The PCI Compliance landscape is evolving rapidly.
New technologies, new regulations, and compliance requirements are constantly emerging.
This means that organizations need to be able to address changes in the environment while adhering to existing rules and regulations.
This blog post will cover some of the major changes for 2022 including:
- The release of the new version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS).
- Changes to TLS/SSL encryption protocols
But, before we get too ahead of ourselves, let’s make sure everyone reading this article is on the same page, and understands the core fundamentals of PCI Compliance as well.
(Hint: Use the links below to skip ahead to the most relevant section for your needs)
- What is PCI Compliance?
- Which companies are required to be PCI DSS compliant?
- How do you maintain PCI compliance?
- What are the penalties for not maintaining PCI compliance?
- What are the 12 requirements of PCI DSS Compliance?
  - Build and maintain a secure network
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
  - Protect stored credit card and cardholder data
  - Encrypt transmission of credit card and cardholder data across open, public networks.
  - Use and regularly update anti-virus software or programs.
  - Develop and maintain secure systems and applications.
  - Implement strong access control measures
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test information security systems and processes.
  - Provide staff training on the importance of data protection.
- How much does it cost to become PCI compliant?
- We use a third-party processor. Do we need to be PCI DSS compliant?
- What’s new in Version 3.2 of PCI DSS?
- Changes to TLS/SSL encryption protocols for 2022
1. What is PCI Compliance?
PCI compliance refers to maintaining data security standards, under the requirements set out by the Payment Card Industry Data Security Standard (PCI DSS), for any company that processes, stores, or transmits credit card information.
Due to the privacy and fraud implications of having this sensitive cardholder data, these PCI DSS compliance standards are developed by an independent body but are enforced by the payment card industry itself.
If you handle any sort of payment cardholder data in your organization, PCI DSS compliance management should be a key focus for your compliance team.
Everything from your network resources, firewall configuration, access control system, wireless access points, and more play a role in maintaining PCI compliance.
The requirements are set out by the PCI Security Standards Council (PCI SSC) and are continually being revised in line with changes in the cardholder data environment as industry data security standards shift.
2. Which companies are required to be PCI compliant?
Any organization that accepts, transmits, or stores credit card information is required to be PCI DSS compliant.
It doesn’t matter how many payment transactions you process, what size the transaction is, or anything else.
PCI doesn’t just apply to traditional financial institutions. This is a blanket approach.
This is because the PCI Council wants to promote industry data security standards that protect credit card data at every step of the value chain.
Consumers demand this sort of data security, and it only works if the entire industry pulls in the same direction.
3. How do you maintain PCI compliance?
Maintaining PCI compliance is a continual process that relies on effective internal systems and processes – in line with the 12 PCI DSS requirements.
The first step to achieve PCI compliance is to do an audit of your current workflows and identify any PCI compliance areas where you are lacking – so you can rectify them.
These guidelines can vary depending on your company’s credit card transaction volume, so be sure to check where you stand according to the PCI council guidelines.
On a regular basis, you then should be looking to continually monitor how you are managing these guidelines operationally, and keep up with new developments as they arise.
This should be codified into some form of vulnerability management program which tests the security controls and measures your internal systems against PCI security standards and more general data security standards.
A good way to make this work is to use a self-assessment questionnaire to perform this introspection.
If you’re looking for enhanced accountability, you also can hire the services of a professional firm that:
- Understands the PCI data security standard
- Can improve network security and implement access control measures
- Can validate PCI compliance, and
- Provide recommendations as to what might need to be improved.
4. What are the penalties for not maintaining PCI compliance?
The fines themselves are not published or reported, so it’s difficult to give an accurate answer here.
Some estimates say that penalties vary from $5,000 to $100,000 per month until compliance is validated again, but this doesn’t tell the whole picture.
You’ll often find that on top of the official penalties, non-compliant companies will also face lawsuits, federal investigations, and a number of other financial complications.
Short story, the penalties are severe.
So, it’s imperative that you regularly test security systems and make sure they meet the PCI DSS requirements.
5. What are the 12 requirements of PCI DSS Compliance?
These requirements are set out by the PCI SSC, and they range across both technical and operational guidelines that must be adhered to if you are to remain compliant.
We’ll go through each of the requirements in a summarized level of detail.
Build and maintain a secure network.
The PCI Council has stated that the network is now considered to be a component of the PCI DSS compliance.
PCI DSS also now specifies that a PCI compliant business must notify its acquiring bank of any breach to the network within 8 hours of becoming aware of the breach, and must conduct a penetration test on its POI at least once every 12 months.
This equates to PCI DSS compliance checking for vulnerabilities in your network twice per year.
It’s also important to install a firewall between the credit card terminals and other sensitive computing systems in your company.
Your network firewall configuration should be set to a level high enough to securely transmit payment cardholder data on any type of transaction.
Do not use vendor-supplied defaults for system passwords and other security parameters.
The Council has also added requirements around the usage of default passwords, especially when it comes to IoT devices like printers or cameras that can pose a threat if compromised.
As an example, the PCI Council says that default passwords need to be changed before any device is installed in a PCI environment.
Protect stored credit card and cardholder data.
This PCI DSS policy requires that you maintain a secure environment for all client credit card data and cardholder data.
A secure environment includes physical security, network security, and operating system security.
Encrypt transmission of credit card and cardholder data across open, public networks.
PCI DSS has always been about protecting card data and management of PCI Compliance is no exception.
PCI DSS version 3.2, which was issued in 2013, indicates that any electronic transmission (in-motion or at-rest) containing cardholder data should be encrypted using strong cryptography.
Strong cryptography is not defined by PCI DSS, but PCI DSS requirement 2.2 does reference FIPS 140-2, and PCI DSS requirement 2.3 references NIST SP 800-52 for guidance on cryptographic key strength and the use of encryption within PCI DSS.
Use and regularly update anti-virus software or programs.
PCI DSS v3.2 requirement 1.1 mandates that all systems must have current anti-virus signatures installed and that they are actively running.
This requirement implies but is not limited to the following:
- All workstations have at least one anti-virus program with an active subscription(s)
- Servers have at least one anti-virus program with an active subscription(s)
- Workstations and servers within the scope of PCI DSS are scanned at least once every thirty days by the anti-virus software or programs.
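The two requirements above (vendor defaults changed before a device goes live; anti-virus installed, running, current and scanning within the thirty-day window) are the kind of thing an assessor asks for evidence of. The following is an added example, not code from the original post or from any PCI SSC publication: it runs the checks over a constructed asset inventory. The inventory field names are hypothetical (substitute what your asset-management tool exports); the 30-day scan window comes from the post, while the seven-day signature-age limit is an assumption of what "current signatures" means.

```python
"""Control-evidence check for two PCI DSS requirements (added example, not from the post).

Inventory field names are hypothetical. Thresholds: default credentials
changed before installation and a scan every 30 days come from the post;
SIGNATURE_MAX_AGE_DAYS is an assumption about what "current" means.
"""
from datetime import date

SCAN_WINDOW_DAYS = 30        # from the post: scanned at least once every thirty days
SIGNATURE_MAX_AGE_DAYS = 7   # assumption: signatures older than a week are not "current"

# Constructed sample inventory. Dates are ISO strings as an export tool might emit;
# None means the tool has no record of the event.
INVENTORY = [
    {"host": "pos-01", "in_pci_scope": True, "installed_on": "2022-01-10",
     "default_creds_changed_on": "2022-01-09", "av_installed": True, "av_running": True,
     "av_signature_date": "2022-03-01", "av_last_scan": "2022-02-20"},
    {"host": "cam-lobby", "in_pci_scope": True, "installed_on": "2022-01-10",
     "default_creds_changed_on": None, "av_installed": False, "av_running": False,
     "av_signature_date": None, "av_last_scan": None},
    {"host": "printer-02", "in_pci_scope": True, "installed_on": "2022-01-10",
     "default_creds_changed_on": "2022-01-15", "av_installed": True, "av_running": True,
     "av_signature_date": "2022-02-20", "av_last_scan": "2022-01-20"},
    {"host": "dev-laptop", "in_pci_scope": False, "installed_on": "2022-02-01",
     "default_creds_changed_on": None, "av_installed": False, "av_running": False,
     "av_signature_date": None, "av_last_scan": None},
    {"host": "db-01", "in_pci_scope": True, "installed_on": "2021-11-01",
     "default_creds_changed_on": "2021-10-30", "av_installed": True, "av_running": False,
     "av_signature_date": "2022-03-04", "av_last_scan": "2022-03-04"},
]


def _parse(value):
    """Turn an ISO date string into a date; None stays None (no record)."""
    return date.fromisoformat(value) if value else None


def check_device(dev, today):
    """Return the list of findings for one in-scope device (empty list = compliant)."""
    findings = []

    # Vendor defaults must be changed, and changed *before* the device went live.
    changed = _parse(dev["default_creds_changed_on"])
    installed = _parse(dev["installed_on"])
    if changed is None:
        findings.append("default credentials never changed")
    elif installed is not None and changed > installed:
        findings.append("default credentials changed after installation")

    # Anti-virus must be installed, running, current, and scanning within the window.
    if not dev["av_installed"]:
        findings.append("no anti-virus installed")
        return findings        # the remaining AV checks are meaningless without a product
    if not dev["av_running"]:
        findings.append("anti-virus installed but not running")
    sig = _parse(dev["av_signature_date"])
    if sig is None or (today - sig).days > SIGNATURE_MAX_AGE_DAYS:
        findings.append("anti-virus signatures not current")
    scan = _parse(dev["av_last_scan"])
    if scan is None or (today - scan).days > SCAN_WINDOW_DAYS:
        findings.append("no anti-virus scan within %d days" % SCAN_WINDOW_DAYS)
    return findings


def audit(inventory, today):
    """Map host -> findings for every in-scope device that fails at least one check."""
    results = {}
    for dev in inventory:
        if not dev["in_pci_scope"]:
            continue           # out-of-scope assets are not assessed against PCI DSS
        findings = check_device(dev, today)
        if findings:
            results[dev["host"]] = findings
    return results


def audit_sample():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(INVENTORY, date(2022, 3, 5))


if __name__ == "__main__":
    for host, findings in audit_sample().items():
        print(host)
        for f in findings:
            print("  -", f)
```

Missing records are treated as failures rather than skipped: a device with no recorded credential change or no recorded scan cannot be shown compliant, which is what an assessor will conclude as well. Out-of-scope assets are dropped early so the report only lists what PCI DSS actually applies to.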
*** Expert Tip ***
Using an anti-virus is the bare minimum, but ultimately, should NOT be relied upon to keep your essential business data safe and maintain compliance requirements.
An Endpoint Detection & Response system running a back-end Security Operations Centre will provide a much deeper level of information security controls to your business.
Contact our team to find out more, or visit our Cybersecurity page.
Develop and maintain secure systems and applications.
PCI DSS compliance requires that you maintain PCI compliant network services, applications, and operating systems in order to protect cardholder data effectively and securely.
Implement strong access control measures.
Cards are the main source of payment for transactions and carry information such as name, address, credit card number and expiration date.
This information should be properly secured not only from people outside but also from those inside a company.
Assign a unique ID to each person with computer access.
PCI rules require that any individual who has access to cardholder data be identified.
To comply with PCI DSS, a unique identifier must be assigned to each person with computer access – including employees, contractors, and third-party administrators.
Restrict physical access to cardholder data.
PCI Compliance Standards state that if a company saves payment cardholder data, it must take proper precautions to protect it against unauthorized access, and restrict access to card data with strict security controls, in order to uphold cardholder data security guidelines.
Track and monitor all access to network resources and cardholder data.
As it suggests, it’s a requirement to track and monitor all access to resources across your entire network and cardholder data.
Compliance Management tools can help you keep track of this documentation so you always know where your information is being stored or accessed at any time by employees.
You must also track and monitor all access to network resources and cardholder data by vendors, suppliers, or other third-party entities.
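The unique-ID requirement and the track-and-monitor requirement are checked together in practice: an access log is only useful evidence if every entry can be tied to one named person. The following is an added example, not code from the original post: it reviews constructed access-log lines for a cardholder-data store, flagging shared accounts, identities missing from the approved roster, and third-party access with no change ticket. The log format (key=value fields after a timestamp), the roster, and the ticket rule are all assumptions made for the illustration.

```python
"""Access-log review for cardholder data (added example, not from the post).

Assumptions: logs are 'timestamp key=value key=value ...' lines; the roster
is exported from your directory; third-party access must cite a ticket.
"""
from collections import Counter

# Identities permitted to touch cardholder data, with their type (constructed).
ROSTER = {
    "jsmith": "employee",
    "mlee": "employee",
    "acme_support": "third_party",
}

# Shared or generic accounts: using them defeats "a unique ID for each person".
SHARED_ACCOUNTS = {"admin", "root", "sa", "postgres", "support"}

# Only objects under this prefix hold cardholder data in this constructed schema.
CHD_PREFIX = "cardholder."

# Constructed sample log lines (hostnames, users and objects are made up).
SAMPLE_LOG = """\
2022-03-05T09:12:01Z host=chd-db user=jsmith action=SELECT object=cardholder.pan result=ok
2022-03-05T09:14:40Z host=chd-db user=admin action=SELECT object=cardholder.pan result=ok
2022-03-05T09:20:13Z host=chd-db user=tmp_contractor action=EXPORT object=cardholder.pan result=ok
2022-03-05T10:02:55Z host=chd-db user=acme_support action=UPDATE object=cardholder.pan result=ok ticket=CHG-1042
2022-03-05T10:45:09Z host=chd-db user=acme_support action=SELECT object=cardholder.pan result=ok
2022-03-05T11:00:00Z host=chd-db user=mlee action=SELECT object=inventory.stock result=ok
this line is corrupt and has no fields
"""


def parse_entry(line):
    """Split 'ts k=v k=v ...' into a dict, or return None if the line is not in that shape."""
    parts = line.split()
    if len(parts) < 2 or any("=" not in p for p in parts[1:]):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["ts"] = parts[0]
    return fields


def review(log_text, roster=ROSTER):
    """Return a list of findings, each {'line': n, 'user': u, 'finding': text}."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            # A log you cannot parse is a log you cannot monitor: flag it, do not skip it.
            findings.append({"line": n, "user": None, "finding": "unparseable log entry"})
            continue
        if not entry.get("object", "").startswith(CHD_PREFIX):
            continue                      # not cardholder data; outside this review
        user = entry.get("user", "")
        if user in SHARED_ACCOUNTS:
            findings.append({"line": n, "user": user,
                             "finding": "shared account used for cardholder data access"})
        elif user not in roster:
            findings.append({"line": n, "user": user,
                             "finding": "identity not in approved roster"})
        elif roster[user] == "third_party" and "ticket" not in entry:
            findings.append({"line": n, "user": user,
                             "finding": "third-party access without change ticket"})
    return findings


def access_summary(log_text):
    """Count cardholder-data accesses per identity, for the periodic access review."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.get("object", "").startswith(CHD_PREFIX):
            counts[entry.get("user", "?")] += 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print("line %d user=%s: %s" % (f["line"], f["user"], f["finding"]))
    print(dict(access_summary(SAMPLE_LOG)))
```

The corrupt line is reported rather than silently dropped: a gap in the record is itself a monitoring failure. The per-identity summary is what feeds the periodic review of who still needs access to cardholder data.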
Regularly test information systems and processes.
One key requirement is that PCI compliant companies must regularly test their security systems and processes. This could be done by conducting internal PCI penetration tests or hiring external PCI penetration testers to help manage PCI compliance.
*** TIP: We encourage our clients to conduct an initial self-assessment questionnaire, to identify any potential gaps in their technology and potential for PCI Compliance breaches. ***
Provide staff training on the importance of data protection.
Just as is recommended in cybersecurity awareness training, your teams need to be trained on the operational requirements for the effective and compliant management of sensitive data – in this case, credit card data and stored cardholder data.
By keeping teams up-to-date through ongoing and regular training, you reduce the risk of data leaks, and critical process steps falling through the gaps.
Each of these PCI DSS requirements aims to nurture strong access control measures and uphold industry data security standards that protect credit card data and a number of other security parameters.
By achieving these 12 requirements consistently, you can be sure that you have a secure cardholder data environment whose technical and operational standards are secure.
6. How much does it cost to become PCI compliant?
This will depend on a wide variety of factors, such as the size of your organization, the robustness of your information systems, the know-how of your staff, and much more.
Becoming PCI compliant requires the infrastructure of your compliance set-up to be fine-tuned so that your security systems and teams can consistently deliver on the 12 requirements to the industry data security standard.
As you regularly test the security of your systems inside your organization and work to maintain a secure network, you’ll also incur costs as you work to patch security vulnerabilities.
These consistent data security measures are crucial to protect stored cardholder data and sensitive authentication data.
However, the costs of PCI compliance violations and/or security breaches of sensitive data come at a considerably higher expense, so it’s a worthy investment in your information security management systems, regardless of where you currently find yourself.
Don’t get caught out because the financial and reputational damage can be dire.
7. We use a third-party processor. Do WE need to be PCI compliant?
The short answer is – YES.
Even if you are using third-party service providers like payment processors, you still have to maintain your PCI DSS requirement.
You might find your compliance risk is reduced when you engage with the payment processing industry, but at the end of the day – you are still responsible for meeting the relevant PCI data security standards.
8. What's new in Version 3.2 of PCI DSS?
PCI DSS 3.2 is the biggest change since the introduction of PCI DSS compliance back in 2004.
PCI 3.2 introduces a new requirement in protecting cardholder data and includes updates to many existing requirements as well as guidance on how organizations can improve their overall security posture.
In PCI 3.2, cardholder data is defined as: “any Personally Identifiable Information (PII) that is used to authenticate a Customer Account or its Owner.”
PCI DSS Requirement 3.2 mandates the protection of such information and calls for all merchants and entities in the PCI Ecosystem to determine the location of cardholder data within their IT environments.
PCI DSS 3.2 applies to all entities that store, process or transmit cardholder data and includes the processing of any sensitive authentication data such as Security Authentication Chips (CHIPs) on Payment cards or PINs/CVs from a chip-enabled Payment Card.
9. Changes to TLS/SSL encryption protocols for 2022.
Starting in 2022, PCI DSS 3.2 will require all website certificates to be signed with TLS 1.3 or higher protocols that are compliant with PCI DSS.
These protocols include TLS 1.3, TLS 1.2, and SSLv3 – all of which have a direct impact on PCI Compliance processes such as vulnerability scanning, network scans, and penetration testing among others.
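Both the encryption-in-transit requirement above and this section come down to what a server is willing to negotiate. The following is an added example, not code from the original post or from any PCI SSC document: it builds a server-side `ssl.SSLContext` with a TLS 1.2 floor (an assumption for this illustration, in line with the NIST SP 800-52 guidance the post points to) and evaluates the protocol and cipher lists a vulnerability scanner reports for an endpoint, flagging SSLv3 and earlier TLS versions. The hostnames and scan results are constructed.

```python
"""TLS policy for cardholder data in transit (added example, not from the post).

Assumption: the floor is TLS 1.2, so SSLv2, SSLv3, TLS 1.0 and TLS 1.1 fail.
Scan results and hostnames below are constructed.
"""
import ssl

# Protocol versions the check treats as failing (assumption: floor is TLS 1.2).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Cipher-name fragments that indicate a weak or unauthenticated suite.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "anon", "ADH", "AECDH")

# Constructed scanner output: endpoint -> (protocols offered, cipher suites offered).
SCAN_RESULTS = {
    "payments.example.com:443": (["TLSv1.2", "TLSv1.3"], ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]),
    "legacy-pos-gw.example.com:443": (["SSLv3", "TLSv1.0", "TLSv1.2"], ["RC4-SHA", "AES256-SHA"]),
}


def hardened_server_context():
    """Server context that refuses anything below TLS 1.2.

    Call ctx.load_cert_chain(certfile, keyfile) on the result before use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Forward-secret AEAD suites only for TLS 1.2 (TLS 1.3 suites are all AEAD
    # and are configured separately by OpenSSL).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def context_summary(ctx):
    """Plain-data view of the policy a context enforces, for evidence or reporting."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def assess_endpoint(protocols, ciphers):
    """Findings for one endpoint from the protocol and cipher lists a scanner reports."""
    findings = []
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append("weak protocol enabled: %s" % proto)
    if not any(p.startswith(("TLSv1.2", "TLSv1.3")) for p in protocols):
        findings.append("no TLS 1.2 or 1.3 offered")
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher enabled: %s" % suite)
    return findings


def assess_all(results=SCAN_RESULTS):
    """Map endpoint -> findings for every endpoint with at least one failure."""
    out = {}
    for endpoint, (protocols, ciphers) in results.items():
        findings = assess_endpoint(protocols, ciphers)
        if findings:
            out[endpoint] = findings
    return out


if __name__ == "__main__":
    print(context_summary(hardened_server_context()))
    for endpoint, findings in assess_all().items():
        print(endpoint)
        for f in findings:
            print("  -", f)
```

Setting `minimum_version` is what actually removes the old protocols from the handshake; the summary function exists so the enforced policy can be recorded as evidence rather than asserted. The cipher check is deliberately a denylist of known-bad fragments, so a suite without forward secrecy such as `AES256-SHA` passes it; tighten `WEAK_CIPHER_MARKERS` if your policy also requires ECDHE.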
PCI compliance is a complex and ever-evolving entity that requires you to stay up to date on new regulations.
PCI DSS 3.2 will be in effect for another three years, but the PCI council has already begun drafting standards for PCI compliance 4.0.
Organizations should begin developing their PCI compliance strategy now so they are prepared when 4.0 comes out.
At Continuous Networks, we understand that PCI compliance is a large effort that requires extensive planning, organization, and maintenance on your part as a business.
We’re available to optimize and implement the information security management protocols and processes, to make the technical side of PCI compliance much easier for you.
To find out more, check out our PCI Compliance page.