PCI DSS Compliance - Requirements and Merchant Levels

If your organization or business accepts payments from any of the five major card brands (American Express, Visa, Mastercard, Discover and JCB), you are required to comply with the PCI DSS. What changes with your annual transaction volume is your merchant level, which determines how you have to validate that compliance each year. Our past blog outlined what PCI DSS is and the benefits of PCI DSS compliance.

In this blog, we share a breakdown of the 12 PCI DSS requirements and the four merchant levels.

6 Goals and 12 Requirements of PCI DSS Compliance

The official PCI Security Standards Council website groups the standard into six goals, met by 12 specific requirements. The requirement titles below use the PCI DSS v3.2.1 wording; v4.0 keeps the same six goals and 12 requirements but rewords several titles (for example, Requirement 1 becomes "Install and maintain network security controls").

They are as follows:

Goal #1 – Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

You’ll need firewalls (and, in practice, network segmentation) that isolate the systems that store, process or transmit cardholder data from the rest of your network and from the internet, with inbound and outbound rules that deny everything not explicitly required. Requirement 2 is broader than passwords: every vendor-supplied default must be changed before a system goes live, including default accounts and passwords, SNMP community strings and default encryption keys, and unnecessary services and accounts should be disabled. Published defaults are the first thing an attacker tries.

Goal #2 – Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 3 starts with data minimisation: store cardholder data only where there is a business need and for no longer than that need lasts, and never store sensitive authentication data (full track data, the CVV2/CVC2 code or PIN blocks) after authorisation, even encrypted. Where the primary account number (PAN) must be stored it has to be rendered unreadable, through truncation, tokenisation, a keyed hash or strong encryption with properly managed keys, and when it is displayed it must be masked so that at most the first six and last four digits are visible to staff who do not need the full number. Logical controls such as authentication and authorisation apply here; physical protection of the servers and media is covered separately under Requirement 9.

Requirement 4 covers data in motion: cardholder data crossing an open or public network (the internet, wireless, cellular) must be protected with strong cryptography, such as a current TLS version with secure cipher suites, and PANs must never be sent unprotected over end-user messaging such as email or chat. Encryption does not eliminate risk (keys, endpoints and the software that handles the plaintext all remain targets), but it removes the network path itself as a place where card data can be read.

Goal #3 – Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Requirement 5 applies to every system commonly affected by malware, such as Windows servers and workstations. Installing anti-malware software is not a one-off: signatures must update automatically, periodic scans must run, its logs must be kept, and users must not be able to disable it. Malware evolves continually, so maintaining these controls is a must.

Requirement 6 is about keeping systems and applications secure over time: track vendor security advisories, install critical security patches within a month of release, follow a secure development process for any in-house code (including change control and separation of test and production environments), and protect public-facing web applications through regular application vulnerability reviews or a web application firewall. If you rely on a hosting provider, confirm its PCI DSS compliance status and document exactly which requirements it covers and which remain yours; that shared-responsibility record is itself required under Requirement 12.

Goal #4 – Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Requirements 7 and 8 are about logical access, and Requirement 9 about physical access. Requirement 7 means access to cardholder data, and to the systems that hold it, is granted only on a need-to-know basis with a default of deny-all; the fewer people and processes that can reach the data, the smaller the chance of an incident.

A unique ID for every user (no shared or generic accounts) means every action can be traced to one person. Requirement 8 also sets the authentication rules that go with it: strong passwords or passphrases, prompt removal of accounts when people leave, lockout after repeated failed logins and multi-factor authentication for all non-console administrative access and all remote access into the cardholder data environment. Restricting physical access includes controlled entry to server rooms (badge or biometric systems), video surveillance with footage retained, visitor logs and secure handling and destruction of media that holds cardholder data.

Goal #5 – Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Requirement 10 means audit logs on every system in the cardholder data environment that record who accessed what and when, including all administrative actions and every access to cardholder data, synchronised to a reliable time source, protected from tampering, reviewed daily and retained for at least a year (with three months immediately available). Requirement 11 means regularly testing that the controls work: quarterly internal and external vulnerability scans (the external ones by an ASV), rescans after significant changes, annual penetration testing of the network and applications, detection of rogue wireless access points and change-detection (file integrity monitoring) on critical files.
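Two of the controls above, masking stored PANs (Requirement 3) and keeping full PANs out of the audit logs you retain for a year (Requirement 10), come down to the same small piece of logic: recognise a card number, then replace it with a form that is safe to keep. The following is an added example, not code from the original article or from StickmanCyber. The log lines are constructed, the card numbers are the public test PANs that any payment gateway documents, and the HMAC key is a placeholder; in production the key would be managed under the Requirement 3 key-management rules, not embedded in code.

```python
import hmac
import hashlib
import re

# Constructed sample audit-log lines. 4111... and 5555... are the public
# test PANs (they pass the Luhn check); 1234567890123456 is a 16-digit
# reference that does not, so it must be left untouched.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:15:02Z order=1001 pan=4111111111111111 amount=19.99",
    "2024-03-01T10:15:07Z order=1002 pan=5555 5555 5555 4444 amount=42.00",
    "2024-03-01T10:15:09Z order=1003 ref=1234567890123456 amount=5.00",
]

# Placeholder key for the example only; a real key lives in an HSM/KMS.
EXAMPLE_HMAC_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: True for a plausible card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display form: first six and last four digits only (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way reference for a PAN, for lookups without storing it.

    A keyed hash (HMAC-SHA256) rather than a bare SHA-256, so that the
    short PAN space cannot be brute-forced from the stored value alone.
    Spaces and dashes are stripped first so formatting does not change
    the reference.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Digit runs that fail Luhn (order references, timestamps) are left as
    they are, so the scrubber does not destroy legitimate identifiers.
    """
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    return PAN_CANDIDATE.sub(_replace, line)


def scrub_log_lines(lines):
    """Scrub a batch of lines; returns the list that is safe to retain."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG_LINES, scrub_log_lines(SAMPLE_LOG_LINES)):
        print(after if before != after else after + "   (unchanged)")
```

Run against the constructed lines, the two real test PANs come out as 411111******1111 and 555555******4444 while the 16-digit reference on the third line is left alone. The Luhn check is what keeps the scrubber from mangling every long number it sees, and the keyed reference is what lets an application match a returning card without a stored PAN to protect.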

Goal #6 – Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors

Incorporating information security into your company’s policies will provide both employees and contractors with a detailed set of guidelines to follow. This will highlight which behaviours are and are not acceptable, how to address potential threats, which procedures to follow and so on.

It’s also smart to educate employees and contractors on information security best practices. A Ponemon Institute report found that careless employees accounted for 56 percent of all data breaches. Equipping these individuals with the right knowledge can be a tremendous asset.

What are the levels of PCI Compliance?

Merchants are divided into four levels based on annual card transaction volume (credit, debit and prepaid). The levels are defined by each card brand rather than by the PCI Security Standards Council; the thresholds below are the Visa and Mastercard ones, which most acquirers apply. A merchant that suffers a data breach may be moved to a higher level by the card brands regardless of its volume.

Level 1 Merchants 

This level consists of merchants that process more than 6 million transactions over a period of 12 months through all channels (card present, card not present, eCommerce). For a global business the count is taken across all regions, so a group total above 6 million can put the entire business at Level 1. Card brands can also place any merchant at Level 1 at their discretion, typically after a breach.

If you are a level 1 merchant you need to:

  1. Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA), or through an internal auditor certified as an Internal Security Assessor (ISA) if the ROC is signed by an officer of the company
  2. Complete quarterly external network scans by an Approved Scanning Vendor (ASV)
  3. Complete the Attestation of Compliance (AOC) form

Level 2 Merchants 

This level consists of merchants who process between 1 million and 6 million transactions over a period of 12 months through all channels (card present, card not present, eCommerce).

If you are a level 2 merchant you need to:

  1. Complete an annual Self-Assessment Questionnaire (SAQ); Mastercard additionally requires a Level 2 merchant's SAQ to be completed by staff holding the ISA certification or by a QSA
  2. Complete quarterly external network scans by an ASV, where the applicable SAQ requires them
  3. Complete the Attestation of Compliance form

Level 3 Merchants 

This level consists of merchants who process between 20,000 and 1 million eCommerce transactions over a period of 12 months.

If you are a level 3 merchant you need to:

  1. Complete an annual Self-Assessment Questionnaire (SAQ)
  2. Complete quarterly external network scans by an ASV, where the applicable SAQ requires them
  3. Complete the Attestation of Compliance form

Level 4 Merchants

This level consists of merchants who process fewer than 20,000 eCommerce transactions annually and no more than 1 million transactions annually across all channels (card present, card not present and eCommerce). Level 4 is where most small businesses sit.

If you are a level 4 merchant you need to:

  1. Complete an annual Self-Assessment Questionnaire (SAQ)
  2. Complete quarterly external network scans by an ASV, where the applicable SAQ requires them
  3. Complete the Attestation of Compliance form

Exact validation requirements for Level 4 are set by your acquirer, which may ask for more than the minimum above.

Identifying what merchant level your organization comes under

Merchants can consult their acquiring bank or payment processor, which assigns the level based on the transaction volumes it sees and usually provides the compliance portal and SAQ tooling used to validate it.

Organizations that fall under levels 1-3 tend to have compliance requirements of higher complexity, mainly because of the size and nature of their business. Many organizations at these levels rely on internal IT, security and compliance teams to implement and monitor their compliance programs.

Small to medium-sized businesses, on the other hand, mostly fall under level 4. Unlike the higher levels, level 4 merchants may find their validation requirements simpler. However, without an internal IT or security team, small to medium-sized businesses can still find it challenging to meet them.

About the SAQ Questionnaire

A Self-Assessment Questionnaire (SAQ) is a self-validation tool for assessing the security of cardholder data. It consists of yes or no questions for each applicable PCI DSS requirement. There are several SAQ types, each matching a particular merchant environment: SAQ A (card-not-present merchants that fully outsource payment functions), SAQ A-EP (eCommerce sites whose page can affect the payment), SAQ B and B-IP (imprint or standalone dial-out and IP-connected terminals), SAQ C and C-VT (payment applications connected to the internet, and virtual terminals), SAQ P2PE (validated point-to-point encryption solutions) and SAQ D for everyone else, which covers all requirements. Choosing the wrong SAQ is a common mistake; the right one is the one whose eligibility criteria your environment actually meets, which your acquirer can confirm.

The Benefits

Besides the obvious advantage of having more secure payment processors and protecting cardholders’ data, there are some distinct benefits that compliance with the PCI DSS can have for your company. Perhaps the biggest relates to finances.

Noncompliance fines can be steep and range anywhere from $5,000 – $500,000 USD depending on the nature of the penalty and the time and resources required to investigate it. You can find further details on noncompliance fines on this resource from Focus on PCI. By staying compliant, you greatly reduce the odds of your organisation getting hit with costly fines.

It’s also important to note that there are other costs that can stem from a data breach, which can include damages from lawsuits, loss of business and so on.

Research found that 60 percent of small to mid-sized businesses end up closing their doors within six months of a data breach. Being compliant can save you from financial backlash and even factor into your company’s longevity.

This is also critical for gaining the trust of your customers. Shoppers are more wary than ever and want to ensure that their sensitive financial and personal information is being safeguarded.

HubSpot even points out that concerns about transaction security are the number two reason for online shopping cart abandonment. PCI compliance and visible diligence about transaction security are a selling point and are likely to increase your overall conversion rate.

Finally, there’s the issue of brand equity. Even a minor data breach can quickly sour your organisation’s reputation. Consumers will become sceptical and may choose to go with competitors with whom they trust.

In a world where nothing is secret and negative press can go viral in hours, protecting your brand reputation is essential.

The Bottom Line

Like it or not, cybercrime and data breaches are a reality for organisations in the 21st century. Although payment cards offer convenience, they also concentrate valuable data in every system that touches them. That’s why the PCI DSS was set into place.

It provides a universal standard for protecting cardholder data and gives companies a detailed sequence of steps to follow. Regardless of size, your organisation is required to comply with the PCI DSS if it stores, processes or transmits customer payment card data.

Doing so protects your customers’ sensitive financial and personal information and significantly minimises the threat of a data breach occurring. At the same time, this mitigates risk for your company as well and can potentially mean the difference between its longevity and going out of business.

Is your business looking to get PCI DSS compliant? StickmanCyber's PCI DSS compliance service deploys a 5-step methodology to help you build trust with your customers and guarantee secure transactions with PCI DSS Compliance.
