PCI DSS Compliance Checklist
By Mariana Almeida Marques
As payment digitalisation becomes more widespread than ever, private information and payment data are also more likely to be compromised. These risks don’t concern financial institutions solely, but any company that handles card data. The PCI DSS is a crucial set of standards, established to prevent and reduce fraud whilst ensuring cardholders’ protection. In this article, we discuss what the PCI DSS is, its objectives and its requirements.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of information security standards developed by the PCI Security Standards Council in 2006. It aims to reduce card payment fraud risk and protect cardholder data. This set of standards is mandatory for any company that collects or handles card data and personal information, regardless of company size, the number of transactions or the amount of data it collects. The PCI Security Standards Council (PCI SSC) is an independent body composed of the main card payment brands, which include Visa, Mastercard, American Express and Discover.
Payment security is taken very seriously by customers, so payment fraud can truly damage a company’s reputation. PCI DSS plays an important role in providing companies with the right guidance when it comes to security systems and tools. Compliance with these standards is therefore crucial to ensure that all tools are in place to authenticate and monitor payment and customer data and to prevent and mitigate fraud risks.
What are the PCI Compliance levels?
There are four merchant levels, determined by the number of transactions that companies perform each year. The different levels still have to comply with the same requirements. However, the main difference between them is that level 1 is required to get an on-site external audit, performed either by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor). This auditor then has to submit an RoC (Report on Compliance) to the company’s acquiring banks. Companies in levels 2 to 4 don’t need an external auditor, and can complete a self-assessment questionnaire (SAQ) themselves. Level 2 companies must also complete a Report on Compliance.
PCI levels are defined by:
- Level 1: Merchants with over 6 million transactions annually, or any merchant that has had a data breach
- Level 2: Merchants with between 1 to 6 million transactions annually, across all channels
- Level 3: Merchants with between 20,000 and 1 million online transactions annually
- Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year
The PCI DSS 6 goals and 12 requirements
The requirements of PCI DSS are both technical and operational, all aimed at protecting cardholder data and preventing fraud. These 12 requirements of PCI DSS are divided into 6 goals:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect your systems
The first step to becoming PCI compliant is to install and configure a firewall. By restricting which traffic can reach the systems that hold card data, it makes unauthorised access to your data far harder and contributes to a much safer network overall.
2. Do not use vendor-supplied default settings
These default settings include passwords and other details that are pre-configured by vendors. Because default settings are widely known, they are easy to exploit and put your organisation at a very high risk.
Protect Cardholder Data
3. Protect stored cardholder data
This section details how companies can protect stored cardholder data, including encryption, and how data should be displayed when needed.
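The two things this requirement asks of code that touches a PAN are that it is displayed masked and that it is never stored (logs included) in readable form. The script below is an added example, not code from the article or from Imburse; it assumes the masking rule of showing at most the first six and last four digits, a Luhn check to tell PANs apart from other long numbers, and an HMAC key that in practice would come from a key-management system rather than a constant. The card number used is a constructed test value.

```python
"""Requirement 3 helpers: mask a PAN for display, render it unreadable for storage,
and redact PANs that have leaked into free text such as log lines.
Added example; assumptions are marked in comments."""
import hashlib
import hmac
import re

# Constructed test PAN (a well-known test card number, not a live account).
SAMPLE_PAN = "4111 1111 1111 1111"

# Assumed masking policy: at most first six and last four digits visible.
MAX_FIRST, MAX_LAST = 6, 4

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, used to avoid treating order ids etc. as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = MAX_FIRST, last: int = MAX_LAST) -> str:
    """Return the PAN masked for display, e.g. 411111******1111."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    first, last = min(first, MAX_FIRST), min(last, MAX_LAST)  # policy ceiling
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[-hidden and -last:] if False else \
        digits[:first] + "*" * hidden + digits[len(digits) - last:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup token in storage.
    Assumed: `key` is a secret from a key-management system, never stored with the data."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text with its truncated form."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log line: the PAN should never have reached the log.
SAMPLE_LOG_LINE = "order=1234567890123456 card=4111111111111111 amount=19.99"

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))
    print(pan_reference(SAMPLE_PAN, b"demo-key-from-kms"))
    print(redact_pans(SAMPLE_LOG_LINE))
```

The redaction step is the part most teams miss: a PAN that lands in an application log or crash dump is stored cardholder data, so scrubbing logs at the source counts towards this requirement as much as encrypting the database does.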
4. Encrypt transmission of cardholder data across open, public networks
This requirement aims at ensuring that data is safe when being moved across networks. This includes encrypting data and making sure that the recipient has a valid security certificate.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programmes
Anti-virus software needs to be frequently updated and it needs to cover all known malware. Companies also need to maintain a list of procedures that check for the effectiveness of the anti-virus software used.
6. Develop and maintain secure systems and applications
Similarly to updating your anti-virus software, keeping all security systems and applications patched and up to date stops known vulnerabilities from accumulating in your environment.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
Access to cardholder data should be restricted and accessed only by those who need it to perform their jobs. There should also be defined roles and different permissions based on the information each person needs to access.
8. Assign a unique ID to each person with computer access
Providing each person with a unique ID enables organisations to track which information is seen or used by whom, making it easier to hold people accountable. Users should also have two-factor authentication, as recommended by the PCI DSS.
9. Restrict physical access to cardholder data
If any cardholder data is kept physically in a specific location, access to this location should be as restricted as possible, especially for those outside of the organisation. The location should also be monitored with a video camera.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
Using activity logs to track and monitor access to cardholder data enables companies to have a clearer view of how data is being used and act faster should it be compromised.
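What makes an activity log useful for this requirement is that every record carries enough context to answer who touched which cardholder data, from where, when, and whether it succeeded. The script below is an added example, not code from the article or from Imburse; it assumes a JSON-lines audit format with the fields I read requirement 10 as asking for (user, event type, timestamp, result, origin, affected resource), and a constructed list of users authorised to read cardholder data, which ties the monitoring back to the need-to-know rule of requirement 7.

```python
"""Requirement 10 example: write audit records for access to cardholder data and
run two simple checks over them. Added example; assumptions are marked in comments."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed audit-record fields: user identification, type of event, date and time,
# success or failure, origination of the event, identity of the affected resource.
REQUIRED_FIELDS = ("user", "event", "ts", "result", "origin", "resource")

# Assumed: the only identities allowed to read the cardholder data store (requirement 7).
AUTHORISED_CHD_USERS = {"alice", "chargeback-svc"}
SENSITIVE_RESOURCE = "cardholder_db"


def audit_event(user, event, result, origin, resource, ts=None):
    """Build one JSON-lines audit record. The PAN itself never goes in the log."""
    ts = ts or datetime.now(timezone.utc)
    record = {
        "ts": ts.isoformat(),
        "user": user,           # unique ID per person or service (requirement 8)
        "event": event,         # e.g. "login", "chd.read"
        "result": result,       # "success" or "failure"
        "origin": origin,       # source IP address or hostname
        "resource": resource,   # system, table or record that was touched
    }
    return json.dumps(record, sort_keys=True)


def parse_audit_line(line):
    """Parse one record and reject it if a required field is missing."""
    rec = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    return rec


def is_valid_audit_line(line):
    try:
        parse_audit_line(line)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def find_suspicious(lines, max_failures=3):
    """Flag users with repeated failures and successful cardholder-data reads
    by anyone outside the authorised set."""
    failures = Counter()
    unauthorised = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec["result"] == "failure":
            failures[rec["user"]] += 1
        if (rec["resource"] == SENSITIVE_RESOURCE and rec["result"] == "success"
                and rec["user"] not in AUTHORISED_CHD_USERS):
            unauthorised.append((rec["user"], rec["origin"], rec["ts"]))
    return {
        "repeated_failures": sorted(u for u, n in failures.items() if n >= max_failures),
        "unauthorised_chd_access": unauthorised,
    }


# Constructed sample audit trail.
_T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_event("alice", "chd.read", "success", "10.0.0.5", "cardholder_db", _T0),
    audit_event("bob", "chd.read", "success", "10.0.0.9", "cardholder_db", _T0 + timedelta(minutes=1)),
    audit_event("alice", "login", "failure", "10.0.0.5", "admin-portal", _T0 + timedelta(minutes=2)),
] + [
    audit_event("mallory", "login", "failure", "203.0.113.7", "admin-portal", _T0 + timedelta(minutes=3 + i))
    for i in range(4)
]

if __name__ == "__main__":
    print(json.dumps(find_suspicious(SAMPLE_LOG), indent=2))
```

Both checks are deliberately simple; the point is that neither is possible unless every record is complete, which is why `parse_audit_line` rejects records with missing fields instead of silently skipping them.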
11. Regularly test security systems and processes
Testing security systems and processes regularly enables companies to ensure that their procedures and security tools are working efficiently.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
This requirement includes establishing company policies that address all security components and applications, as well as all possible vulnerabilities.
Imburse can deliver a fully Level 1 PCI compliant solution whilst offering a truly payment provider agnostic ecosystem and highly customizable user interfaces and journeys. Imburse is PCI Level 1 compliant, delivering a suite of services and features that suit a wide set of needs in the enterprise world.
Imburse is a cloud-based middleware connecting large enterprises to the payments ecosystem, regardless of their existing IT infrastructure. Through a single connection to Imburse, enterprises can collect or pay out using a variety of payment technologies and providers around the globe.
In a world where consumers’ payment preferences and technologies are ever-evolving, Imburse works with insurers to future-proof their payment requirements. Regardless of the business area, market, or requirements, Imburse will connect you to your choice of technology and provider.
Reach out to our team below should you want to discuss how Imburse can help you. Our team is happy to show you what our platform can do for your business and offer you a free demo.