PCI compliance refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS). If your entity is a merchant that accepts, processes, transmits, or stores payment card data, the standard applies to it, and your entity should be compliant with PCI DSS in order to protect cardholder data. PCI DSS is not required by federal law; it is enforced contractually by the card brands through the acquiring banks, and several states have also written PCI DSS or similar protections into their own laws.
What is PCI DSS Compliance?
The PCI DSS is a set of six (6) objectives achieved by meeting twelve (12) requirements, and it applies to any entity that accepts, processes, transmits, or stores payment card data, service providers as well as merchants. In 2004, the principal payment card companies banded together to define the minimum security controls a merchant must have in place to prevent theft of cardholder data and to reduce payment card fraud. The Payment Card Industry Security Standards Council (PCI SSC) was formed two years later, in 2006, as the governing body tasked with maintaining and evolving PCI DSS. This article describes PCI DSS 3.2.1, released in May 2018, which was the current version when it was written; PCI DSS v4.0 was published in March 2022, and v3.2.1 was retired on March 31, 2024.
4 Levels of PCI DSS Compliance
There are four (4) merchant levels of PCI DSS compliance, based upon how many payment card transactions the entity processes per year. The thresholds are set by each card brand; the figures below match Visa's merchant levels:
- Level 1 – more than 6 million transactions per year
- Level 2 – between 1 million and 6 million transactions per year
- Level 3 – between 20,000 and 1 million e-commerce transactions per year
- Level 4 – fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year
A merchant that has suffered a data compromise can also be designated Level 1 by the card brands regardless of its transaction volume. The level determines how compliance must be validated, as described later in this article.
Some of the largest data breaches have involved familiar companies such as Marriott, Equifax, Home Depot, and Target. Compliance with PCI DSS helps to reduce merchant risk by addressing the critical security controls whose absence lies behind the most common causes of payment card data breaches.
The six (6) objectives and twelve (12) requirements set by PCI DSS consist of technical and operational controls that help to protect cardholder payment data. A high-level summary of the six (6) objectives and twelve (12) requirements follows.
1. Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration to protect cardholder data (Requirement 1). Build and maintain firewall and router configurations that restrict inbound and outbound traffic to what is necessary for the cardholder data environment (CDE) and deny everything else by default, with a documented business justification for every permitted port and service. Firewalls are devices that control traffic into and out of the entity's network, including into sensitive internal networks. Place public-facing systems in a DMZ and prohibit any direct connection between the Internet and a system in the CDE. Review the rule sets at least every six months so that rules added for one-off needs do not quietly remain open.
Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2). Prevent access to internal networks through the exploitation of default settings and passwords by changing all vendor default passwords (including those on wireless access points and SNMP community strings) and removing or disabling unnecessary default accounts before a system is installed on the network. Develop configuration standards for all system components, based on industry-accepted hardening guides such as the CIS Benchmarks, that enable only the services and protocols each system needs, and update the standards when new vulnerabilities become known. All non-console administrative access should be encrypted using strong cryptography.
2. Protect Cardholder Data
Protect stored cardholder data (Requirement 3). Entities that possess cardholder data, whether printed, processed, transmitted, or stored in any manner, have the responsibility to prevent its unauthorized use. Keep storage to a minimum: retain data no longer than business, legal, or regulatory needs require, and never store sensitive authentication data (full track data, card verification codes such as CVV2/CVC2, or PINs) after authorization, even in encrypted form. Where the primary account number (PAN) is displayed, mask it so that at most the first six and last four digits are visible to anyone without a business need to see the full number. Where the PAN is stored, render it unreadable using one of the methods the standard permits: a one-way hash based on strong cryptography and computed over the entire PAN, truncation, index tokens and pads, or strong encryption with proper key management. If both hashed and truncated versions of the same PAN exist in the environment, additional controls are needed so that the two cannot be correlated to reconstruct the original PAN. Printed sensitive information should be kept in locked filing cabinets and shredded when no longer needed.
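As an added example that is not part of the original article, the following Python script shows the three PAN handling techniques described above in working form: masking for display, truncation for storage, and a keyed one-way hash of the entire PAN. It also scans a few constructed log lines for stray PANs, using the Luhn check digit so that every long number in a log is not flagged. The card numbers (the well-known Visa and Mastercard test numbers), the log lines, and the HMAC key are constructed test data; the first-six/last-four masking and the choice of HMAC-SHA256 are this example's assumptions, not prescriptions from the article.

```python
"""PAN handling helpers illustrating PCI DSS Requirement 3 (example code, not
from the article): masking for display, truncation for storage, a keyed
one-way hash, and a Luhn-based scan for PANs leaking into logs."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed test data: 4111111111111111 and 5555555555554444 are the
# public Visa/Mastercard test numbers, not real cards. A real key would live
# in an HSM or secrets manager, never beside the data it protects.
EXAMPLE_KEY = b"example-hmac-key-not-for-production"
LOG_LINES = [
    "2024-03-01T12:00:00Z INFO checkout order=98231 card=4111-1111-1111-1111 amount=42.10",
    "2024-03-01T12:00:01Z INFO shipment tracking=1234567890123 carrier=ups",
    "2024-03-01T12:00:02Z DEBUG auth_request pan=5555555555554444 status=approved",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands: every second digit
    from the right is doubled (minus 9 if over 9) and the sum must end in 0."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _require_pan(pan: str) -> None:
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 digits")


def mask_pan(pan: str, show_first: int = 0, show_last: int = 4) -> str:
    """Mask for display (Req. 3.3): at most first six and last four visible.
    The default shows only the last four, the usual choice on receipts."""
    _require_pan(pan)
    if not (0 <= show_first <= 6 and 0 <= show_last <= 4):
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    hidden = len(pan) - show_first - show_last
    return pan[:show_first] + "*" * hidden + pan[len(pan) - show_last:]


def truncate_pan(pan: str) -> Dict[str, str]:
    """Truncate for storage (Req. 3.4): keep only the issuer prefix and the last
    four as separate fields; the middle digits are discarded, not masked."""
    _require_pan(pan)
    return {"bin": pan[:6], "last4": pan[-4:]}


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the ENTIRE PAN (Req. 3.4).
    For a 16-digit PAN whose BIN and last four are known, only about 10^5
    candidates remain, so an unkeyed hash can be brute-forced in seconds."""
    _require_pan(pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    return [
        _normalize(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalize(m.group(0)))
    ]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(match):
        digits = _normalize(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(f"{len(find_pans(line))} PAN(s): {redact_line(line)}")
    pan = "4111111111111111"
    print(mask_pan(pan, show_first=6), truncate_pan(pan), hash_pan(pan, EXAMPLE_KEY)[:16])
```

The second log line contains a 13-digit tracking number that the regular expression matches but the Luhn check rejects, which is what keeps a scan like this usable on real logs. The key passed to hash_pan is the whole point of using an HMAC: if the same PAN is also stored truncated, an attacker who knows the first six and last four digits has only six unknown digits (one of them fixed by the Luhn check) to guess, which is why PCI DSS warns against keeping hashed and truncated forms together without extra controls, and why PCI DSS v4.0 requires hashes of PAN to be keyed.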
Encrypt transmission of cardholder data across open, public networks (Requirement 4). Entities transmitting cardholder data across open public networks (the Internet, wireless, cellular, and similar) must encrypt it in transit using strong cryptography and security protocols, accepting only trusted keys and certificates; SSL and early TLS are no longer acceptable under PCI DSS 3.2.1 after June 30, 2018. PAN must never be sent unprotected by end-user messaging technologies such as email, instant messaging, or SMS.
3. Implement a Vulnerability Management Program
Protect all systems against malware and regularly update anti-virus software (Requirement 5). The Home Depot data breach in 2014 was attributable to its point-of-sale systems being infected with memory-scraping malware after the attackers entered the network using a third-party vendor's credentials. The entity needs to protect all systems against malicious software to reduce the risk of exploitation by malware. Anti-virus software should be deployed on all systems commonly affected by malware, including workstations and servers, kept current, run periodic scans, generate audit logs that are retained, and be configured so that users cannot disable or alter it without management authorization.
Develop and maintain secure systems and applications (Requirement 6). Systems and applications should be securely maintained at all times. Identify newly published vulnerabilities (for example by subscribing to vendor and industry alert sources), rank them by risk, and install critical security patches within one month of release and other patches within a reasonable timeframe, in order to minimize the window in which known vulnerabilities can be exploited to gain unauthorized access to cardholder data. Software developed in-house must follow a secure development lifecycle that addresses common coding flaws such as injection, cross-site scripting, and broken authentication, and public-facing web applications must be protected by regular application vulnerability assessments or a web application firewall.
4. Implement Strong Access Control Measures
Restrict access to cardholder data by business need to know (Requirement 7). The Marriott data breach in 2018 was attributable to unauthorized access to the acquired Starwood reservation network that had gone undetected since 2014. Logical and physical access to cardholder data should be granted on a least-privilege basis: the default is to deny all, each user receives only the access needed to perform their job duties, access is reviewed periodically, and it is revoked immediately when a user leaves.
Identify and authenticate access to system components (Requirement 8). Each user should have a unique identification (ID), never a shared or generic account, so that actions on critical system components or cardholder data are attributable to an individual. Credentials must be managed over their lifecycle: under 3.2.1 passwords must have at least seven characters containing both letters and numbers and be changed at least every 90 days, accounts must lock after no more than six failed attempts, and idle sessions must require re-authentication. Multi-factor authentication is required for all non-console administrative access into the cardholder data environment and for all remote network access originating from outside the entity's network, whether by employees, administrators, or third parties.
Restrict physical access to cardholder data (Requirement 9). The Target data breach in 2013 began with network credentials stolen from a third-party HVAC vendor, which the attackers used to reach Target's network and ultimately its point-of-sale systems; it shows that vendor access of every kind, logical as well as physical, must be tightly restricted. Physical access to cardholder data or to the systems that handle it, including paper and electronic media, should be limited to individuals whose job function requires it, in order to prevent unauthorized access to or removal of data. This includes contractors, consultants, vendors, and guests, who should be identified, escorted where appropriate, and have their access revoked promptly when it is no longer needed. Facility entry should be controlled; media should be classified, securely stored, tracked when moved, and destroyed when no longer needed; and card-reading devices should be inventoried and periodically inspected for tampering or substitution.
5. Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data (Requirement 10). Logging and monitoring access to network resources and cardholder data lets the entity tie activity to an individual user, analyze what happened when unauthorized access is detected, and minimize the impact of a data compromise; without these audit trails it is very difficult to identify and trace the events that occurred. Audit logs should capture at least the user identity, event type, date and time, success or failure, origin, and affected resource for all access to cardholder data, all administrator actions, and all invalid logon attempts. System clocks must be synchronized (for example with NTP) so that events can be correlated across systems, and logs must be protected from alteration and copied to a central log server. Logs of critical activity should be reviewed at least daily, using automated tooling where possible, to identify anomalies and suspicious activity in a timely manner, and audit history must be retained for at least one year, with a minimum of three months immediately available for analysis.
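As an added example that is not part of the original article, the following Python script performs the kind of automated daily log review described above over a handful of constructed audit records. It parses key=value audit lines, flags runs of failed logons that should have triggered the lockout of Requirement 8.1.6 (and any successful logon that follows such a run), flags successful logons with shared or generic accounts, which Requirement 8.5 prohibits, and flags reads of cardholder data by users outside an allow list. The log format, host and user names, the six-failure threshold, the generic-account list, and the allow list are this example's assumptions.

```python
"""Daily audit log review illustrating PCI DSS Requirement 10 (example code,
not from the article). Runs offline over constructed key=value audit lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List

# Constructed audit trail: one record per line, ISO-8601 UTC timestamp first,
# then key=value fields. Hosts, users and addresses are fictional.
AUDIT_LOG = """\
2024-03-01T02:14:01Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:07Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:12Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:20Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:26Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:33Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=FAIL
2024-03-01T02:14:40Z host=pos-db1 user=jsmith src=10.20.0.15 event=logon result=OK
2024-03-01T02:15:02Z host=pos-db1 user=jsmith src=10.20.0.15 event=chd_read result=OK object=card_table
2024-03-01T09:03:11Z host=pos-db1 user=root src=10.20.0.9 event=logon result=OK
2024-03-01T09:05:44Z host=pos-db1 user=dba_olee src=10.20.0.9 event=chd_read result=OK object=card_table
2024-03-01T09:06:10Z host=pos-db1 user=mkhan src=10.20.0.31 event=logon result=FAIL
"""

# Assumed list of shared/generic IDs that Req. 8.5 says must not be used for logon.
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "sa", "guest"}


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Parse key=value audit lines into dicts, sorted by event time.
    Accurate ordering depends on synchronized clocks (Req. 10.4)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev: Dict[str, Any] = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events: Iterable[Dict[str, Any]], threshold: int = 6,
                        window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Flag (user, source) pairs reaching `threshold` failed logons inside
    `window` (the lockout limit of Req. 8.1.6), plus a success after such a run."""
    alerts = []
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in events:
        if ev.get("event") != "logon":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if ev["result"] == "FAIL":
            q.append(ev["time"])
            if len(q) == threshold:  # fire once per burst, not on every extra failure
                alerts.append(f"{ev['ts']} {threshold} failed logons for {key[0]} from {key[1]} within {window}")
        elif ev["result"] == "OK" and len(q) >= threshold:
            alerts.append(f"{ev['ts']} successful logon for {key[0]} from {key[1]} after {len(q)} failures")
            q.clear()
    return alerts


def generic_account_logons(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Shared or generic IDs give no individual accountability (Req. 8.5)."""
    return [f"{ev['ts']} generic account {ev['user']} logged on from {ev['src']} on {ev['host']}"
            for ev in events
            if ev.get("event") == "logon" and ev.get("result") == "OK" and ev["user"] in GENERIC_ACCOUNTS]


def unauthorized_chd_access(events: Iterable[Dict[str, Any]], allowed_users) -> List[str]:
    """Every access to cardholder data is logged (Req. 10.2.1); flag reads by
    users who have no business need to know (Req. 7)."""
    return [f"{ev['ts']} {ev['user']} read {ev.get('object', '?')} on {ev['host']} without authorization"
            for ev in events
            if ev.get("event") == "chd_read" and ev["user"] not in allowed_users]


def daily_review(text: str, allowed_users) -> List[str]:
    """Run all checks over one day's log and return the alerts to triage."""
    events = parse_audit_log(text)
    return (failed_logon_bursts(events) + generic_account_logons(events)
            + unauthorized_chd_access(events, allowed_users))


if __name__ == "__main__":
    for alert in daily_review(AUDIT_LOG, allowed_users={"dba_olee"}):
        print(alert)
```

Against the constructed log the review produces four alerts: the six-failure burst for jsmith, the successful logon that immediately follows it, the root logon, and jsmith's read of the card table. A single failed logon (mkhan) and the authorized read by dba_olee produce nothing, which is the point of keeping the review focused on the events Requirement 10 says must be logged. In a real deployment the input would come from the central log server, and each alert would be handed to the incident response process rather than printed.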
Regularly test security systems and processes (Requirement 11). The Equifax data breach in 2017 was attributable to a known vulnerability in the Apache Struts framework used by one of its public-facing web applications, for which a patch had been available for about two months; this is exactly the kind of exposure regular scanning and timely patching are meant to catch. Internal and external network vulnerability scans should be performed at least quarterly and after any significant change, with the external scans run by a PCI SSC Approved Scanning Vendor (ASV); findings rated high or critical must be remediated and rescanned until a passing scan is obtained. Penetration tests covering the cardholder data environment and critical systems, at both the network and application layers, should be conducted at least annually and after significant changes by a qualified tester who is organizationally independent of the systems being tested (a qualified internal team is acceptable; an external third party is not strictly required). Where network segmentation is used to reduce the scope of the CDE, the segmentation controls themselves must be tested at least annually. The requirement also calls for intrusion detection or prevention at the CDE perimeter, a change-detection mechanism such as file integrity monitoring on critical system files, and detection of unauthorized wireless access points. Regular scanning and penetration testing help ensure that security is maintained over time, and critical issues identified should be remediated promptly to prevent unauthorized access.
6. Maintain an Information Security Policy
Maintain a policy that addresses information security for all personnel (Requirement 12). An information security policy should be documented, published, and accessible to all employees so that they are aware of their responsibilities for security and for protecting cardholder data. The policy should be reviewed and updated at least annually, or sooner when regulatory, system, or environmental changes require it, so that it remains pertinent. Personnel should receive security awareness training upon hire and at least annually, and should acknowledge that they have read and understood the policy. The requirement also calls for an annual risk assessment, formal management of service providers with whom cardholder data is shared (including written agreements and monitoring of their PCI DSS compliance status), and a documented incident response plan that is tested at least annually.
How Do You Become PCI DSS Compliant?
Depending upon the entity's PCI DSS compliance level and its acquirer's and card brands' rules, the entity may validate compliance with a self-assessment or may be required to engage a Qualified Security Assessor (QSA). Level 2 through 4 merchants typically complete a Self-Assessment Questionnaire (SAQ); the SAQ type (for example SAQ A for merchants who have fully outsourced card handling, through SAQ D for those who store cardholder data) depends on how the entity accepts cards and determines which requirements apply. Level 1 merchants must obtain a Report on Compliance (ROC) from an independent QSA or, where the card brands allow it, from a PCI SSC-certified Internal Security Assessor (ISA). A QSA is qualified by the PCI SSC to conduct on-site PCI DSS assessments and perform compliance testing; the ROC reports the results of the QSA's on-site review of the entity's processes and controls against the PCI DSS requirements. In either case the entity also signs an Attestation of Compliance (AOC), and merchants with externally facing systems must submit passing quarterly ASV scan results alongside the SAQ or ROC.
If your entity accepts, processes, transmits, or stores payment card data, PCI DSS applies to it. Compliance is a continuous process rather than an annual event: maintaining an accurate picture of where cardholder data flows and resides, assessing potential vulnerabilities that could expose it, remediating the vulnerabilities identified, and reporting compliance results.
The PCI DSS came into being to assist the industry in preventing theft of cardholder data and in reducing fraud in the payment card industry. The controls required for PCI DSS compliance overlap substantially with the controls that help to meet the criteria for a System and Organization Controls (SOC) 2 assessment. A SOC 2 assessment is broader in scope than PCI DSS, so not every SOC 2 criterion corresponds to a PCI DSS requirement; conversely, PCI DSS prescribes specific controls, such as PAN masking and quarterly ASV scans, that the SOC 2 criteria leave to the organization's own design.
Linford and Company assists organizations with SOC 2 assessments among other services such as SOC 1, FedRAMP, HITRUST or HIPAA audits. If you would like to learn more about Linford and Company, please don’t hesitate to contact us.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.