The Security Standards Council (SSC) of the Payment Card Industry (PCI) has developed many frameworks to protect companies from cybercrime targeting consumers’ credit and debit cards. The most widespread of these frameworks is the PCI Data Security Standard, or PCI DSS, which covers nearly all consumer card data that businesses process, store, transmit, or otherwise handle. This brings us to the question: what data falls under PCI compliance, exactly, and which companies need to comply with PCI’s security standards?
To find out, keep reading.
What Data Falls Under PCI Compliance?
The technology that supports payments and money transfers grows more complex every year. And yet, despite changing conventions, cybercriminals seem to find ways to outpace all but the best-protected companies. One of the biggest challenges to fully safeguarding your clients is understanding exactly what needs to be protected, why, and how to protect it.
Below, we’ll break down everything you need to know to keep all protected data safe:
- Precisely what data (and which kinds of companies) PCI DSS covers
- Everything it takes to protect that data, from the controls themselves to the assessment requirements
By the end of this article, you’ll understand whether your company needs to comply, why, and how to do so. But before getting into these details, let’s take a look at what PCI compliance is.
What Exactly Constitutes PCI Compliance?
Compliance with PCI means following one or more sets of rules established by the PCI SSC. For most companies, this means implementing the core PCI DSS controls to protect the kinds of information specific to credit and debit cards. Some companies, however, are subject to PCI DSS and one or more other PCI frameworks as well. What matters most is understanding what information the SSC wants you to protect, why, and how.
The SSC, responsible for authorship and enforcement of PCI compliance, comprises five critical stakeholders in the industry: American Express (AmEx), VISA, MasterCard, JCB International, and Discover. PCI compliance conforms to the standards established by these companies; each one has its particular criteria for which specific data it protects and prioritizes.
What Information Is Subject to PCI Protection
Nearly all payment card and cardholder information is subject to PCI protection — most notably, the information on credit cards (name, number, etc.) and the accounts connected to them.
In practice, this means many, if not most, companies that process payments are subject to some form of PCI compliance. Per one SSC resource charting differences across the PCI security standards, its three main cybersecurity frameworks apply to the following sets of stakeholders:
- PCI Data Security Standard – Applies to all merchants and service providers that store, process, or transmit payment card data, including accepting and processing payments
- PCI Payment Application DSS – Applies specifically to those involved in the design and implementation of payment apps that store, process, or transmit cardholder data
- PCI PIN Transaction Security (PTS) – Applies specifically to manufacturers involved in Hardware Security Module (HSM) and Point of Interaction (POI) security systems
Of all these standards, PCI DSS applies to most institutions. The phrase “PCI compliance” often refers to PCI DSS compliance in particular.
Who Exactly PCI Compliance Impacts, and How
As noted above, PCI DSS requirements apply most broadly across industries. But that doesn’t mean they affect all companies in the same way. Per a PCI DSS compliance support guide published by VISA, transaction volume also matters when it comes to compliance:
- Merchants processing over 6 million transactions annually are at Level 1 and must be verified compliant through a Report on Compliance (ROC) from a Qualified Security Assessor (QSA)
- Merchants processing between 1 million and 6 million transactions annually are at Level 2 and need an Attestation of Compliance (AOC) and a Self-Assessment Questionnaire (SAQ)
- Merchants processing between 20 thousand and 1 million e-commerce transactions annually are at Level 3 and require the same documentation as Level 2 merchants
- Merchants processing fewer than 20 thousand e-commerce transactions annually are at Level 4 and need less verification overall, per VISA’s small business requirements
Self-reported or external verification of compliance is just one (late) step toward protecting cardholder data. The far more significant step is implementing the proper controls.
Requirements of Full PCI DSS Compliance
There are 12 core requirements of PCI DSS compliance to protect all these forms of data, grouped into six categories of cybersecurity. These controls break down as follows:
- Build and maintain secure networks and systems
  - Requirement 1. Install and maintain firewall protections for cardholder data
  - Requirement 2. Replace vendor-supplied default passwords and security configurations
- Protect sensitive payment card and cardholder data
  - Requirement 3. Protect cardholder data stored on internal servers, networks, etc.
  - Requirement 4. Protect cardholder data transmitted over open, public networks
- Maintain a robust vulnerability management program
  - Requirement 5. Protect systems against malware with regularly updated antivirus software
  - Requirement 6. Develop and maintain secure systems and applications
- Implement strong identity and access control measures
  - Requirement 7. Restrict access to cardholder data by business need to know
  - Requirement 8. Restrict access to cardholder data with authentication measures
  - Requirement 9. Restrict physical access to systems containing cardholder data
- Monitor and test all relevant networks regularly
  - Requirement 10. Monitor access to cardholder data and network resources
  - Requirement 11. Test all relevant security systems and processes routinely
- Maintain a robust information security policy
  - Requirement 12. Maintain a policy that addresses information security for all personnel
The body of PCI DSS v3.2.1 details all of these controls further, including testing procedures and guidance for each. Implementing all of them is the key to fully safeguarding cardholder data.
Consequences for PCI DSS Noncompliance
Failure to safeguard the information that PCI DSS (and other frameworks) protects will result in both short- and long-term costs. The former, imposed by the SSC, include the following fines:
- $5,000 to $10,000 per month for noncompliance lasting 1 to 3 months; company size, client volume, and other factors determine the amount per month
- $25,000 to $50,000 per month for noncompliance lasting 4 to 6 months; company size, client volume, and other factors determine the amount per month
- $50,000 to $100,000 per month for noncompliance lasting 7 or more months; company size, client volume, and other factors determine the amount per month
- $50 to $90 per cardholder in the event of a data breach; compliance status is not a factor, but company size and the number of impacted stakeholders are
If these aren’t incentive enough, long-term costs are even more significant. According to a CSO Online analysis, data breach costs average around $146 per record lost. In the event of a “mega breach” impacting millions of records, companies could lose over $390 million. Professional PCI compliance advisory services are the best way to avoid these and other costs.
Cyberdefense for Payment Card Processors
Here at RSI Security, we’re committed to helping companies of all shapes and sizes with their compliance needs, from PCI DSS to HIPAA and beyond. But we also know compliance is far from the end of cyberdefense; it’s just the beginning. To keep your stakeholders safe, you’ll need a robust security architecture complete with analytical tools and staff awareness training.
Now, to return to the question from above: what data falls under PCI compliance? Simple: all cardholder data. But the simple answer belies complex implications. Because the scope is so broad, PCI requirements apply very widely. That means that if you process card payments, you likely need to comply. Contact RSI Security today to ensure you’re doing so.
Download Our PCI DSS Checklist
Assess where your organization currently stands on PCI DSS compliance by completing this checklist. After filling out this brief form, you will receive the checklist via email.