PCI certification
29.03.2023

PCI DSS and PCI Certification: All You Need to Know


PCI DSS is a global industry standard. It is not a law: it is enforced contractually through the card brands and the acquiring banks, although data protection legislation in most countries covers cardholder data as well. Organisations that handle card data and are not compliant usually face hefty fines from their acquirer. Let us find out more.

What is PCI DSS Compliance?

The PCI DSS (Payment Card Industry Data Security Standard) is a security standard for payment card data that is binding on every organisation that stores, processes or transmits cardholder data. It was created by American Express, Discover Financial Services, JCB International, Mastercard and Visa Inc., which founded the PCI Security Standards Council in 2006 to maintain it, in order to curb payment card fraud. The goal of PCI DSS is to protect merchants, issuers and cardholders from fraud, card misuse and data theft.

Every organisation that stores, processes or transmits cardholder data must comply with PCI DSS and validate that compliance. How it is validated depends on the merchant or service-provider level defined by the card brands, which is driven by annual transaction volume: the highest level (Level 1) requires an on-site assessment by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor (ISA), resulting in a Report on Compliance; the lower levels complete a Self-Assessment Questionnaire (SAQ). In every case the outcome is an Attestation of Compliance handed to the acquirer. Strictly speaking the PCI Security Standards Council does not "certify" anyone; "PCI certification" is the everyday term for this annual validation, and it is used in that sense throughout this article.

Why is PCI DSS important?

Complying with PCI DSS means taking appropriate steps to protect cardholder data from theft and fraudulent use. Compliance or non-compliance has consequences for your business and, more importantly, for your customers. Even a single successful attack can cost revenue, customers, reputation and trust. It is therefore in your own interest to take responsibility for this customer data and make sure it is protected in line with the standard.

Adhering to the standard is how breaches of cardholder data are meant to be prevented. PCI DSS is both an organisational framework for handling cardholder data within the company and a technical specification for the systems that store, process or transmit it. Its basic premise is that every party involved in a card transaction applies it to the part of the transaction it controls.

Criteria for PCI certification

To judge when a full PCI assessment is required, it helps to know which parties take part in a card transaction. Besides the cardholder (the customer) these are the online merchant, the acquirer (the bank that settles card payments for the merchant) and the payment service provider (the payment processor). On the technical side, the payment module or plug-in in the shop software, the shop software itself and the interface to the payment service provider or bank are involved. A full assessment (in SAQ terms, SAQ D) is always required if a self-developed checkout form running on the merchant's own systems collects card data. The same is true when a payment plug-in in the shop accepts the card data on the merchant's own server before forwarding it, and when the shop operator stores cardholder data in its own systems: in all three cases cardholder data enters the merchant's environment, which is exactly what the card brands' compliance programmes (Visa, Mastercard and the others) assess.


What do I need to do to become PCI DSS compliant?

Companies that want to comply with PCI DSS must first understand how payment data enters, flows through and is stored in their environment; this scoping exercise defines the cardholder data environment that will be assessed. Many companies shrink that scope by using a fully hosted payment solution. Compliance is then measured by assessing the in-scope environment against the standard. PCI DSS requires merchants and service providers that store, process or transmit cardholder data to:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy


These six goals are broken down into 12 requirements that every merchant or service provider must meet to be PCI DSS compliant.

  1. Install and maintain network security controls (firewalls) that protect the cardholder data environment, and restrict traffic into and out of it to what is necessary.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters; change them before a system goes into production.
  3. Protect stored cardholder data. Keep retention and disposal policies so that data is stored only as long as there is a business reason and is securely deleted afterwards. Any stored primary account number (PAN) must be rendered unreadable, for example by truncation, tokenisation or strong encryption. Sensitive authentication data must never be stored after authorisation: the full contents of the magnetic stripe or chip, the card verification code (CVV/CVC) and the PIN or PIN block.
  4. Encrypt transmission of cardholder data across open, public networks with strong cryptography (a current TLS version, for instance). Open networks include the Internet, wireless technologies such as Wi-Fi and Bluetooth, mobile networks such as GPRS, and satellite links.
  5. Protect all systems against malware. Anti-malware software must be deployed on systems commonly affected by it, kept up to date and actively running, to ward off viruses, worms and Trojans.
  6. Develop and maintain secure systems and applications. Apply security patches promptly and follow secure development practices for in-house software.
  7. Restrict access to cardholder data to what the business needs (need to know). You must be able to say WHO has access to this data and WHY they need it.
  8. Assign a unique ID to each person with computer access, so that every action can be traced to an individual and only authorised people can reach particular systems, components and cardholder data. Access to the cardholder data environment must additionally be protected by multi-factor authentication, combining a password with something the user has (a smart card or hardware token) or is (biometrics).
  9. Restrict physical access to cardholder data and the systems that hold it. Data is also lost through physical security breaches, including stolen paper records and media.
  10. Log and monitor all access to network resources and cardholder data. Only complete, time-synchronised audit trails that are protected from tampering and reviewed regularly let you spot and contain a breach; they must record the actions of individual users.
  11. Regularly test security systems and processes. This covers quarterly vulnerability scans (external scans by an Approved Scanning Vendor) and penetration testing, which must be performed at least annually and after any significant change to the network or applications.
  12. Maintain a policy that addresses information security for all personnel and contractors. It must be reviewed and updated at least annually, include a risk assessment to identify threats and vulnerabilities, and be backed by an incident response plan and ongoing security awareness training so that new rules reach staff promptly.


What does PCI DSS mean for my company specifically?

The PCI DSS requirements are in line with general cyber-security best practice. If you are subject to the EU General Data Protection Regulation, much of the work overlaps: the GDPR also demands appropriate technical and organisational measures for personal data, and cardholder data is personal data. Regardless of the size of your business, protect your network and infrastructure as comprehensively as possible, and treat the systems that touch card data as a separately defined and tightly controlled environment.

How online merchants can keep PCI certification to a minimum

Small shop operators in particular often ask whether they really have to deal with PCI certification themselves or whether the payment provider can take care of it. The precondition for leaving it largely to the provider is that no cardholder data and no sensitive authentication data, such as the three- or four-digit security code on the card, is processed or stored anywhere in the merchant's own systems. Even then the merchant does not escape PCI DSS entirely: it remains responsible for the parts it controls (the page that links to or embeds the payment form, and its contract with a validated provider) and must still attest to this, but with the shortest questionnaire (SAQ A) instead of a full assessment. In concrete terms this means using only the payment plug-ins supplied by the payment provider or acquirer and letting the provider's hosted payment page or iframe collect the card data, so that it travels directly from the customer's browser to the provider and never reaches the shop's server or database. A merchant-hosted form whose JavaScript posts the card data straight to the provider is the next-lightest option (SAQ A-EP): the data still bypasses the merchant's server, but the merchant's page controls how it is collected and is therefore in scope. No cardholder data of any kind may be stored internally, and this applies equally to direct and telephone sales. If card details must be written down for a manual transaction, keep the paper record only for as long as the retention period requires and then destroy it securely; paper is in scope too (physical security, requirement 9), and the security code must never be retained after authorisation.
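As an added example (not part of the original article, and not code from the PCI Security Standards Council or any payment provider), here is a small Python guard that a merchant backend could apply to enforce the rules just described together with requirements 3 and 10 above: a request that reaches the shop's server may carry the provider's token but never a PAN or sensitive authentication data, and any PAN that nevertheless turns up in free text, for instance in a log line, is masked to the first six and last four digits before it is written. The field names, the token format and the sample payloads are constructed for illustration; 4111 1111 1111 1111 is the well-known Visa test number, not a live card.

```python
"""Guard a merchant backend against receiving, storing or logging cardholder data
it is not supposed to hold. Field names and payloads below are constructed examples."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorisation,
# and field names under which a full PAN would typically arrive (assumed names).
_SAD_KEYS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2"}
_PAN_KEYS = {"pan", "card_number", "cardnumber", "number"}


class CardholderDataError(ValueError):
    """Raised when a request carries data the merchant environment must not hold."""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS allows to show."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in a string (e.g. a log line) by its masked form."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _PAN_RE.sub(repl, text)


def validate_inbound(payload: dict) -> dict:
    """Accept a checkout request only if it carries a provider token and no card data.

    Returns a copy of the payload; raises CardholderDataError if a PAN or any
    sensitive authentication data is present, whether in a known field or inside
    free text such as an order note."""
    clean = {}
    for key, value in payload.items():
        k = key.lower()
        if k in _SAD_KEYS:
            raise CardholderDataError(f"sensitive authentication data in field {key!r}")
        if k in _PAN_KEYS or (isinstance(value, str) and scrub(value) != value):
            raise CardholderDataError(f"PAN received in field {key!r}")
        clean[key] = value
    return clean


def request_is_clean(payload: dict) -> bool:
    """Predicate form of validate_inbound, convenient for gateways and tests."""
    try:
        validate_inbound(payload)
        return True
    except CardholderDataError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: the first is what a tokenised checkout should send.
    print(request_is_clean({"token": "tok_9f8e2", "amount_cents": 1999, "pan_last4": "1111"}))
    print(request_is_clean({"token": "tok_9f8e2", "amount_cents": 1999, "cvv": "123"}))
    print(request_is_clean({"token": "tok_9f8e2", "note": "card 4111 1111 1111 1111"}))
    # Constructed log line: the PAN is masked before the line ever reaches the log store.
    print(scrub("2023-03-29 checkout cust=42 card=4111111111111111 status=ok"))
```

Run it as a script and the three predicate calls print True, False, False, and the log line comes out with `411111******1111`. The Luhn test is only a checksum, not proof that a digit run is a card number, so false positives are possible; that is the right trade-off here, because masking a harmless number costs nothing, whereas one unmasked real PAN in a log file pulls the whole log store into PCI scope.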

Online merchants can also avoid most of the burden by handing the entire payment process to a payment processor that is itself PCI DSS validated. If none of these conditions is met, i.e. the merchant handles cardholder data itself or stores card data, a full PCI DSS assessment is unavoidable. The cost of annual validation at Level 4 (the lowest level, for merchants with fewer than 20,000 e-commerce card transactions per year) is typically in the hundreds of euros; validation at the higher levels, up to Level 1, is considerably more expensive. Compliance must be re-validated every year; the standard itself is revised periodically by the PCI Security Standards Council (version 4.0 was published in March 2022, with a transition period before its new requirements become mandatory).

Consequences of not having PCI certification

If an online merchant processes or stores cardholder data without validating its PCI DSS compliance, the consequences can be far-reaching. As a rule, non-compliance results in penalties from the acquirer, which passes on the card brands' fines. Beyond that, the merchant risks losing its permission to accept card payments altogether, and other acquirers are unlikely to sign an acceptance agreement with a merchant that was terminated for this reason. The remaining choice is then limited to payment processors that accept card payments on the merchant's behalf without a direct acquiring contract, and even that is the exception rather than the rule. If the merchant's systems are breached and no valid compliance validation exists, the card brands usually require the merchant to validate at Level 1 from then on, regardless of its transaction volume. That means an annual on-site QSA assessment costing several thousand euros, due anew every year, because the merchant's own systems must now be examined at regular intervals.
