Any business that accepts credit cards online for good or services rendered needs to comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS comprises of several guidelines that merchants must comply with to protect their customers’ credit card data. However, many companies struggle with security requirements. In most organizations, InfoSec managers are not sure whether their networks and systems fall under the PCI DSS scope.
What is PCI DSS?
PCI DSS is an acronym for Payment Card Industry Data Security Standard. The five major payment card companies created the security standard: Visa, MasterCard, JCB International, Discover Financial Services and American Express, and provides the best practices for handling and storing cardholder data (CHD).
PCI DSS requirements are a series of standards for processing card payments that protect both merchants and consumers. These standards are generally referred to as the Payment Card Data Security Standard.
Understanding Cardholder Data (CHD)
PCI DSS defines cardholder data (CHD) as any information that can identify a person and link them to a credit or debit card. The personally identifiable information (PII) may include the name of the customer and their address.
Apart from PII, cardholder data includes the primary account number (PAN) of the cardholder, together with the card service code and expiration date.
Securing Cardholder Data Environment (CDE)
Cardholder data environment (CDE) refers to any infrastructure or systems that process, transmit or store cardholder data.
The infrastructure includes components such as computers, applications, and networked devices that have direct or indirect contact with cardholder data. These infrastructure components must be PCI DSS compliant.
The PCI standard requires the cardholder data environment to be separated from other systems or components used by your organization. Any devices connecting to the CDE through insecure connections could put your firm at risk of third-party intrusions and, consequently, heavy fines by regulatory bodies.
Overview of the PCI DSS Scope
For your firm to be PCI-compliant, you have to determine the CDE. Make a list of the networks, systems, applications, and devices that interact with CHD and are, therefore, part of the CDE.
All the systems and components that transmit, handle or store CHD in any form should be separated from the other infrastructure and secured according to PCI requirements.
Importance of Creating a Data Flow
It is essential to know the exact steps that data follows when it is transmitted, managed and handled in your IT infrastructure. For example, your network may be set up to store CHD and, at the same time, receive data from a non-cardholder application.
In such a case, the non-cardholder application will have to be secured according to PCI standards since it is in the CDE. If the user is not protected, a malicious intrusion through it can compromise the CDE.
Understanding how data flows in your IT infrastructure is critical to determining the security measures to implement for risk mitigation and prevention.
What is an SAQ?
The PCI Security Standards Council has a Self-Assessment Questionnaire (SAQ) that merchants can fill to review their technology and find out whether they are PCI-compliant. The SAQ limits the CDE and makes it easy to identify which infrastructure components fall under PCI DSS scope.
Merchants that take credit card payments physically at their establishments can use PCI SSC approved point-to-point encryption (P2PE) devices to be PCI DSS compliant. This lower compliance standard applies to merchants that:
- Process payments using PCI DSS-approved P2PE devices
- Have P2PE devices that only interact with their approved Point of Interaction (POI) devices
- Have implemented all the required P2PE controls
- Di not collect, transmit or store electronic cardholder data
- Do not store legacy information electronically
The lower PCI-compliance standard is applicable for brick-and-mortar stores that use PCI-compliant devices and do not store electronic cardholder information in any form.
PCI Compliance Audits
Your organization’s PCI compliance must be overseen by third parties known as Qualified Security Advisors (QSAs). These auditors are trained in PCI compliance and will review your cardholder data environment to ensure it is appropriately secured.
If your organization uses a Software-as-a-Service (SaaS) platform to process payments, the platform is also considered part of the PCI compliance scope if it stores, processes or transmits CHD. For this reason, it is critical to establish whether the payment platform you may want to use is PCI-complaint.
Vendors need to provide the following documentation to prove compliance:
- Independent assessments carried out annually and presented to their customers
- Multiple on-demand evaluations that may be required by users
Use Compliance Software to be PCI-Compliant
You can use various programs to meet your firm’s PCI compliance requirements. The compliance software will act as a single-source-of-information, enabling you to see your current security controls. You can then map your organization’s controls align with PCI DSS requirements.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the IT governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.