Consumers’ financial data is a valuable target for cybercrime. As such, compliance with the Payment Card Industry (PCI) regulatory frameworks, like the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), is required for most companies that process credit card payments. But what happens for companies who don’t comply? And who enforces PCI compliance penalties?
This guide answers those questions and more.
Who Enforces PCI Compliance?
Despite the importance of compliance, a staggering number of businesses fail to comply each year. Per Verizon’s 2020 Payment Security Report, under 50 percent of companies have fully complied in eight of the last ten years, with a nadir of just 11.1 percent in 2012. Most of these companies have met with severe consequences.
This guide will break down everything you need to know into three main categories:
- Understanding the key players involved in PCI compliance
- Securing full compliance across both PCI DSS and PA DSS
- Avoiding the sticker price and hidden costs of noncompliance
Let’s start with a close look at who’s who in the Security Standards Council (SSC).
Understanding the Key PCI Stakeholders
In 2006, five of the biggest credit card companies came together to form the PCI SSC: Visa, MasterCard, American Express (AmEx), JCB International, and Discover. In addition to the Founding Members at the top, essential governance of PCI SSC includes the following stakeholders:
- The Executive Committee – Executives from Founding Members, Strategic Members (UnionPay), and Strategic Regional Members (European Card Payment Association)
- The Board of Advisors – Executives elected from the network of Participating Organizations, a range of stakeholders including Amazon, Google, Square, etc.
- The Management Collective – Executives elected from all groups above and the network of Affiliate Members (including Interac, Dutch Payments Association, etc.)
Collectively, these bodies develop and maintain the PCI frameworks, including but not limited to the PCI and PA DSS.
But the enforcement of the frameworks is not their responsibility.
Who is Directly Responsible for Enforcement?
Counterintuitively, the SSC itself does not enforce its own compliance regulations. Instead, the responsibility falls to the five vendors from above: Visa, Mastercard, AmEx, JCB, and Discover.
Enforcement is administered by individual stakeholders, always acting in their own interests. For this reason, enforcement can sometimes seem fraudulent, and there are many legal disputes leveraged against SSC stakeholders. For example, small shoe retailer Genesco sued Visa and won (9 million dollars) for Visa’s overreach in enforcement in response to a hack from 2010.
Aside from the fines that these institutions can enforce, which we’ll detail below, the most significant impact they have stemmed from their position as payment card vendors and processors.
One of the worst consequences they can enforce is freezing your merchant account or adding you to the Terminated Merchant List. The list is typically reserved for perpetrators of fraud and other crimes, but non-compliance can land you on it, too. This can lead to irreversible damage to your reputation and banks refusing to do business with you for years (usually five at minimum).
Who Needs to Maintain PCI Compliance?
All companies that store, process, or otherwise come in contact with cardholder data need to comply with differing extents of verification. As detailed above, one of the leading compliance stakeholders is Visa. Visa also determines metrics for who needs to comply with PCI standards and to what extent across four levels. Per Visa’s PCI compliance support guide, these include:
- Level 1 – Merchants who process over six million transactions annually, across all channels, or Global merchants determined by Visa to be at level 1 in any single region
- Level 2 – Merchants who process between one million and six million transactions annually, across all channels (including e-commerce, physical payments, and others)
- Level 3 – Merchants who process between 20 thousand and one million e-commerce transactions (particularly and irrespective of other payment channels) annually
- Level 4 – Merchants who process fewer than 20 thousand e-commerce transactions annually, and those processing up to one million total transactions across all channels
Counterintuitively, these levels’ respective thresholds scale down as the level itself scales upward. These correspond to validation requirements scaling up to their most intense at level 1, which we’ll cover below. But first, let’s take a close look at the requirements for compliance.
Securing Full PCI / PA DSS Compliance
To avoid PCI-enforced penalties and other hidden costs of noncompliance, you’ll need to verify the continuous implementation of practices up to your level’s standard. In practice, there are 26 total requirements to follow for most companies: 12 in PCI DSS and 14 in PA DSS.
The PA DSS, formerly known as Payment Application Best Practices, extends the protections required by PCI DSS to other payment models that involve new digital platforms rather than the conventional physical payment card infrastructure. These requirements overlap with PCI DSS, and there are workarounds involving apps approved by PCI SSC for immediate adoption.
The following sections will detail both sets of requirements, linking to PCI SSC resources for further information about the implementation of both, beginning with the more prominent PCI DSS.
PCI DSS: 12 Main PCI Compliance Requirements
There are 12 core requirements that make up the PCI DSS, distributed across six groups. Each requirement also breaks down further into several sub-requirements, each subject to one or more testing procedures. With guidance for each sub-requirement, a tabulated matrix is detailed on pages 19-155 of the PCI DSS v.3.2.1.
Here is a brief synopsis of the requirements:
- Building and maintaining secure network systems – Comprising two requirements:
- 1. Install firewalls and other filtering mechanisms to protect cardholder data
- 2. Uninstall and replace all default, vendor-supplied security configurations
- Protecting sensitive cardholder data – Comprising two requirements:
- 3. Protect stored cardholder data with encryption, hashing, and other safeguards
- 4. Use strong encryption for cardholder data transmitted over public networks
- Maintaining a vulnerability management program – Comprising two requirements:
- 5. Safeguard against malware with regular updates to antivirus software, etc.
- 6. Maintain security across systems and applications with frequent patches, etc.
- Implementing strong access control measures – Comprising three requirements:
- 7. Use “business need to know” metric to restrict access to cardholder data
- 8. Require authentication for access to systems connected to cardholder data
- 9. Restrict physical, proximal access to hardware connected to cardholder data
- Monitoring and testing networks regularly – Comprising two requirements:
- 10. Monitor all access to cardholder data and connected networks, systems, etc.
- 11. Perform regular tests of security integrity across all systems and procedures
- Maintaining an information security policy – Comprising just one requirement:
- 12. Maintain policies to address security requirements across all personnel
Importantly, implementing the 12 requirements and all applicable sub-requirements for your level may not be enough for full PCI compliance. You may need to implement PA DSS, as well.
PA DSS: 14 Other PCI Compliance Requirements
To protect cardholder data as used in payment applications, the PA DSS adds another 14 core requirements to follow. Like their analogs in PCI DSS, these also break down into multiple sub-requirements and testing procedures for each. These and guidance are tabulated in a matrix spanning pages 14 through 74 of PA DSS v.3.2.
The following is a synopsis of each:
- Requirement 1 – Avoid retention or storage of protected card verification and PIN data
- Requirement 2 – Utilize encryption to protect any cardholder data that must be stored
- Requirement 3 – Authenticate and restrict all users’ access to protected cardholder data
- Requirement 4 – Document all user access and activity related to payment applications
- Requirement 5 – Integrate security measures into the development of payment platforms
- Requirement 6 – Protect wireless network-based transmissions of cardholder data
- Requirement 7 – Test applications for vulnerabilities and update for patches, as needed
- Requirement 8 – Maintain network security and facilitate reparative work to protect data
- Requirement 9 – Never store any cardholder on any servers connected to the internet
- Requirement 10 – Facilitate security of the cloud and other remote access to applications
- Requirement 11 – Encrypt all cardholder data for transmission over public networks
- Requirement 12 – Secure non-console based data access for administrative purposes
- Requirement 13 – Develop PA DSS implementation guides for resellers, personnel, etc.
- Requirement 14 – Maintain PA DSS training and responsibilities across all staff, etc.
These 14 requirements overlap with the PCI DSS considerably. Nevertheless, it’s imperative to implement all 26 requirements. The PCI SSC maintains a list of verified PA DSS compliant platforms, but it changes regularly, so it’s essential to hold all applications you use accountable.
Avoiding PCI Non-Compliance Costs
Ultimately, steering clear of enforcement and other costs incurred by non-compliance requires implementation and verification of all applicable PCI and PA DSS requirements. Depending on the level your company is at (per Visa’s PCI compliance guide, detailed above), this includes annual submission of internal reporting, external auditing, or some combination of both:
- Level 1 – Third-party auditing and submission of a Report on Compliance (ROC) form, verified by a Qualified Security Assessor (QSA), along with level 2 requirements
- Level 2 – Internal assessment and submission of a Self Assessment Questionnaire (SAQ), along with an Attestation of Compliance (AOC) (see SSC’s Document Library)
- Level 3 – All requirements of level 2, except in exceptional cases determined by the SSC
- Level 4 – SAQ or equivalent exercise, per Visa’s requirements for small businesses
Independently of verification, compliance is the same for all levels. And, regardless of level, all companies need to contract with third parties for compliance. Namely, quarterly vulnerability scanning by approved scanning vendors (ASV) is required by PCI DSS requirement 11.2.2.
Short- and Long-Term Savings of Compliance
The most immediate impact of compliance on your company is savings in terms of both penalties and hidden costs within non-compliance. In the short term, applicable fines include:
- 50 to 90 dollars per cardholder – Irrespective of compliance, in the event of a data breach; the company size and number of impacted cardholder determines the fee
- 5 to 10 thousand dollars per month – For companies non-compliant for 1 to 3 months; smaller-volume clients will pay less, and higher-volume clients will pay more per month
- 25 to 50 thousand dollars per month – For companies non-compliant for 4 to 6 months; smaller-volume clients will pay less, and higher-volume clients will pay more per month
- 50 to 100 thousand dollars per month – For companies non-compliant for seven or more months; smaller-volume clients will pay less, and higher-volume clients will pay more per month
While these penalties can add up over time, they pale compared to the damage an actual cyberattack can do. According to a comparative study from CSO Online, a data breach costs a company 3.86 million dollars, on average, which is up to ten percent over the last five years. The figure is higher for companies in the US, who can expect to pay 8.19 million dollars for a breach.
How Third-Party Advisory Services Can Help
To help your company avoid the penalties Visa, Mastercard, AmEx, JCB, and Discover can enforce, RSI Security offers a suite of PCI DSS services to keep you safe and compliant. The following is a preview of our offerings, which our PCI DSS Data Sheet breaks down in detail:
- All forms of third-party scanning and verification (QSA, ASV, ROC, AOC, etc.)
- Comprehensive guidance and management of first-party reporting (SAQ, etc.)
- Powerful analytical tools like penetration testing and root cause analysis (RCA)
- Patch monitoring, reporting, and repairing, as per PCI DSS requirement 6.2
- Scope reduction reporting on applicable PCI assets, networks, systems, etc.
- Staff-wide PCI education via live training and custom-tailored resources
With a strong understanding of who enforces PCI compliance and the real consequences non-compliance can have for your business, it’s imperative to start your PCI journey as soon as possible. To see how powerful your cyber defenses can be, contact RSI Security today!
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.