Chances are, your business relies on credit card transactions for payment. Therefore, it must be able to pass a Payment Card Industry (PCI) compliance scan. PCI compliance scans measure a company’s implementation of the Data Security Standard (DSS) requirements, developed and enforced by the PCI’s Security Standards Council (SSC). Read on to understand how to pass PCI compliance scans and fully implement the DSS to protect cardholder data (CHD) and avoid noncompliance penalties.
Passing a PCI Compliance Scan in Three Steps
PCI compliance scans are critical to securing your customers’ data and, by extension, your business. There are three crucial steps to passing an internal or external PCI compliance scan:
- Determining which merchant level you fall under and how to report on compliance
- Implementing all 12 PCI DSS Requirements up to their specific Testing Procedures
- Selecting and filling out the appropriate PCI reporting documentation for your level
RSI Security’s PCI compliance advisory services can help your company streamline the entire implementation and PCI compliance scanning phase, optimizing your security at minimal costs.
Step 1: Determine Your PCI DSS Merchant Level
The first step in passing a PCI compliance scan is knowing what type of scan your merchant activity requires.
Depending on the volume and kinds of credit card transactions your company processes, it may require a different kind of scan—conducted internally or by an external third party. These third parties may be Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), or other companies qualified and listed by the SSC.
Individual SSC stakeholders define criteria for Merchant Levels differently. Per Visa’s PCI guide:
- Merchants who process six million or more transactions per year across all channels qualify as Level 1 and have the most strenuous PCI compliance scanning requirements:
- A Report on Compliance (ROC), a long-term external analysis, typically on-site, of all PCI DSS requirements and corresponding security controls in practice
- Merchants who process between one and six million transactions per year are Level 2, and those who process between 20 thousand and one million are Level 3. Both require:
- An Attestation of Compliance (AOC), a slightly less rigorous analysis of all security systems’ and controls’ design, per DSS Requirements, along with the required documentation for a PCI Merchant Level 4 (see below)
- Merchants who process fewer than 20 thousand transactions per year or up to one million e-commerce transactions (in some cases) qualify as Level 4, which requires:
- A Self-Assessment Questionnaire (SAQ), filled out internally by the company being assessed, with simple yes or no answers to questions about all controls
The other four Founding Members of the SSC (American Express, Discover, JCB International, and Mastercard) have slightly different, individual methods for determining a merchant’s PCI level. However, all five require the most rigorous testing for merchants with the highest transaction volumes. Processing larger quantities of cardholder data (CHD) makes dangerous breaches more likely to occur, hence the stringent requirements.
Step 2: Implement All 12 PCI DSS Requirements
The second step in passing a PCI compliance scan is implementing all PCI DSS Requirements.
The PCI DSS is currently in version 3.2.1 (May 2018). It is available for free download from the SSC Document Library with supporting documents upon consenting to a licensing agreement.
PCI DSS v3.2.1 comprises six main Goals, or categories, that inform its 12 Requirements. The Requirements then break down into sub-requirements and Testing Procedures, accompanied by implementation Guidance for each. The primary Requirements break down as follows:
- PCI DSS Goal 1 – Ensure security across all networks and systems:
- PCI DSS Requirement 1: Install and update firewall configurations to establish a secure perimeter around systems containing or connected to cardholder data.
- PCI DSS Requirement 2: Create unique passwords and upgraded security parameters to replace all default, vendor-supplied settings across all assets.
- PCI DSS Goal 2 – Protect all cardholder data controlled, used, or stored:
- PCI DSS Requirement 3: Protect cardholder data in internal or external storage and ensure that cardholder data is only stored and retained if it is necessary.
- PCI DSS Requirement 4: Encrypt all cardholder data and other relevant data pertaining to customers that must be transmitted across any public network.
- PCI DSS Goal 3 – Implement a vulnerability management program:
- PCI DSS Requirement 5: Maintain updated versions of antimalware and antivirus software across all infrastructure to protect sensitive data from malware attacks.
- PCI DSS Requirement 6: Build a secure system and applications, then continuously update them as needed to protect against attacks.
- PCI DSS Goal 4 – Monitor and control all access to cardholder data:
- PCI DSS Requirement 7: Limit the ability of those within your organization to see any cardholder data unless it is necessary for a given employee’s business role and responsibilities.
- PCI DSS Requirement 8: Require security checkpoints, such as passwords and strict authentication (e.g., multi-factor authentication), to access cardholder data.
- PCI DSS Requirement 9: Control who comes into physical contact with systems and spaces containing or connected to cardholder data, including all clientele.
- PCI DSS Goal 5 – Monitor and assess security systems continuously:
- PCI DSS Requirement 10: Log all information regarding who accesses sensitive networks and data (e.g., time, location, users, behaviors).
- PCI DSS Requirement 11: Perform frequent tests of all data protection systems, scanning for both controls and appropriate user behavior across all personnel.
- PCI DSS Goal 6 – Design, implement, and maintain a security policy:
- PCI DSS Requirement 12: Develop and distribute a clear, accessible policy that outlines how all members of your organization should approach data protection.
A preliminary compliance scan or readiness assessment should indicate whether each of these Requirements is being met currently, to what extent, and any additional tools (i.e., “compensating controls”) needed to meet them. A company may also need to account for other PCI frameworks, such as the Payment Application DSS (PA DSS) or PIN Transaction Security (PTS) Requirements—see the SSC’s overview of standards for all applicable controls.
There is overlap between these frameworks, but each one is assessed independently.
Step 3: Assess and Report on PCI Implementation
The last step in the PCI compliance scan process is completing and submitting the required assessment.
As detailed above, the specific PCI compliance scan tools and reporting templates required will vary depending on your merchant level. For companies at levels 2-4 who need to submit the SAQ, there are also slight differences in the kind of SAQ form they need to complete. These depend upon the nature of CHD processing within the company and the extent of its outsourced functions.
For example, e-commerce merchants may need to fill out the SAQ-A if they outsource all CHD functions to compliant third parties or the SAQ-A-EP variant if they outsource some (but not all) CHD functions to third parties. Traditional (i.e., brick and mortar) merchants may need to fill out the SAQ-B or SAQ-C forms if they use standalone dial-out terminals or internet-connected payment applications, respectively.
Protecting Your Customers and Your Business
PCI DSS compliance has multiple layers to understand, including merchant levels, framework requirements, and reporting documentation. Preparing for a scan depends on mastering all three.
If your company understands how to pass PCI compliance scans but has trouble executing its plan, RSI Security is the ideal partner to help you achieve and report on your compliance.
Contact RSI Security today to get started with our PCI advisory services, tailored to your unique needs and means.