4 Steps to PCI DSS Compliance

Merchants Who Accept Credit Cards

Can take these 4 steps to achieve compliance and peace of mind

There were more than 374 million cardholder accounts in the United States as of 2019, according to a credit card survey by the American Bankers Association. The same survey revealed that almost 60% of Americans own a credit card with a ‘cash back’ feature, about 40% own a retail credit card (such as a Target or Costco card), more than 30% own a low-interest card, and some 16% own an airline or other travel rewards card.

Results of a Pew Research Center survey indicate that cash as a payment vehicle is steadily being replaced by the use of credit cards in Americans’ wallets and digital payment apps on their smartphones.

In 2018, the value of credit card transactions in the U.S. was $3.92 trillion. That volume is expected to exceed $4 trillion in 2020 as enforced isolation spurred unprecedented online purchases of goods and services.

Individual names, credit card numbers, and other personal cardholder information are flying across the Internet at breakneck speed—after being scanned and transmitted by all kinds of devices with varying degrees of security. These are the realities of our digital world.

Compliance Offers Many Benefits

Protecting cardholder data and securing these transactions is of paramount importance, and the Payment Card Industry’s Data Security Standard, with its 12 security requirements based on six fundamental security principles, is designed to ensure that protection and security are provided.

Achieving and maintaining compliance with the PCI Data Security Standard offers merchants a number of benefits, including greater peace of mind knowing that cardholder data has been protected and secured in accordance with established payment card industry guidance.

Additional benefits for merchants, and others seeking PCI DSS compliance, include:

1. Avoiding the costs of non-compliance, which may range from fines and fees applied by merchant banks and card payment processors to the termination of bank accounts and card processing contracts.
2. Reducing the odds of experiencing a data breach by reducing the opportunities for data security breaches.
3. Enhancing the credibility and reputation of the merchant business.
4. Increasing customer confidence and loyalty to the business.

These benefits can be enjoyed by any merchant who makes a commitment to achieve and maintain compliance with the PCI Data Security Standard, which can be accomplished in four essential steps.

Four Approved Steps to Compliance

A wealth of useful information is available on the PCI Security Standards Council website, and merchants, service providers, and other entities seeking compliance are urged to explore this information-rich resource.

Among its guidance, the Council emphasizes that compliance with the 12 requirements of the PCI Data Security Standard should be treated as a continuous, ongoing process validated by formal annual assessments, remediation, and reporting.

According to the Council, investigations into data breaches reveal that more than one organization who had passed the annual compliance assessment had inadvertently shifted out of compliance at the time a data breach occurred months later. Use of a PCI DSS task calendar or checklist can add certainty and convenience to the continuous compliance process.

Step 1 – Scoping

Implementing the PCI Data Security Standard and proceeding toward compliance begins with scoping. Scoping is an annual preparatory process that must occur prior to the annual assessment.

Scoping involves identifying all system components that are located within or connected to the cardholder data environment. This environment encompasses the people, processes, and technologies that touch cardholder data or sensitive authentication data.

Scoping requires merchants, and other entities seeking compliance, to identify all locations and flows of cardholder data to ensure that all applicable system components are included in the scope of the assessment to follow. In other words, it provides the foundation for a thorough assessment.

Once scoping has been completed, the PCI Council recommends a three-step process that includes assessing, remediating, and reporting.

Step 2 – Assessing

The assessment is designed to evaluate the security safeguards in place in the cardholder data environment at the merchant’s business. This step includes:

1. Identifying cardholder data acquired, transmitted, and retained by the merchant.
2. Completing an inventory of IT assets and business processes involved in or supporting payment card transactions.
3. Analyzing those assets and processes to discover any vulnerabilities that could affect the security of cardholder data.

The method recommended by the PCI Council for conducting a proper assessment is to employ the services of a Qualified Security Assessor (QSA). A QSA is a firm specializing in data security, cybersecurity, or security compliance who has been qualified by the PCI Council to perform onsite PCI Data Security Standard assessments. QSAs are required to be re-certified every year and are listed on the PCI website.

24By7Security is a Qualified Security Assessor with the expertise and experience to assist merchants and other entities in successfully achieving and maintaining PCI DSS compliance.

A Qualified Security Assessor will complete specific tasks and protocols as part of the assessment. These include:

• Adhering to established procedures for the PCI Data Security Standard assessment.
• Validating the scope of the assessment (identified during scoping in Step 1).
• Verifying all technical information provided by the merchant or other entity undergoing assessment.
• Evaluating compensating controls.
• Providing support and guidance to the merchant during the process.
• Remaining onsite for the duration of the assessment as needed.
• Applying independent judgment based on experience and training to confirm that the Data Security Standard has been met.
• Producing the final Report on Compliance (ROC) for submission to the merchant’s bank or payment processing brand.

Step 3 – Remediating

In this step, vulnerabilities found during the assessment are remediated or remedied. Not only does this step require fixing the vulnerabilities in order to reduce or remove risk, but also eliminating the storage of cardholder data unless it is deemed absolutely necessary. This is one of the foremost principles of cardholder data security.

Remediation actions may vary widely depending on vulnerabilities discovered during the assessment. In broad strokes, they may include developing or implementing tools, procedures, or policies that address specific data security gaps, or they may call for employee training or retraining, or they may require updates to software or hardware. Remediation actions may encompass any element of the cardholder data environment.

If risk mitigation cannot be completed immediately, a remediation plan will be recommended to ensure that the required controls are implemented in order to achieve compliance with the PCI Data Security Standard.

Step 4 – Reporting

The final step of the annual compliance process entails documenting the assessment in a report for submission to the merchant’s bank and payment card processing company. Reports are the official method by which merchants and other entities document their compliance status to the organizations they work with.

Merchants conducting onsite assessments will need to submit a Report on Compliance (ROC) and an Attestation of Compliance (AOC). Report templates are available in the PCI Document Library; choose PCI DSS from the dropdown Filter menu and Reporting Templates and Forms from the Category menu to locate the latest ROC template (191 pages) and AOC template (8 pages).

These required documents can be prepared with the help of the Qualified Security Assessor who conducts the assessment.

For smaller merchants, self-assessment may be an option, and must be documented in a Self-Assessment Questionnaire. This questionnaire includes a series of Yes/No questions for each applicable PCI Data Security Standard requirement. If an answer is No, the merchant may be required to specify a remediation date and remediation actions.

Individual payment card brands retain the authority to modify these requirements, and may require other documentation as well, such as quarterly network scanning or penetration testing reports. Those brands, along with merchant banks, are responsible for compliance enforcement, and each may have its own specific reporting requirements and procedures.

It is best to know exactly what these entity-specific requirements are before beginning the annual compliance process—just as it is useful to understand some of the myths surrounding PCI DSS compliance.

Summary

Credit cards are fast becoming the payment method of choice in the U.S., with 374 million open cardholder accounts and annual transaction volumes approaching $4 trillion. Securing data at every point in the cardholder data environment is not only good business but is required by the self-governing payment card industry.

Merchant banks and credit card processing brands are responsible for enforcing compliance with the PCI Data Security Standard, which can be achieved in the four basic steps recommended by the PCI Security Standards Council.

The Council also evaluates and certifies security firms to serve as Qualified Security Assessors. These QSAs are authorized to assist merchants in assessing the security of their cardholder data environments and reporting on their compliance status and remediation plans to merchant banks and card processing brands. To ensure the most robust security, the PCI Council encourages merchants and others to adopt a program of continuous compliance validated by formal annual assessments, remediation, and reporting.