As cyber threats evolve, the need for secure processing, storage, and transmission of payment card data becomes a paramount concern. The Payment Card Industry Data Security Standard (PCI DSS) is the gold standard for payment information security, mandated for companies that process online payments.
This article explains everything you need to know about PCI DSS, including its compliance levels and the requirements companies must meet to handle their customers’ data.
What Is PCI DSS?
The Payment Card Industry Standard (PCI DSS) is a globally recognized set of security standards that ensures payment card details are safely accepted, processed, stored, and transmitted online. It is a guideline established by major credit card companies to ensure organizations are equipped to handle data theft, data breaches, and other online vulnerabilities. Companies that are not compliant with PCI DSS risk legal penalties and damaging their reputation with their customers and partners.
Learn more about the differences between security and compliance.
PCI DSS Compliance Levels
There are four levels of PCI DSS compliance. They are determined by the volume of transactions an organization processes annually.
1. PCI DSS Compliance Level 1
Level 1 applies to merchants with over 6 million payment card transactions processed annually across all channels, including ecommerce, mail/phone orders, and in-store purchases. This level also applies to any merchant that has suffered a data breach in the past and resulted in cardholder data being compromised.
PCI DSS Compliance Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who will create a Report on Compliance (ROC). This assessment can also be performed by an internal security assessor (ISA) who will liaise with an external auditor. Level 1 businesses also need to get an Attestation of Compliance (AOC), which confirms the accuracy of the ROC.
Additionally, Level 1 compliance requires quarterly network vulnerability scans and annual penetration testing that is also repeated any time the system undergoes significant changes. These security assessments need to be performed by an Approved Scan Vendor (ASV).
Find out what an IT security policy is, and why every business should have one.
2. PCI DSS Compliance Level 2
Level 2 applies to merchants who process between 1 and 6 million payment card transactions annually across all channels. To be Level 2 compliant, businesses are required to complete the annual PCI Self-Assessment Questionnaire (SAQ) designed for their specific environment and the way they process payments (i.e., card-not-present, POS, ecommerce platforms). They must also conduct quarterly network vulnerability scans by an ASV and complete the AOC Form.
3. PCI DSS Compliance Level 3
Level 3 applies to merchants who process between 20,000 and 1 million online card transactions annually. They are required to complete an annual PCI SAQ specific to their payment processing methods. To achieve compliance, they must also perform quarterly network vulnerability scans by an ASV and fill out the AOC Form.
4. PCI DSS Compliance Level 4
Level 4 applies to merchants who process less than 20,000 online card transactions annually and businesses that process up to 1 million regular payment card transactions during the same period.
Level 4 merchants must complete the annual PCI DSS SAQ, perform quarterly network vulnerability scans by an ASV, and fill out the AOC Form.
Regardless of their PCI DSS compliance level, businesses must ensure the compliance and invincibility of their payment data storage and processing infrastructure.
phoenixNAP's PCI-compliant hosting solutions are trusted by Visa. Discover the optimal hosting solution for your business. Contact us today.
PCI DSS Compliance Requirements
Achieving compliance with PCI DSS standards demands that businesses be aware of the specific requirements that change based on the organization’s size, scope of cardholder data processing, and compliance level.
Below is the list of essential PCI DSS compliance requirements every business should meet:
- Install and maintain firewall configuration. Firewalls protect cardholder data from unauthorized access by creating a barrier between trusted and untrusted networks.
- Do not use vendor-supplied defaults for passwords. Default passwords should immediately be changed to stronger passwords after deploying a system or an application. Also, never use the same password in more than one place.
- Protect stored and transmitted payment card data. All stored and transmitted payment card data must be protected with encryption, multi-factor authentication, or other sophisticated methods that safeguard sensitive information.
- Use and regularly update anti-virus software. This protects systems from malware and other network security threats.
- Develop and maintain secure systems and applications. By regularly updating and patching software and systems, businesses reduce vulnerabilities.
- Enforce strict Identity and Access Management (IAM) policies. Each employee should be given a unique identifier when accessing business computers and other devices. Access to cardholder data should be given on a need-to-know basis to ensure minimal data exposure. This also includes physical access, which must be protected and monitored.
- Regularly track, monitor, and log access. All activities regarding cardholder data should be recorded, logged, and monitored for safety. This also helps when performing mandatory audits.
- Regularly test security systems. By performing vulnerability scans and penetration testing, companies ensure their systems and staff stay vigilant against cyber threats.
- Maintain a strong and clear security policy. Companies should clearly outline the security principles that employees and contractors must follow. This prevents confusion and ensures everyone is aware of the latest security procedures.
- Stay informed. Both PCI DSS standards and security threats evolve. Keep abreast of all the changes that may impact your compliance and cyber security, and inform your staff about it regularly via security awareness training.
Check out our PCI compliance checklist to ensure your business is up to date with the latest payment processing standards, or learn more about PCI DSS 4.0, its implementation mechanisms, and the deadlines for becoming compliant..
PCI DSS, the Payment Processing Security Benchmark
PCI DSS is a set of strict standards every company must adhere to if they want to process and store payment card information safely. All organizations, no matter their size or transaction volume, must ensure compliance with these standards to conduct business safely and protect their customers and assets.
PCI DSS is not the only security standard data centers and hosting solutions must comply with. Learn more about other data center compliance and auditing standards.