The Payment Card Industry Data Security Standards and PCI Compliance Requirements
To achieve PCI compliance, companies must work with their payment brand(s) or acquirer(s) to determine their specific compliance requirements. The payment brands include American Express, Discover Financial Services, JCB International, MasterCard, Visa Inc., and Visa Europe. It’s important to note that PCI compliance is not a one-time event. Rather, it’s an ongoing process that evolves as payment technology, the organizations that must comply, and the standard itself change over time.
There are 12 requirements laid out in the PCI Data Security Standard (DSS), grouped under six goals: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. These goals are achieved through network architecture, policies, procedures, security management and software design.
PCI Compliance STEP 1: ASSESS
First, entities must identify payment cardholder data, inventory their IT operations and assets, define their methods of payment card processing and locate vulnerabilities. This entails mapping the flow of cardholder data from the beginning to the end of each transaction, including any third parties that process, store or transmit that data on the entity’s behalf.
PCI Compliance STEP 2: REMEDIATE
Next, entities should account for and fix the vulnerabilities found during assessment, and evaluate whether it is absolutely necessary to store cardholder data at all (data that is not stored cannot be stolen). Actions for the remediation step include analyzing network infrastructure, reviewing the results of on-site assessments or SAQs, and applying fixes to unsafe processes and systems.
PCI Compliance STEP 3: REPORT
Last, organizations must submit documentation to the acquiring bank and the card brands with which they do business. This documentation states that the entity has assessed and remediated its operations for PCI DSS compliance. The PCI Security Standards Council (SSC) publishes official reporting templates that have been approved by the payment brands, as well as documentation specific to certain types of entities. Compliance “certificates” issued by Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) companies are not official validation documents; they may accompany the official reports only if it is clearly specified that they are supplementary.
Types of documentation include:
- Attestations of Compliance
- Attestations of Scan Compliance
- Report on Compliance templates
- Self-Assessment Questionnaires (SAQ)
Merchants and processors are required to complete quarterly external vulnerability scans by an ASV, whereas organizations with large transaction volumes must complete a yearly on-site assessment by a QSA, resulting in a Report on Compliance. Small businesses are more likely to need a yearly Attestation of Compliance based on an SAQ. The update from PCI DSS 3.1 to 3.2 added the Designated Entities Supplemental Validation (Appendix A3), which applies only to entities that a payment brand or acquirer designates for additional validation.