PCI DSS Compliance For Your Business

When you launch an online business that sells products or services — whether it is cat toys or dance lessons — your main focus should be on security. Of course, smart navigation, catchy slogans and pictures of cute animals all help. But the most important thing is the safety of your customers. When you accept payments online, you deal with sensitive information like cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) can help you ensure that you are managing that data securely.
By Roman Denisenko
Security Consultant at DataArt

PCI DSS — What Is It?

PCI DSS is a set of rules that were created by major stakeholders in the payment card industry. Achieving PCI DSS compliance is mandatory for companies that accept debit or credit cards. Even if you are working with third-party gateways like Stripe or PayPal, your business still needs to be PCI compliant. There are different levels of PCI compliance that take into account the number of transactions you process and how the payments are handled. The levels are as follows:

  • Level 1: Any merchant processing more than 6 million payment card transactions per year. The companies that fall into this level must adhere to the strictest and the most detailed PCI DSS compliance requirements. Any business that suffers a data leak can be placed into this level, regardless of how many transactions it processes.
  • Level 2: Any merchant processing between 1 million and 6 million payment card transactions per year.
  • Level 3: Any merchant processing between 20,000 and 1 million e-commerce payment card transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million payment card transactions per year. In contrast to Level 1, Level 4 has the simplest rules and is usually applicable to smaller businesses.

All individuals, processes and technologies involved in the «processing, transmission or storage of cardholder data» are subject to PCI DSS as well. All of these entities are required to erase physical media that contains cardholder information once it is no longer needed for legal or business purposes. This covers digitally processed primary account numbers (PANs) as well as physical artifacts such as receipts and printouts.

How Do I Ensure My Business Is PCI DSS Compliant?

When you are working on achieving PCI DSS compliance for the first time, you may find yourself overwhelmed with tasks. However, if you are thorough in your planning and break your compliance activities down into simple steps, you will be able to make the certification process much easier.

Step 1. Determine the compliance level for your business so that you know which requirements apply. You can either estimate it yourself (based on the level descriptions above) or ask the party requesting certification (usually your bank or payment gateway). You could also use a third-party tokenization service (after confirming that the provider is itself PCI DSS compliant), which allows you to avoid PCI DSS certification entirely.

Practical Tips

Let’s assume we have a small store that uses Stripe and performs 1.1M transactions per year. Customers’ card data is entered via a form on the company’s website and sent directly to the payment gateway. This business would be at Level 3 for PCI DSS compliance, and the applicable questionnaire, SAQ-A-EP, has 191 requirements.

NB: If card data is entered on the provider’s side, either via a redirect from our application to the provider’s payment page or by loading the provider’s payment form in an iframe within our website, you only have to meet the lowest level of PCI compliance and can use the SAQ A form, which contains only 22 requirements.

Step 2. Find out where PANs are accepted, processed, and stored. You should also plan how you will isolate these systems together within a dedicated subnet.

Practical Tips

To reduce the scope and cost of a PCI DSS assessment, network segmentation or isolating the cardholder data environment from the remainder of an entity’s network is strongly recommended.
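Step 2 asks where PANs actually end up, and in practice they leak into places nobody planned for (debug logs, support tickets, database dumps). The following cardholder-data discovery scanner is an added example written for this article, not code from the author or from DataArt: it finds digit runs of 13 to 19 digits in text, keeps only those that pass the Luhn check (which every payment card number does), and reports them masked to first six and last four digits, the maximum PCI DSS allows to be displayed. The log lines it scans are constructed sample data; the card numbers in them are the widely published test numbers, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# as a checkout form or log formatter might write them. The lookarounds stop
# the pattern from matching inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands. Rejects most
    order ids, timestamps and reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six (BIN) and last four, the most PCI DSS permits on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (offset, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_lines(lines):
    """Scan an iterable of text lines (a log file, a DB export) and report
    where PANs appear. The full PAN is never placed in the finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for offset, masked in find_pans(line):
            findings.append({"line": lineno, "offset": offset, "pan_masked": masked})
    return findings


# Constructed sample log lines for this example (test card numbers only).
SAMPLE_LOG = [
    '2021-03-02 10:14:55 checkout order=A1029 card=4111111111111111 status=ok',
    '2021-03-02 10:15:01 debug form={"number": "4242 4242 4242 4242", "exp": "12/24"}',
    '2021-03-02 10:15:07 ref=1234567890123456 note=looks like a card but fails Luhn',
    '2021-03-02 10:15:09 checkout order=A1030 token=tok_visa status=ok',
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```

Run it over your application and web-server logs, database exports and ticketing data; every hit is a system that belongs in the cardholder data environment (or a leak that needs fixing before the assessment). The Luhn filter removes most false positives, but long numeric identifiers can still pass it by chance, so treat hits as leads to verify rather than proof.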

Step 3. Bring the system to a state where it meets all the requirements and where you have implemented necessary infrastructure/organizational changes. The evaluation includes interviews with the company’s employees, an assessment of the information systems and an analysis of internal regulatory documents. An integral part of the audit involves determining the scope of PCI DSS requirements in the information infrastructure of the company. The PCI DSS Self-Assessment Questionnaire can come in handy here. The implementation phase includes equipment and information systems configuration, improving software, installing updates, and modernizing the company’s business processes and information security management.

Practical Tips

In the context of our small store, the steps might involve:

  • Setting up a firewall that isolates the perimeter where cardholder data is retained. This separates it from the rest of the company’s infrastructure and ensures that each service performs only its intended function. It is also important to ensure that card account numbers stored in your database are encrypted and that the data stays secure when transferred outside your company.
  • Log management and log retention: PCI DSS requires audit logs to be retained for one year, with at least the last three months kept in readily accessible storage.
  • Don’t forget to deploy and regularly update antivirus software on all systems.
  • For each requirement, you will need to keep evidence (e.g., architecture diagrams, logs, role matrices, firewall settings, even screenshots) that can be presented if an audit is required.
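The first tip above says stored card numbers must be encrypted; more precisely, PCI DSS (requirement 3.4 in v3.2.1) requires that a stored PAN be rendered unreadable, and it lists truncation, keyed one-way hashes, index tokens and strong encryption with key management as acceptable methods. The following is an added example, not code from the author or from DataArt, of the cheapest approach for a store like the one in this article that does not need the PAN back: it keeps only the last four digits plus an HMAC-SHA256 index over the full PAN, which is enough to recognise a returning card without the full number ever being written to the database. `CardVault`, its index key and the customer ids are assumptions made for this example; in a real deployment the key is a managed secret stored apart from the records.

```python
import hashlib
import hmac
import secrets


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes a checkout form may include and reject
    anything that is not 13-19 digits."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def pan_index(key: bytes, pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the entire PAN. Without the key
    the small PAN space cannot be brute-forced from the index, so the index
    may be stored and used for lookups; it is not reversible."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


class CardVault:
    """Stores card references without keeping the full PAN: truncation
    (last four digits) plus a keyed index. Hypothetical class for this example."""

    def __init__(self, index_key: bytes):
        self._key = index_key      # managed separately from the data in practice
        self._records = {}         # index -> record; stands in for a DB table

    def store(self, customer_id: str, pan: str, expiry: str) -> str:
        digits = normalize_pan(pan)
        idx = pan_index(self._key, digits)
        self._records[idx] = {
            "customer": customer_id,
            "last4": digits[-4:],      # truncation: the only PAN digits kept
            "expiry": expiry,
        }
        return idx

    def find(self, pan: str):
        """Look up a card presented again, e.g. to detect a returning customer."""
        return self._records.get(pan_index(self._key, pan))

    def contains_full_pan(self, pan: str) -> bool:
        """Evidence check for the assessor: the full PAN must not appear
        anywhere in the stored data."""
        return normalize_pan(pan) in repr(self._records)


def masked_for_display(last4: str) -> str:
    """What a customer or support agent may see on screen."""
    return "**** **** **** " + last4


if __name__ == "__main__":
    index_key = secrets.token_bytes(32)          # constructed for this run
    vault = CardVault(index_key)
    vault.store("cust-42", "4111 1111 1111 1111", "12/24")   # test card number
    print(vault.find("4111111111111111"))
    print("full PAN stored:", vault.contains_full_pan("4111111111111111"))
```

If the business does need to charge the card later (recurring billing), neither truncation nor a hash is enough; that is the case for letting the gateway tokenize the card, as Step 1 suggests, so that only the gateway's token is stored and the PAN never enters your environment at all.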

Step 4. Run ASV scanning (if required). Run an automated vulnerability scan of the external network using an Approved Scanning Vendor (ASV). Internal network scanning can be done independently.

Practical Tips

You need to perform a vulnerability scan of external infrastructure (all servers accessible from the internet). If we use our small store example, we can say that it falls under SAQ-A-EP, so it needs ASV scans.

Step 5. Run a penetration test against the external infrastructure (if required). Servers that expose web applications outside the system should also be included in the scope of the testing.

Step 6. Certification. Depending on the level of PCI DSS compliance, you must have a certified QSA/ISA audit performed by a dedicated QSA/ISA specialist, or you must fill out a suitable Self-Assessment Questionnaire confirming that all requirements are met. As a result, a Report on Compliance (ROC) is prepared.

Practical Tips

Don’t forget to collect evidence of compliance with each requirement of the standard (architecture diagrams, role matrices, server configurations, and security policies). This data will be required if there is an unplanned audit, or as proof of your certification if your system is compromised.

Using our small store as an example, only a SAQ-A-EP questionnaire needs to be filled out.

Step 7. Maintain PCI DSS compliance. Set up regular procedures to protect cardholder data according to the requirements of the PCI DSS standard. The requirements are simple:

  • If pentests are required, perform them every six months, or after any significant change to the infrastructure.
  • If ASV scans are required, perform them every quarter, or after any significant change to the infrastructure.
  • Do not forget to ensure that the existing infrastructure and any new parts of it continue to meet the requirements.

What to Expect Moving Forward

The PCI Security Standards Council is currently working on PCI DSS v4.0. The changes will go live in mid-2021. A good starting point is our «Getting Ready for PCI DSS 4.0 with DataArt» white paper, which gives an overview of the main changes expected in version 4.0 and will help you start planning how to achieve compliance.
