Data security is paramount when accepting payments through credit and debit cards and payment processing software. Any organization processing, storing, or sharing cardholder data (CHD) is mandated to abide by the global PCI DSS framework. Implementing the framework’s Requirements can go much more smoothly by outsourcing to an expert third party. Whether you are exploring how to make your website PCI DSS compliant or looking for ways to secure other facets of your enterprise, outsourcing can bring multiple benefits to your business through PCI DSS compliance solutions.
PCI Compliance Outsourcing 101
The PCI DSS guidelines require all covered entities to implement the framework comprehensively. This involves ensuring robust network security, strong data encryption, cloud security, user authentication, and much more. However, organizations can easily face challenges while ensuring complete PCI DSS compliance (e.g., limited in-house PCI DSS expertise, and limited bandwidth for in-house implementation and verification).
Outsourcing your PCI DSS compliance to a third party can be a lifesaver in this case—bringing battle-tested expertise and access to industry-leading tools and processes. But before going ahead and freeing up internal resources, it’s crucial to brush up on the following:
- What is PCI DSS?
- PCI DSS Goals and Requirements
- PCI DSS compliance Levels & reporting
- PCI DSS 4.0’s upcoming changes
- PCI DSS compliance best practices
- Pros and cons of PCI compliance outsourcing
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is one of the most widely applicable compliance frameworks. All companies that store, process, or transmit cardholder data, or are indirectly connected to card payments (such as third-party providers of software services), are bound by its stipulations. Unlike many industry-specific compliance frameworks, the PCI DSS is scoped by payment card data, which most organizations handle daily.
This Standard comprises technical and operational requirements set by the PCI Security Standards Council (SSC), made up of the original founding members (Visa, Mastercard, American Express, Discover, and JCB International) and other stakeholders.
PCI DSS Goals and Requirements
The PCI DSS v3.2.1 consists of six Goals laid out by the SSC, broken down into 12 Requirements aimed at protecting CHD and cardholder data environments (CDEs) by helping organizations implement, operationalize, and maintain the stipulated security controls. They are as follows:
- Build and maintain a secure network
  - R1: Install and maintain a network firewall to guard CHD.
  - R2: Do not use the default passwords and security configurations supplied by vendors.
- Protect CHD on public networks
  - R3: Protect all stored CHD through appropriate safeguards.
  - R4: Encrypt CHD for transmission over open and public networks, which are generally unsecured.
- Implement a Vulnerability Management Program
  - R5: Protect all systems against malware and regularly update anti-virus software.
  - R6: Develop and maintain secure systems and applications from the ground up.
- Establish secure access to CHD
  - R7: Restrict access to CHD on a need-to-know basis.
  - R8: Require all personnel provisioned with access to CHD to authenticate themselves before accessing it.
  - R9: Restrict physical access to CHD to authorized personnel.
- Monitor and test networks regularly
  - R10: Track and monitor all access to CHD and organizational networks 24 hours per day, seven days per week.
  - R11: Periodically test all security systems and protocols to identify and remove vulnerabilities.
- Institute an Information Security policy
  - R12: The final goal and Requirement of the framework requires organizations to implement and regularly update an information security policy covering all personnel.
PCI DSS Compliance Levels & Reporting
The enforcement of PCI DSS primarily occurs through compliance reporting documentation submitted by subject organizations (termed “merchants”). PCI reporting involves providing a combination of documentation to the SSC, depending on the PCI Level applicable to your organization.
Ensuring PCI compliance is just the first step; you also need to ensure you regularly file the appropriate reports proving your compliance.
There are primarily three different reports, one or more of which can apply to your organization:
- Self-Assessment Questionnaire (SAQ) – The SAQ consists of a ‘yes or no’ questionnaire and an Attestation of Compliance (AOC). These two documents (or just the SAQ) are sometimes enough to fulfill your compliance reporting responsibilities.
- Attestation of Compliance (AOC) – The AOC is a legal agreement or verification that you’ve met all your compliance requirements. This report must be completed by an SSC-certified Qualified Security Assessor (QSA), such as RSI Security.
- Report on Compliance (ROC) – The ROC is required for merchants handling the largest annual transaction volumes. ROCs are the reporting documentation completed by a QSA following a comprehensive, on-site audit they’ve conducted of your PCI DSS implementation.
Note that the SAQ is the only reporting documentation that a merchant self-completes. AOC and ROC documentation are both completed by a QSA. Still, merchants should extensively prepare for the respective evaluations to minimize their impact on regular operations.
Whether you need to submit just one or all of these reports depends on your annual transaction volume, which determines your PCI Level. These levels are (generally) as follows:
- Level 1 – Organizations that process more than six million annual transactions, across all sales channels, must submit a ROC and an AOC.
- Level 2 – Organizations processing between one and six million annual transactions must submit a SAQ and an AOC. This includes all sales channels.
- Level 3 – Organizations that process between 20,000 and one million annual e-commerce transactions must submit a SAQ and an AOC. Note that these numbers refer specifically to Visa e-commerce transactions.
- Level 4 – Lastly, organizations processing fewer than 20,000 annual e-commerce transactions through Visa, or up to one million Visa transactions across all channels, must submit a SAQ.
Merchants should note that the credit card companies comprising the SSC sometimes categorize these Levels according to slightly differing transaction volumes or channels (e.g., eCommerce). The Levels above are those set by Visa. Partnering with a QSA is the best method for ensuring your reporting documentation reflects your appropriate Level per each credit card company’s stipulations.
PCI DSS Noncompliance Penalties
There are heavy penalties for non-compliance, enforced by members of the SSC (Visa, Mastercard, etc.):
- $5K-$10K monthly for 1-3 months of non-compliance
- $25K-$50K monthly for 4-6 months of non-compliance
- $50K-$100K monthly for 7+ months of non-compliance
- $50-$90 per customer who is impacted in a data breach
PCI DSS 4.0 – What Is Set To Change?
PCI DSS v3.2.1 has been the most current version of the CHD protection framework since 2018. With the advancements in payment processes since then and the associated security challenges that have arisen, PCI DSS 4.0 is set to come into effect sometime in Q1 2022.
While organizations already compliant with PCI DSS v3.2.1 need not completely rethink their systems and processes, a few significant changes are being introduced to four of the 12 Requirements of the PCI DSS. These additions mainly target new payment methods such as contactless payments and the growing dependence on third-party companies in the payments ecosystem.
The four Requirements of the PCI DSS that will be updated are:
PCI DSS Compliance Best Practices
Whether you decide to outsource your PCI compliance reporting or not, there are a few best practices that should be an integral part of your compliance program. These practices can prove to be some of the most effective PCI DSS compliance solutions you can have in your organization.
A robust network security program is the foundation of protecting CHD and complying with PCI DSS requirements. Implementing a network firewall, keeping anti-virus software updated, encrypting all data on public networks, and maintaining strict data access controls are some of the ways to abide by the various goals and requirements laid out in the PCI DSS.
You should also regularly check for vulnerabilities in your network security and implement modern threat detection protocols to stay ahead of hackers looking to exploit security loopholes. Note that you may choose to search for vulnerabilities more frequently as a best practice, but quarterly scanning is mandated for PCI DSS compliance. Lastly, security patches should be automatically pushed to all devices, including mobile devices.
Data encryption is directly covered in the second goal of the PCI DSS. It mandates that all CHD be end-to-end encrypted when transmitted over public networks. The current standard for data encryption is AES-256. With a 256-bit key, AES is considered computationally infeasible to break by brute force, and no practical attack against a correctly implemented deployment is known.
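The two Requirements under this goal (protect stored CHD, R3; encrypt CHD in transit, R4) translate into concrete code. The following Python is an added example, not code from RSI Security or the PCI SSC: it validates a PAN with the Luhn checksum, renders the stored form unreadable with truncation, display masking (first six and last four digits) and a keyed hash, and builds a TLS client context that refuses anything below TLS 1.2 for the in-transit side. The PAN is the well-known non-issuable test number 4111 1111 1111 1111 and the HMAC key is a placeholder; the standard library has no AES, so the transport leg is shown through the TLS configuration that negotiates an AES-256 cipher suite rather than by calling AES directly.

```python
import hashlib
import hmac
import ssl

# Constructed test PAN: a widely used non-issuable test number, not real cardholder data.
TEST_PAN = "4111111111111111"
# Placeholder key for the keyed hash (assumption); in production this would live in an HSM or key vault.
HASH_KEY = b"example-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped PANs before they enter the cardholder data environment."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the first six and last four digits remain visible."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form for lookups that only need the last four digits."""
    return pan[-4:]


def keyed_pan_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA-256 of the PAN. A keyed hash matters here: the PAN space is small enough
    (known BIN prefix plus Luhn digit) that an unkeyed hash could be recovered by enumeration."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(pan: str, key: bytes = HASH_KEY) -> dict:
    """Builds the record that may be written to disk; the full PAN never appears in it."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_last4": truncate_pan(pan),
        "pan_hmac": keyed_pan_hash(pan, key),
        "display": mask_pan(pan),
    }


def make_tls_context() -> ssl.SSLContext:
    """Client context for sending CHD: certificate and hostname verification on, TLS 1.2 minimum
    (PCI DSS v3.2.1 disallows SSL and early TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_min_version() -> str:
    """Name of the minimum protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return make_tls_context().minimum_version.name


if __name__ == "__main__":
    print(store_record(TEST_PAN))
    print("minimum TLS version:", tls_context_min_version())
```

The record returned by `store_record` is the only thing that should reach persistent storage; the raw PAN stays in memory for the duration of the transaction and is discarded afterwards.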
Multifactor Authentication (MFA)
Multifactor authentication (MFA)—sometimes referred to as “two-factor authentication” (2FA)—is a way to add two or more layers of security to the conventional entry of a username and password. It does so by requiring additional ‘factors’ when personnel verify their identity during login.
Additional factors must be different in nature from those first requested of the user (e.g., something they know compared to something they have) to protect against unauthorized access in case credentials are lost or compromised.
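To make the "different in nature" rule concrete, here is an added Python example (not RSI Security's code) of a login check that accepts a password (something you know) plus a time-based one-time code from an authenticator (something you have) and refuses any combination in which the presented factors fall into the same category. The one-time code follows the HOTP/TOTP algorithms from RFC 4226 and RFC 6238; the seed is the RFC test key, the password and salt are constructed for the example, and the category labels and user record are assumptions of this snippet.

```python
import hashlib
import hmac
import struct
import time

# Factor categories used by the policy (labels chosen for this example).
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed demo credentials: PBKDF2 password hash plus the RFC 4226 test seed.
PBKDF2_ROUNDS = 100_000
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SEED = b"12345678901234567890"


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


DEMO_USER = {"password_hash": hash_password("correct horse"), "totp_seed": DEMO_TOTP_SEED}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(seed, int(at_time) // step, digits)


def verify_totp(seed: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accepts the current code and one step either side to tolerate clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code) for d in range(-window, window + 1))


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["password_hash"], hash_password(password))


def factors_are_independent(categories: list) -> bool:
    """The rule from the text: at least two factors, and no two of the same kind."""
    return len(categories) >= 2 and len(set(categories)) == len(categories)


def authenticate(user: dict, presented: list, at_time: float = None) -> bool:
    """presented is a list of (category, value) pairs. Every factor must verify and the
    set of categories must be independent, otherwise the login is rejected."""
    at_time = time.time() if at_time is None else at_time
    if not factors_are_independent([category for category, _ in presented]):
        return False
    for category, value in presented:
        if category == KNOWLEDGE:
            ok = verify_password(user, value)
        elif category == POSSESSION:
            ok = verify_totp(user["totp_seed"], value, at_time)
        else:
            ok = False  # inherence (biometrics) is out of scope for this example
        if not ok:
            return False
    return True


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_TOTP_SEED, now)
    print("login accepted:", authenticate(DEMO_USER, [(KNOWLEDGE, "correct horse"), (POSSESSION, code)], now))
    print("same-category pair rejected:", not authenticate(
        DEMO_USER, [(KNOWLEDGE, "correct horse"), (KNOWLEDGE, "correct horse")], now))
```

The category check runs before any factor is verified, so a client cannot satisfy the policy by presenting the same password twice, and the constant-time comparisons keep the verification from leaking how many characters of a code matched.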
Whenever organizational data utilizes cloud environments or services, additional security controls must be implemented to ensure comprehensive data security. The strategies used to protect data from unauthorized access on the cloud are unique to this environment.
Vulnerability assessment, continuous threat monitoring, threat detection and response, and web application security are only some of the pillars of a successful cloud security program.
Pros & Cons of PCI Compliance Outsourcing
Once you’re up to date on the detailed requirements of the PCI DSS, the reports you need to submit regularly, and the security best practices to ensure successful compliance, you might be considering outsourcing as a viable option.
And compliance outsourcing does indeed offer significant benefits over in-house compliance management. But there are also a few downsides you need to be aware of, along with ways to address them.
Benefits of PCI Compliance Outsourcing
PCI DSS compliance is a crucial shield against ever-present cyberattacks and helps keep sensitive customer data safe. Beyond financial penalties, your organization stands to lose a lot in the event of a security breach. Brand erosion, litigation hassles, and loss of customers are some of the additional and potentially more damaging impacts associated with PCI DSS non-compliance.
- Outsourcing your compliance requirements to a managed security services provider (MSSP) specializing in compliance frameworks can protect your organization from unintentionally finding yourself on the wrong side of the law. And it will allow your professionals to focus their energies on other business-critical activities while compliance is taken care of by your vendor partner.
- Depending on your PCI level, you might require verification of your AOC and ROC reports by a Qualified Security Assessor or QSA. Partnering with a service provider that is also a QSA will save you both time and money while staying up to date with your compliance needs.
- A comprehensive compliance services partner will not only handle all your SAQ, AOC, and ROC reporting but also train your employees on cybersecurity awareness and PCI compliance best practices.
Drawbacks of PCI Compliance Outsourcing
It’s not all hunky-dory when it comes to outsourcing a critical function to a third party. There exist a few drawbacks as well.
- Overseeing your organization’s security and compliance function needs a dedicated Chief Information Security Officer (CISO) who can provide strategic guidance and be the main point of contact when contracting outside vendors.
- Any third-party tools and processes that you onboard will be new to your staff, who will have to be trained on adopting and continuing to use those tools. This impacts personnel’s bandwidth and may become a tiresome process if your MSSP doesn’t know how to streamline training.
- Partnering with any outside entity can expose your organizational data to additional risks regarding identity & access management and network security. Thankfully, QSAs regularly undergo extensive SSC-certification processes of their own. Still, PCI DSS compliance remains your responsibility regardless of any third-party involvement. So, you’ll want to evaluate your potential QSA and advisory partners thoroughly.
PCI Outsourcing with an MSSP—How to Make Your Website PCI Compliant
Partnering with a managed security services provider (MSSP) that has achieved QSA certification gives you the added benefits of incident response, threat detection, penetration testing, and vulnerability management in addition to managed compliance services.
An MSSP also provides you the option of onboarding a virtual CISO (vCISO) to gain expert security advisory services at a fraction of the cost of a traditional CISO. And, with Third Party Risk Management services and centralized Security Training, you can safely minimize the potential drawbacks of outsourcing.
Become PCI Compliant Today
As a certified QSA and a leading MSSP, RSI Security offers you peace of mind with its unparalleled data security and compliance advisory services. You can rest assured that your data—and your customers’—remains secure.
With our track record of helping over 250 organizations achieve PCI compliance, we take pride in offering a top-of-the-line experience above all. Contact RSI Security today and take your first and last step towards PCI compliance.