Cybersecurity Insights

Your Quick Reference Guide to PCI DSS Compliance

Written by Ajay Unni | Apr 11, 2021 2:00:00 PM

All organisations that store, transmit or process cardholder data must fulfil a number of requirements as part of the Payment Card Industry Data Security Standard (PCI DSS). These requirements aim to keep cardholder data secure while it is stored, transmitted and processed, and provide a consistent, global framework for doing so. Data breaches have been a common problem for many years and pose a serious threat to both organisations and cardholders. The PCI DSS applies to merchants, service providers, issuers, processors and all other third parties that handle cardholder data.

Levels of PCI Compliance

Merchants are divided into four levels based on their annual transaction volume, as defined by both Visa Inc. and MasterCard. Transaction volume includes all debit, credit and prepaid transactions carried out by a merchant. Here are the four levels:

Merchant levels and criteria:

Level 1:
  • Any merchant that processes more than 6 million transactions per year, regardless of acceptance channel.
  • Any merchant that has experienced a security breach resulting in data compromise.
Level 2:
  • Any merchant that processes 1 to 6 million transactions per annum.
Level 3:
  • Any merchant that processes 20,000 to 1 million transactions per annum.
Level 4:
  • Any merchant that does not fall under level 1, 2 or 3, regardless of acceptance channel.

Service providers are divided into two levels. According to MasterCard, any Third Party Processor (TPP) is a Level 1 Service Provider, while Data Storage Entities (DSEs) are Level 1 or Level 2 Service Providers depending on their annual volume of MasterCard transactions. For Visa Inc., all service providers that store, process and/or transmit Visa transactions are ranked as Level 1 or Level 2 by annual transaction volume.

Service provider levels and criteria:

Level 1:
  • MasterCard: all Third Party Processors
  • MasterCard: all Data Storage Entities with more than 300,000 total combined annual MasterCard and Maestro transactions
  • Visa: any service provider that stores, processes and/or transmits more than 300,000 Visa transactions per year
Level 2:
  • MasterCard: all DSEs with 300,000 or fewer total combined annual MasterCard and Maestro transactions
  • Visa: any service provider that stores, processes and/or transmits fewer than 300,000 Visa transactions per year

Validation of Compliance at Each Level

Every merchant and service provider must fulfil at least two validation requirements to demonstrate compliance with the PCI DSS. The validation requirements for each level are as follows:

Merchant validation requirements:

Level 1:
  • On-site security audit by a QSA: required annually
  • Network scan by an ASV: required quarterly
  • Self-Assessment Questionnaire (SAQ): not required
  • Third-party payment application validation: required if applicable
Level 2:
  • On-site security audit by a QSA: recommended annually
  • Network scan by an ASV: required quarterly
  • SAQ: required annually if a QSA audit is not performed
  • Third-party payment application validation: required if applicable
Levels 3 and 4:
  • On-site security audit by a QSA: not required
  • Network scan by an ASV: required quarterly
  • SAQ: required annually
  • Third-party payment application validation: required if applicable

Service provider validation requirements:

Level 1:
  • On-site security audit by a QSA: required annually
  • Network scan by an ASV: required quarterly
  • SAQ: not required
  • Third-party payment application validation: required if applicable
Level 2:
  • On-site security audit by a QSA: recommended annually
  • Network scan by an ASV: required quarterly
  • SAQ: required annually if a QSA audit is not performed
  • Third-party payment application validation: required if applicable

Security Controls and Requirements of the PCI DSS

The PCI DSS was developed to enforce secure controls for cardholder data and to promote consistent, worldwide adoption of those controls. An overview of its 6 security controls and 12 requirements is given below:

Security controls and their requirements:

Build and Maintain a Secure Network and Systems:
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data:
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program:
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures:
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks:
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy:
  • Maintain a policy that addresses information security for all personnel

Achieving PCI DSS Compliance

As already mentioned, it is mandatory for all merchants, service providers and third parties involved in storing, processing or transmitting cardholder data to comply with the PCI DSS. Without compliance, these organisations cannot carry out their credit or debit card activities. Although the PCI Security Standards Council manages the PCI DSS, each card brand has its own strategy for enforcing compliance on its clients. Validation requirements vary by card brand, but in general the organisation's level determines which path it must take to achieve PCI DSS compliance.

Usually the following steps must be taken by an organisation in order to achieve PCI DSS compliance:

  1. Determine the scope of the PCI DSS's relevance to the organisation.
  2. Test compliance with the standard on a sample of system components.
  3. Have compensating controls validated by a QSA where the organisation cannot meet a particular requirement because of a technical or business constraint.
  4. Submit the Report on Compliance (ROC) and Attestation of Compliance (AOC).
  5. Clarify any ambiguities in the report, if requested by the acquiring bank.

PCI DSS Requirements Scope

Achieving PCI DSS compliance can be a daunting process, and it becomes much harder if a proper scoping exercise is not done before work on the requirements begins. It is very important for organisations to understand and minimise the scope of the PCI DSS in order to make the process as manageable as possible. The Cardholder Data Environment (CDE) forms the scope of the PCI DSS and consists of the people, processes and technology used for storing, processing and transmitting cardholder data. All system components connected to cardholder data are also in scope: servers, network devices, computer systems, applications and any other components that connect to the CDE.

Once the scope is defined, it must be checked for accuracy to ensure that all flows and locations of cardholder data are included in the scope. The following steps should be carried out:

  1. Identify and document the cardholder data flows in the CDE and verify that no cardholder data exists outside the currently defined CDE.
  2. Any cardholder data found outside the current scope should either be deleted, safely migrated elsewhere or brought into scope.
  3. Keep all documentation showing how the scope was determined so that it can be handed to the assessor for scope verification.

Choosing a Qualified Security Assessor for your PCI DSS Compliance

Once an organisation has taken all necessary measures to implement the PCI DSS on its systems, it needs to engage a Qualified Security Assessor (QSA) to conduct on-site compliance verification and security assessment. QSA firms are trained and certified by the PCI SSC.

The QSA verifies a merchant's compliance with the PCI DSS by completing a Report on Compliance (ROC), which is then sent to the merchant's acquiring bank. The bank forwards it to the relevant card brand to confirm compliance.

Always select a QSA that has experience working with similar organisations and understands your business well. Maintaining goodwill and a long-term relationship with your QSA also helps with ongoing vulnerability assessments and remediation.

Who are we?

StickmanCyber has been certified by the PCI Security Standards Council as a Qualified Security Assessor for the PCI DSS. This was made possible with the help of a hardworking and experienced team, after thorough inspection and scrutiny by the PCI Security Standards Council. We carry out certifications and assessments for merchants, service providers, acquirers and issuers in the Asia-Pacific, Africa and the Middle East.

How can we help you?

As a company certified as a Qualified Security Assessor, we can help you to:

  1. Verify the technical information provided by the merchant
  2. Provide support in achieving compliance
  3. Carry out an independent assessment to confirm compliance
  4. Define the assessment scope
  5. Ensure observance of PCI Security Assessment Procedures
  6. Provide on-site validation of compliance
  7. Evaluate compensating controls
  8. Produce a final report

At Stickman Consulting, we ensure that our clients are equipped with the knowledge, tools and processes needed to develop a secure network. Our specialist team of consultants has years of experience providing services to banks, government, service providers and retailers.

Is your business looking to get PCI DSS compliant? StickmanCyber's PCI DSS compliance service deploys a 5-step methodology to help you build trust with your customers and guarantee secure transactions with PCI DSS Compliance.