Payment Card Industry (PCI) compliance, specifically PCI data security standard (DSS), is a set of security standards established by the industry to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. By adhering to PCI DSS, businesses enhance and streamline data management, taking into account data development, storage, dissemination, and security. This system of measuring and overseeing compliance was developed by a consortium of key players in the card industry to help reduce fraud and to ensure consistency of processes and operational norms across card issuers.
Why was PCI compliance created?
PCI compliance was born out of a disruption in the payments industry that came about with the advent of e-commerce during the late 1990s and early 2000s. During this disruptive period, many merchants entered into the nascent online shopping arena looking to increase revenues by building a web presence for their brick-and-mortar businesses. With the development of an online marketplace came an increase in the adoption of digital payments. This innovation in payments produced unintended opportunities for crime. Cyber criminals began developing ways to infiltrate card processing systems and payment networks for illegal gains. As this activity became prevalent, the major credit card brands joined forces to develop ways to prevent theft, namely, PCI DSS.
What did the credit card industry initially do to thwart cyber criminal activity?
Initially, when cyber crime first bubbled up as a major issue facing credit card companies, many companies attempted to come up with solutions internally. Visa® made the first attempt at creating a security standard for the payment card industry in the fall of 1999, calling its standard the Cardholder Information Security Program (CISP). CISP failed because Visa struggled with, and was ultimately unsuccessful at, reconciling North American and international security guidelines, and so had trouble streamlining compliance practices for its merchants. Visa wasn’t alone in facing difficulty in creating an industry standard: other brands, including Mastercard®, American Express®, Discover® and JCB®, also made their own attempts and fell short of developing a solution. These failed attempts made it obvious that working in isolation was not the most effective way to solve an industry-wide problem. Instead, beginning in 2001, these same five card companies worked together to develop and enact security standards for the industry. If everyone followed a common protocol, they could band together and put barriers between cyber criminals and cardholder data.
The debut of PCI DSS to combat cyber crime
The delayed development of a security standard meant that cyber criminals were able to grow in numbers and in sophistication, unfettered by a strong cyber-security protocol. A solution became possible only when all five major credit card brands came together to create a comprehensive standard for all merchants in the payments cycle. The result of this collaboration was the PCI DSS standard. On December 15, 2001, the first PCI DSS standard was released, called Version 1.0. Since then there have been regular updates to the standard, the most recent of which, PCI DSS 4.0, was released in March of 2022. PCI DSS 3.2.1 remains active until March 31, 2024, and the majority of new PCI DSS 4.0 requirements are optional until March 31, 2025. This most recent version of PCI DSS addresses emerging security threats, facilitates customized security solutions, and provides clearer guidance on security requirements.
What is the PCI Security Standards Council (PCI SSC)?
The PCI Security Standards Council (PCI SSC) was developed to help manage and drive the process of PCI DSS adoption and sharing of best practices. It was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. PCI DSS had a bit of a rocky start. Many professionals criticized the PCI standard at its inception, complaining of a lack of consistency in audits and assessment processes by qualified service assessors. The standards council was developed to help best respond to merchant concerns and keep communication lines open between all stakeholders. In late 2007 the PCI SSC created an easy and standard method for merchants to achieve PCI compliance, which was quickly followed by the creation of the PA DSS (Payment Application Data Security Standard) which helps developers code secure applications that don’t store sensitive credit card data.
The impact of data breaches on your brand and your customers
While the PCI DSS standard has helped alleviate a high percentage of data breaches and fraudulent activity, cyber crime poses a moving target for regulators as perpetrators develop new ways to infiltrate digital technology. Businesses take this criminal activity seriously because when a data breach occurs both a company’s brand and its customers are impacted, and a breach can create onerous legal fees for a business. One infamous example is the 2013 Black Friday cyber attack on Target, which resulted in the hacking of 110 million customer accounts and $18.5 million in fees across 47 states imposed on Target. The data was hijacked via a third-party vendor that was using less stringent security measures. This allowed the criminals to enter that third-party vendor’s systems and, through that doorway, install malware to gain access to Target POS data. That $18.5 million cost was the result of several state attorneys general suing Target, which also culminated in over $202 million in legal fees. Not included were fees associated with class action lawsuits brought against Target. As a result of the breach, Target lowered its fourth quarter earnings that year and adjusted its sales outlook, seeing an immediate impact on business after the breach announcement. This shift in sales outlook included "meaningfully weaker-than-expected sales since the announcement." After an internal review, Target acknowledged it had been negligent in protecting customer data.
What is a PCI audit and what are the requirements?
A PCI audit involves a thorough examination of the security of your organization's credit-card processing system. There are 12 high-level requirements (Version 4.0) with which your business will need to comply for you to pass a PCI audit:
- Install and Maintain Network Security Controls
- Apply Security Configurations to All System Components
- Protect Stored Account Data
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Protect All Systems and Networks from Malicious Software
- Develop and Maintain Secure Systems and Software
- Restrict Access to System Components and Cardholder Data by Business Need to Know
- Identify Users and Authenticate Access to System Components
- Restrict Physical Access to Cardholder Data
- Log and Monitor All Access to System Components and Cardholder Data
- Test Security of Systems and Networks Regularly
- Support Information Security with Organizational Policies and Programs
How can you best prepare for a PCI audit?
- Make sure your third-party web-hosting provider has a hardened, secure system set up
- Ensure all of your vendor and partner transaction processing hardware and software is PCI DSS compliant
- Schedule audits with your partners and third party vendors every six months to make sure each entity is compliant with PCI DSS standards
- Perform adherence reviews of your security policies and systems on a quarterly basis
- Ensure active security alerts are in place
- Ensure all daily audit logs are functioning properly
Here is a detailed checklist to run through before your audit
- Vendor-supplied default passwords should all be updated with new passwords
- Access should be provided to individuals in a restricted manner - only those for whom access is essential to business operations should be given access
- Use unique user access credentials, and keep the credentials for your system components distinct from those for your network components
- Track and monitor access to network resources and cardholder data
- Any session that includes access to cardholder data should involve detailed audit logs
- For third-party and internal e-commerce environments, put an audit trail system in place
- Protect cardholder data by implementing a firewall configuration
- Make use of malware and anti-virus protections and monitor them
- Disable SSL (all versions) and TLS 1.0 (TLS 1.2 is strongly recommended)
- For all open or public networks, use encryption when transmitting cardholder data
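The access-control and audit-trail items in the checklist above (restricted, need-to-know access; unique rather than shared credentials; an audit trail for every session that touches cardholder data) expressed as a log review, as an added Python example that is not part of the original article. The log format, the policy sets and the sample log lines are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample audit log (not from the original article), in a
# hypothetical "timestamp key=value ..." format an e-commerce app might emit.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z user=alice action=view_pan resource=card/4111 session=s-101
2024-03-01T10:16:40Z user=bob action=view_order resource=order/77 session=s-102
2024-03-01T10:17:05Z user=admin action=export_pan resource=card/4111 session=s-103
2024-03-01T10:18:11Z user=carol action=view_pan resource=card/5500 session=s-104
2024-03-01T10:19:30Z user=alice action=view_pan resource=card/5500
"""

# Hypothetical policy inputs: who has a business need to know for cardholder
# data, which actions touch it, and which account names are shared (not unique).
NEED_TO_KNOW = {"alice"}
CARDHOLDER_ACTIONS = {"view_pan", "export_pan"}
SHARED_ACCOUNTS = {"admin", "root", "svc_shared"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one 'timestamp key=value ...' log line into a dict of fields."""
    ts, *pairs = line.split()
    fields = dict(kv.split("=", 1) for kv in pairs)
    fields["ts"] = ts
    return fields


def review_cardholder_access(log_text: str) -> list[Finding]:
    """Flag cardholder-data accesses that break the checklist items above."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        if ev.get("action") not in CARDHOLDER_ACTIONS:
            continue  # no cardholder data involved; outside this review
        user = ev.get("user", "")
        if user in SHARED_ACCOUNTS:
            findings.append(Finding(no, user, "shared account, not a unique user credential"))
        elif user not in NEED_TO_KNOW:
            findings.append(Finding(no, user, "user has no business need to know"))
        if "session" not in ev:
            findings.append(Finding(no, user, "no session id, access cannot be tied to an audit trail"))
    return findings
```

Running `review_cardholder_access(SAMPLE_LOG)` reports three findings: the shared `admin` export, the `carol` access outside the need-to-know list, and the `alice` access that carries no session id.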
How often do PCI audits occur?
It’s standard practice for businesses to carry out an assessment annually. These assessments can be done one of two ways. Businesses can conduct a self-assessment by visiting the PCI security standards council website and completing a Self-Assessment Questionnaire (SAQ). An annual audit can also be undertaken by hiring an independent professional known as a Qualified Security Assessor (QSA) to facilitate the audit. Many businesses perform quarterly tests such as network scans to keep ahead of potential data breaches and be better prepared for the annual audit.
How do you know if your company should prepare for a PCI audit?
Any merchant involved in processing, storing or transmitting credit card data is required to be PCI compliant, according to the PCI Security Standards Council. There are four different levels of compliance, and your level is determined by the number of card transactions your business processes in a 12-month period. Level One businesses have six million or more transactions a year. Level Two comprises businesses with annual card transactions of between one million and six million. Level Three businesses have annual card transactions of between 20,000 and one million. Level Four houses businesses with annual card transactions of 20,000 or fewer. Each level of compliance has its own unique set of compliance rules.
All companies that accept, process, store, or transmit credit card information can maintain a secure environment for their customers by maintaining PCI compliance, staying up-to-date on the latest preventative measures and conducting regular network scans and annual audits.
Learn more about how WEX payment solutions can be tailored to your business, so you can accelerate and streamline operations while creating lasting growth and success for your organization.
Editorial note: This article was originally published on January 23, 2014, and has been updated for this publication.