizations should maintain updated anti-malware software and establish a vulnerability-management program.
  6. Keep systems and software secured and updated. This requirement helps to ensure that organizations are updating and patching their systems.
  7. Restrict access to systems and cardholder data on a business need-to-know basis. Organizations should establish role-based access control and document who has access to cardholder data.
  8. Identify users and authenticate access. Organizations should assign a unique username to every employee, leverage multi-factor authentication, and disable inactive accounts.
  9. Restrict physical access to cardholder data. Organizations are required to restrict access to cardholder data—for example, by implementing physical-access controls at the workplace.
  10. Log and manage access. Establishing log management is critical to track and monitor access to resources and data.
  11. Test security systems and processes regularly. Organizations should run a vulnerability scan and conduct a penetration test as a way to ensure strong security. Scans and penetration tests should be performed by qualified personnel or a third party.
  12. Implement information-security policies. Organizations should document policies and procedures, including risk assessment, awareness training, and incident response plans.
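As an added illustration of requirements 3 and 10 above (example code, not from the original guide or from Unit), the Python below builds the only card record an application should persist: sensitive authentication data is left behind, the PAN is kept only masked and as a keyed one-way hash, and Luhn-valid card numbers are scrubbed out of log lines before they are written. The key, field names and sample inputs are constructed placeholders, and the keyed hash stands in for whichever strong-cryptography method is chosen to render stored PANs unreadable.

```python
import hashlib
import hmac
import re

# Constructed placeholder key (example only); a real key comes from a key-management system.
HASH_KEY = b"placeholder-key-for-example-only"
# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: a 13-19 digit run that passes is treated as a likely card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, the usual PCI DSS masking limit."""
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str):
    """Mask Luhn-valid card numbers in free text such as a log line; returns (text, count)."""
    count = 0

    def sub(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number (e.g. an order id); leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(sub, text), count


def storable_record(card: dict) -> dict:
    """Build the only record that may be persisted from a raw card input: expiry and name are
    copied, cvv/pin/track data are left behind, and the PAN survives only masked and keyed-hashed."""
    digits = re.sub(r"\D", "", card["pan"])
    if not luhn_ok(digits):
        raise ValueError("PAN fails Luhn check")
    token = hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"pan_masked": mask_pan(digits), "pan_token": token,
            "exp": card["exp"], "name": card["name"]}
```

Run `redact_pans` over every line before it reaches a log sink; the count it returns is itself worth alerting on, since any hit means a PAN reached a logging call somewhere upstream.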

There are four merchant levels based on the volume of transactions a business processes annually. Organizations with higher transaction volumes are subject to stricter controls, which require more resources to ensure compliance. But it is important for all businesses to be aware of and comply with the requirements of PCI DSS, regardless of their merchant level.

Three ways to satisfy the requirements of PCI DSS

In general, there are three ways to achieve and maintain PCI DSS compliance. As you’ll see, they vary widely in terms of their time to market, required investment, and required staffing.

  • Do it yourself. Under this model, card data will pass through your system, and you’ll need to achieve and maintain your PCI DSS certification on your own. That will likely involve hiring a full-time security professional. If you’re a level 1 merchant, you’ll also need to pass an onsite assessment conducted by a qualified security assessor (QSA). This can take anywhere from 3 to 12 months, and you’ll need to recertify your compliance annually.
  • Work with a provider who will help you meet PCI requirements. Under this model, you’ll avoid saving or processing any card data on your system, but you’ll still need to implement PCI controls and have your system audited. It involves finding and integrating with a vendor (like Very Good Security) who will process and store card data for you.
  • Partner with a platform that is PCI compliant. Under this model, you partner on all PCI-related activity with a platform that is already PCI compliant. This option is typically the fastest to market and requires the lowest investment of resources.

PCI DSS compliance checklist

If you’ve decided to become PCI DSS compliant on your own, then we recommend the following checklist. 

  1. Assess the current state of your organization's security posture and identify any gaps or deficiencies in relation to the 12 requirements for PCI compliance.
  2. Develop a plan and timeline for implementing PCI DSS controls and safeguards, including any necessary upgrades or changes to your existing infrastructure.
  3. Train your personnel on the requirements of PCI DSS and the importance of protecting cardholder data.
  4. Implement the technical controls and safeguards required by PCI DSS, such as encryption, access controls, and logging and monitoring.
  5. Integrate relevant security tools (e.g., firewalls, endpoint protection) into your development pipeline.
  6. Block deployments that violate your security policies and expose your data and systems to attacks.
  7. Obtain PCI compliance certification. You will need to attest compliance by completing a PCI Self-Assessment Questionnaire (SAQ) or be audited by a Qualified Security Assessor (QSA), depending on your merchant level.
  8. Test your PCI DSS controls regularly after implementation to ensure they are effective and functioning as intended.
  9. Conduct regular internal or external audits and assessments to verify and maintain your organization's compliance with PCI requirements.

Interested in learning more about PCI DSS requirements? Ready to take the next step? We’ve got strong opinions, and we’d love to chat.

Originally published: March 15, 2023

Frequently asked questions

Are there different compliance requirements for fintech?

Fintechs may face specific compliance requirements depending on their particular services and how they handle payment card information. Consult a PCI-certified Qualified Security Assessor (QSA) to understand the specific compliance requirements that apply to your situation.

What does PCI SSC stand for?

PCI SSC stands for Payment Card Industry Security Standards Council. This is the independent body that manages PCI DSS. The standards, however, are enforced by the card brands themselves.


When will the PCI DSS 3.2.1 be retired?

With the release of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) in 2022, PCI DSS v3.2.1 will be retired on March 31, 2024.
