What is PCI compliance?
PCI compliance is officially known as the Payment Card Industry Data Security Standard (PCI DSS). It’s a proprietary information security standard for all organizations that store, process or transmit branded credit cards from the major card schemes, including Visa, MasterCard, American Express and Discover.
It’s a universal security standard that was first set up in December 2004, when the credit card companies came together to form the Payment Card Industry Security Standards Council (PCI SSC), the organization behind PCI DSS. The most current PCI DSS (version 3.2) came out in April 2016.
Before the formal security standard was established, each credit card company had its own set of rules and regulations for credit and debit cards. The standard was created to add a level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
Is PCI compliance mandatory for everyone?
By federal law, PCI DSS is not required in the U.S. Some state-level laws refer to PCI DSS directly. For example, in 2009, Nevada incorporated PCI compliance into state law, requiring compliance from merchants doing business in the state and shielding compliant organizations from liability. A similar law was enacted in Washington in 2010; there, PCI compliance was not made mandatory, but, as in Nevada, compliant organizations are shielded from liability.
Even without federal laws, PCI DSS compliance is required by the major credit card schemes once your business reaches a certain size, and there are monetary penalties if organizations remain non-compliant. The fines can range from hundreds to hundreds of thousands of US dollars. Plus, in case of a breach, you’ll be liable for all damages. But since it’s a security issue, you probably shouldn’t skimp on your business’s and customers’ security anyhow.
The road to PCI compliance
PCI DSS is set up in such a way that your responsibilities and requirements increase as you scale up, so you can take it one step at a time as your business grows. The road to PCI compliance consists of a set of hurdles created by three entities:
- The Payment Card Industry Security Standards Council (the organization behind PCI DSS). The PCI SSC created the PCI Data Security Standard (PCI DSS), which contains a laundry list of possible requirements, to make it easier for everyone to understand and comply with a single standard.
- The major credit card companies (Visa, MasterCard, American Express, Discover and JCB)
- Your acquirer bank/payments processor
The major credit card companies and banks can help you identify which of the requirements from the PCI Council’s list you have to adhere to. Ultimately, it will depend on the way you run your business and the number of transactions per credit card company you process per year.
Both banks and credit card companies enforce additional requirements that are not covered by the PCI compliance standard, so you’ll need to be prepared for unforeseen hurdles on a case-by-case basis.
When dealing with PCI DSS requirements, you can either go through the process yourself or get help from a PCI SSC Qualified Security Assessor (QSA), who will do most of the work for you.
Still, it’s a good idea to go through the process at least once to get an overview of what’s required and to make an informed decision. Then, as your organization grows (and it gets increasingly difficult to manage everything by yourself), it makes more sense to bring in expert help.
Now that you understand why you need to be PCI compliant, let’s look at how. We’ll walk you through all of the requirements, starting with the credit card companies’ required levels of compliance. Then we’ll talk about the PCI DSS questionnaires and attestation, and finally about conducting a security/vulnerability scan.
Step 1: Determine your compliance level
To figure out which level of compliance your business falls under, you need to collect data on how many transactions are done with each of the major credit card brands, ideally also separated by channel, e.g. in-store or online.
Unfortunately, the major credit card brands can’t seem to agree on how many levels are required for merchant compliance. For example, Visa has 4 levels of compliance, while MasterCard has 5. And even if the name of the level is the same, the requirements and documentation needed by each credit card company vary.
For example, under the Visa compliance scheme, a Level 3 merchant is a company that has 2,000 to 1 million e-commerce transactions per year. Meanwhile, the same Level 3 for American Express means that you have fewer than 50,000 total transactions with them per year.
Although the levels are named differently, the documentation needed is basically the same. This includes an annual Self-Assessment Questionnaire and a quarterly network scan performed by an Approved Scanning Vendor. Look up the compliance levels for each of the credit card brands to confirm which one applies to you.
Step 2: Complete the self-assessment questionnaire
The PCI DSS Self-Assessment Questionnaire (SAQ) is a set of documents that contain questions based on the requirements of the PCI DSS. In total, there are 12 requirements for compliance that are organized into 6 logically related groups. See the chart below for more details on the most current version (v3.2).
The variant that you need depends on how your organization handles credit card data, if at all. For e-commerce-only setups, the ones to look into are SAQ type A or, alternatively, type A-EP, as described below:
- SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
The key difference between SAQ A and A-EP is in the requirements that you need to fulfill in order to be compliant. Questionnaire A has 20 questions or requirements, while A-EP has over 100. So it’s important that you identify the right questionnaire early on, so you don’t waste time filling out unnecessary paperwork.
As a final note on SAQs, the various versions of the questionnaire contain only the questions or requirements and offer no guidance. If you do need help, open up the PCI DSS source document and follow the requirements from there. That document contains procedures and guidance on all requirements and sub-requirements.
Step 3: Attestation of compliance
After answering the SAQ, you will need to complete the relevant Attestation of Compliance (AOC). This is necessary to validate that you have complied with all the applicable steps. Like the SAQ before it, the AOC has 9 different versions, and you need to complete the one that is relevant to your business. They are attached to the same file as your questionnaire, so you don’t need to find anything extra.
In extraordinary cases, merchants may sometimes also be asked to complete the PCI DSS Designated Entities Supplemental Validation. Examples of organizations that would need this include those storing, processing, or transmitting very large volumes of cardholder data, or businesses that have suffered significant or repeated breaches of cardholder data.
Step 4: Submitting the documents
The final step is to submit your completed SAQ and AOC, along with any other documentation such as ASV scan reports, to your acquirer bank and to the relevant payment brands as requested. Validation of compliance is then performed annually, either by an external Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or via the Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
What About ASV and External Vulnerability Scans?
An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools (ASV scan solutions) that conducts external vulnerability scans to validate adherence to the PCI DSS external scanning requirement.
Whether you need one depends on your situation. If you’re applying for SAQ A-EP, you need it: it’s one of the questions in the form. SAQ/AOC A, on the other hand, doesn’t necessarily require scans by an approved ASV, so from the point of view of SAQ/AOC A an ASV scan is not needed. At the same time, some acquirers (payment providers) have it as one of the requirements to use their services, so it’s important to check with your providers directly even if you are applying for SAQ A. A scanning vendor’s ASV scan solution is tested and approved by the PCI SSC before the ASV is added to the list.
Compliance process summary:
- Determine your compliance level with your bank and the different credit card companies. Remember, each has its own slightly different rules.
- Complete the relevant Self-Assessment Questionnaire according to its instructions.
- Complete the relevant Attestation of Compliance form (contained in your SAQ form).
- If needed, complete and obtain evidence of passing the external vulnerability scans by an approved ASV.
- Submit all of the above and any extra documentation that your acquirer bank, credit card brand and/or payments provider demands.