Some of the most publicized credit card data breaches have impacted big brands like Equifax, British Airways, Marriott Hotels, Target, and Capital One. But, in reality, small businesses are equally as vulnerable to cyber risks.
To help organizations of all sizes protect cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a global standard to enhance the security of payment account data.
PCI DSS compliance is mandatory for all merchants and service providers, whether you process one or one thousand credit card transactions.
In this article, we break down everything you need to know about PCI DSS and the steps to proving and maintaining compliance.
Our latest webinar on PCI DSS walks you through how to streamline and accelerate your road to compliance.
Let’s start with a bit of background on the PCI DSS framework. While ecommerce dates back to the 1970s, the first versions of the online shopping we know today only emerged in the mid-90s. Amazon and eBay led the way with the launch of their online marketplaces in 1995. Then, once PayPal released its digital payment system three years later, multiple ecommerce sites like Alibaba, IndiaMART, and Etsy began popping up in the years to follow.
These online transactions came with an unintended downside — the rise of data theft and fraud. Cyber criminals quickly found ways to infiltrate payment systems and steal confidential credit card information.
Payment brands responded by implementing security standards to protect their cardholder data. Eventually, the “Big Five” — Mastercard, Visa, American Express, Discovery, and JCB — decided to consolidate efforts and formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006.
The Payment Card Industry Data Security Standards (PCI DSS) was created by the PCI SSC as a guide for entities that store, process, or transmit cardholder data. With established policies and procedures, the PCI DSS sets global standards to secure payment card transactions and protect the personal information of cardholders.
The PCI DSS is not a law, but it applies to all entities involved in the payment card ecosystem. Its compliance is also mandated by most major payment brands. Many jurisdictions, such as Nevada, Minnesota, and Washington, have also elected to incorporate PCI DSS into their regulations. Failure to comply can result in fines, penalties, or card processing restrictions.
PCI DSS compliance is mandatory for merchants, service providers, and any other organization involved in the payment card ecosystem.
PCI DSS defines merchants as “any entity that accepts payment cards bearing the logo of a PCI SSC participating payment brand as payment for goods and/or services.”
Service providers encompass a broader spectrum, including any entity “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.”
An organization can be both a merchant and a service provider. For example, an internet service provider is a merchant that accepts payment cards for monthly bills and is also a service provider if it hosts other merchants as customers.
PCI DSS compliance is mandatory for any entity that deals with cardholder data, but not all requirements will be the same. Factors such as the total number of transactions and particular cardholder data environment will determine the organization’s level and exact compliance requirements.
While each payment brand has their own compliance program and classifications, merchants generally fall into one of four levels:
Service providers are classified into two levels:
* Payment card transactions includes all in-person and online transactions
The PCI DSS outlines six goals and 12 requirements for entities to enhance the security of cardholder data:
Build and maintain a secure network and systems
Protect account data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
There are additional PCI DSS requirements in Appendix A
Note: Every payment brand will also have its own audit requirements.
PCI DSS compliance involves assessing and confirming that the security controls and requirements are sufficiently met by the entity. This involves any of the following PCI SSC qualified industry professionals:
Validation documents are used to convey an entity’s PCI DSS compliance to acquiring banks or payment brands.
Acquiring banks, also referred to as “acquirers” or “merchant banks,” are typically financial institutions that processes payment card transactions for merchants. Payment brands are the card agencies (e.g., Visa, Mastercard, American Express) responsible for implementing and enforcing PCI DSS.
Depending on its classification level or number of transactions, entities are either required to undergo a detailed PCI DSS assessment (performed by a QSA) and submit a Report on Compliance or may be eligible to conduct a self-assessment and submit a Self-Assessment Questionnaire. Both documents are accompanied by an Attestation of Compliance, signed by the entity and the QSA (if applicable).
Quarterly submission of an ASV scan report for network vulnerability scanning may also be required as part of compliance.
Report on Compliance (ROC): A detailed report that documents the results of a PCI DSS on-site assessment performed by QSA. ROCs are more comprehensive than the Self-Assessment Questionnaires, including information about the entity's cardholder data environment, how each requirement was assessed and validated, and samples selected by the QSA.
Self-Assessment Questionnaire (SAQ): An alternate validation report for entities that meet the SAQ Eligibility Criteria and are eligible to conduct self-assessments to satisfy PCI DSS compliance.
SAQs are relatively simpler compared to ROCs and composed of yes-or-no questions. There are nine different SAQs available — eight for merchants and one for service providers — depending on the entity’s environment.
To determine whether an entity is eligible to complete an SAQ and which SAQ is appropriate, it’s best to contact the acquiring bank or payment brand.
Attestation of Compliance (AOC): A declaration of the results of a PCI DSS assessment or audit, completed and signed by the entity and the QSA (if applicable). AOCs are submitted to the acquiring bank or payment brand, along with the ROC, SAQ, and any other documentation.
The table below shows exactly what’s required for each level of PCI compliance:
As you can see, PCI DSS has hundreds of controls and extensive documentation designed to combat data breaches and theft. However, if you’re just starting on your PCI DSS journey, we recommend focusing on a few key points. Here are the four key milestones and estimated timelines to expect on the path to PCI DSS compliance:
Estimated timeline (without Certification Automation): 2-4 months
Estimated timeline (with Certification Automation): 1-3 months
Save an average of one month’s time scoping for PCI DSS compliance, with Certification Automation’s automated scoping wizard that generates required controls, policies, and evidence tasks, and removes duplicative tasks across security frameworks.
Estimated timeline (without Certification Automation): 7-12 months
Estimated timeline (with Certification Automation): 2-6 months
Reduce your assessment time by an average of six months by relying on Certification Automation’s automated readiness assessments, expert guidance, intuitive workflows, and centralized policy distribution and attestation tracking.
3. Third-party audit
Estimated timeline (without Certification Automation): 1-2 months
Estimated timeline (with Certification Automation): 1-2 weeks
Save as many as three weeks on the audit process with a central system of record that controls user access and enables real-time collaboration throughout the evidence collection process.
Estimated timeline (without Certification Automation): 4 months, annually
Estimated timeline (with Certification Automation): 2 months, annually
Save two months every year that you monitor your PCI DSS compliance by automating up to 36% of evidence collection tasks and reinforcing consistent best security practices across your organization.
From the outset, all these PCI DSS controls and compliance requirements can be overwhelming. Just remember that PCI DSS is a standardized framework with a range of tools and actionable steps to protect your cardholder data.
Determining your organization’s level of compliance and its specific validation documents will help simplify the process. OneTrust Certification Automation also delivers built-in expertise and automated integrations to speed up the process and guide you through the steps of your PCI DSS compliance journey.
With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance up to 60%, and obtain certifications 50% faster.