The Payment Card Industry Data Security Standard: How to Be PCI Compliant
PCI Compliance Overview
In order to achieve PCI compliance, entities must work with their payment brand(s) or acquirer(s) to determine their specific compliance requirements. Brands and acquirers include American Express, Discover Financial Services, JCB International, MasterCard, Visa Inc., and Visa Europe. It should be noted that PCI compliance is not a one-time event. Rather, it is an ongoing process that evolves as both payment technology and the entities in the industry change.
The PCI Data Security Standard (DSS) lays out 12 requirements. These requirements are meant to protect cardholder data, ensure that vulnerability management programs are maintained, establish firm access control measures, build and maintain secure networks, and ensure that information security policies are maintained. These goals are achieved through network architecture, policies, procedures, security management and software design.
Step 1: Assess
First, entities must identify payment cardholder data, inventory IT operations and assets, define their methods of payment card processing and locate vulnerabilities. This entails identifying the flow of data from the beginning to the end of a transaction, including its interaction with third parties that may process, store or transmit that data.
Step 2: Remediate
Next, entities should account for and fix the vulnerabilities found during assessment, and evaluate whether it is absolutely necessary to store cardholder data at all. Actions for the remediation step include analyzing network infrastructure, reviewing the results of on-site assessments or SAQs, and applying solutions to fix unsafe operations.
Step 3: Report
Last, entities must submit documentation to the acquiring bank and card brands with which they do business. This documentation states that the entity has assessed and remediated its operations for PCI DSS compliance. There are official PCI Security Standards Council (SSC) reporting templates that have been approved by payment brands, as well as documentation more specific to certain types of entities. These additional PCI DSS compliance certificates may be provided by Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) companies, as long as it is clearly specified that they are supplementary documents.
Types of documentation include:
- Attestations of Compliance
- Attestations of Scan Compliance
- Report on Compliance templates
- Self-Assessment Questionnaires (SAQ)
Merchants and processors are required to submit quarterly ASV scan reports, whereas entities with large data flows must complete yearly on-site QSA assessments. Small businesses are more likely to need only a yearly Attestation of Compliance via an SAQ.
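The assessment step above starts with finding where cardholder data actually lives, and the primary account number (PAN) is the element most often found in places it should not be, such as application logs or legacy exports. The following is an added example, not part of the original page or of any PCI SSC tool: a small discovery scanner that flags Luhn-valid PAN candidates in text lines and reports them masked (first six and last four digits) so the scan report itself does not become another copy of cardholder data. The log lines and card numbers are constructed test values.

```python
import re
from typing import Iterable, List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# bounded by non-digits so we do not match inside longer numeric strings.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines (hypothetical application log) for demonstration.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z checkout ok card=4111111111111111 amount=19.99",
    "2024-05-01T10:00:05Z order_id=1234567890123456 status=shipped",
    "2024-05-01T10:00:09Z support call from 555-867-5309 about refund",
    "2024-05-01T10:01:12Z legacy export: 5555 5555 5555 4444 exp=12/26",
]


class PanHit(NamedTuple):
    line_no: int   # 1-based line in the scanned source
    masked: str    # PAN with only first 6 and last 4 digits visible
    source: str    # label of the file or system scanned


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits; never write the full PAN to the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: Iterable[str], source: str = "constructed") -> List[PanHit]:
    """Scan lines for Luhn-valid PAN candidates and return masked hits."""
    hits: List[PanHit] = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):          # drops order ids, timestamps, phone numbers
                hits.append(PanHit(n, mask_pan(digits), source))
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG, "sample-log"):
        print(f"{hit.source}:{hit.line_no}: possible PAN {hit.masked}")
```

Run the same scanner over a real log or export only from a host that is already inside the cardholder data environment, since anything it reads is by definition in scope.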