The Payment Card Industry (PCI) Security Standards Council (SSC) is an independent body created by Visa, MasterCard, Discover, American Express, and JCB formed in 2006 to develop and enforce standards to protect credit card information. Together, they created the PCI Data Security Standard (DSS), a baseline set of technical and operational requirements which applies to all entities involved in payment card processing.
What are the PCI DSS Requirements
There are 12 requirements in the PCI DSS, but each has sub controls that your organization is required to meet. The 12 top-level requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software programs
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Levels of Compliance
PCI compliance is broken up into two broad categories: merchants and service providers. Merchants are organizations protecting the ways in which they collect, store, and process cardholder data for themselves. The level of compliance for these organizations is determined by their acquiring bank. Service providers are organizations that support merchants, and either have access to cardholder data as part of the merchant’s processes or can impact the security of their cardholder data in some way. For service providers, the compliance requirements are determined by the merchant(s) they support.
Within each of these two categories, there are 4 levels, generally determined by the number of transactions processed. Level 1 merchants and service providers are defined as those with more than 6 million transactions per year or supporting organizations with that many transactions, respectively. Below that, Level 2 is comprised of entities processing 1-6 million transactions, Level 3 entities process 20K to 1M transactions, and Level 4 organizations are those with less than 20K transactions a year. Note that these have to do with the number of transactions, not the dollar amounts of those transactions. An acquiring bank or client can force you into Level 1, even with less transactions than the defined threshold, if they deem your organization to be at a higher risk level, such as if you have had a breach in the past or the dollar value of each individual transaction is substantially higher.
Demonstrating PCI DSS Compliance
Level 1 Merchants and Service Providers
Level 1 Merchants and Service Providers, and organizations in lower levels but deemed a higher risk, are required to have a QSA onsite evaluation. A Qualified Security Assessor (QSA) is an auditor who is trained and certified by the PCI SSC to perform level one assessments. During this type of assessment, the QSA will validate every control in the PCI DSS and attest to your compliance. This will result in a Report on Compliance (RoC) and an accompanying Attestation of Compliance (AOC) signed by your QSA.
Level 2 – 4 Merchants and Service Providers
Merchants and Service Providers below level one are able to prove compliance through a Self Assessment Questionnaire (SAQ). An SAQ mandates the same PCI DSS standards that are found in the RoC, but entities are able to certify themselves. The result of this is an SAQ and accompanying AOC signed by your organization, attesting to your own compliance. Some organizations in this category still have a QSA assist them with this process. This makes sure that your organization is accurately scoping your environment, correctly interpreting the PCI DSS requirements to your specific environment, and provides extra credibility for the resulting SAQ and AOC. In this instance, you would still sign the SAQ but you would also have a QSA sign stating that they assisted you in the process.