Understanding PCI DSS Compliance

The PCI Security Standards Council (PCI SSC) has created more than 250 technical and operational requirements to protect credit card data known as Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS standards form a comprehensive cybersecurity framework and outline best practices your organization should implement to protect sensitive cardholder data from being stolen and misused by attackers.

If your organization accepts, stores, processes, or transmits credit card information, you are subject to PCI compliance.

Whether you’re new to PCI compliance or you’re wanting to streamline and mature your existing framework and procedures, you’ll find this PCI compliance page a great resource for all of your PCI DSS needs.

What is PCI Compliance?

The Payment Card Industry Data Security Standards (PCI DSS) is a set of more than 250 technical and operational requirements established by the PCI Security Standards Council (PCI SSC).

You can use PCI DSS as best practice measures to develop your PCI DSS framework to help your organization meet industry requirements to protect sensitive cardholder data from theft or misuse.

All organizations that accept, store, process, or transmit credit card information, should meet PCI compliance standards.

PCI Compliance and Organizational Accountability

Meeting or exceeding PCI DSS shows your customers, partners, and insurers that you have a PCI-compliant and robust program to protect cardholder data.

Your organization can emphasize how well you meet these compliance standards by completing an assessment from an independent qualified security assessor (QSA) who can certify that your organization’s existing security procedures meet PCI DSS requirements. An approved scanning vendor (ASV) can validate if your vulnerability scan practices meet PCI scan requirements.

If you successfully meet those requirements, your organization can receive an Attestation of Compliance report, which you must review each year.

If you are not required to submit a Report on Compliance (ROC), you can complete a self-assessment questionnaire to self-assess how well you’re meeting compliance standards.

Failing to meet PCI compliance standards can have a range of negative consequences including significant financial penalties, potential risk of data breaches, and damage to your brand and reputation.

Simplify Your PCI DSS Compliance with Apptega

You can easily build, manage, and report your PCI DSS compliance procedures and overall cybersecurity program within a cybersecurity management software solution like Apptega. Say goodbye to complex GRCs, spreadsheets, and word processing documents and say hello to a single program that will enable you to map all your cybersecurity frameworks in one place.

Here’s a quick overview of how it works:
  • Log into the solution and select the “PCI DSS framework” option.
  • Apptega will instantly design your entire program.
  • If you are using additional cybersecurity frameworks such as NIST, SOC 2, ISO and others, you can use the Harmony capability in Apptega to automatically crosswalk all frameworks to minimize your compliance overhead.
  • From there, you can manage your PCI compliance program including real-time compliance scoring, task management, budgeting, collaboration, and more.
  • Finally, generate one-click reports for audits, board meetings, and customer requests.

Understanding PCI Compliance

When cyber criminals began targeting credit card data in the late 1990s, industry professionals quickly understood they needed to work together to create standards to help protect this sensitive data from would-be attackers. From there, the idea of a credit card security framework was born.

The first version of the PCI DSS framework, unveiled in 2001, was representative of cybersecurity frameworks used by a variety of companies in the credit card industry. The most recent version represents a unification of the industry’s technical and operational requirements to protect cardholder data.

There are 12 core requirements and 251 sub-controls that comprise PCI DSS, including:
  • Firewall configurations
  • Changing vendor-supplied defaults
  • Protection of stored data
  • Data transmission encryption
  • Use of anti-virus software
  • Developing and maintaining secure systems
  • Data access restrictions
  • Identification and authentication requirements
  • Physical access restrictions
  • Data access tracking and monitoring
  • Tests of security systems
  • Creating and maintaining a security policy
In this PCI DSS compliance guide, you’ll learn more about best practices including:
  • An overview and history of PCI DSS
  • Risks related to non-compliance
  • What merchant levels are and what they do
  • Roles and responsibilities for stakeholders
  • PCI DSS requirements
  • Methods for scoping and descoping
  • Audit processes
  • Milestones

PCI DSS Compliance Video Demo

Managing PCI DSS compliance is challenging. With more than 12 requirements and 251 sub-controls, many organizations just aren’t sure where to begin. Others have built their programs from scratch and struggle with updates, improvements, gap analyses, and responding to audits because they lack consistency and reliability with how they document their compliance procedures.

If your organization still uses a complex GRC, spreadsheets, or static word processing documents to manage your PCI compliance framework, you may feel frustrated and inefficient. But you don’t have to.

A cybersecurity management platform can help your organization—large or small—more accurately and efficiently report on PCI DSS compliance, whether you’re just getting started or you’ve been managing PCI since its release.
In this video demo, you’ll learn more about how a cybersecurity framework solution can help you:
  • Prepare for your next audit
  • Track and manage all of your tasks, risks, and controls
  • Simplify your program management
  • Monitor your compliance
  • Generate reports that are easy to understand by all your key stakeholders.

Leap Credit Case Study

Leap Credit LLC provides a variety of credit services for customers, including tools that enable clients to quickly apply for and get approval on short-term loans. The company’s loan management platform can write loans within six seconds and can fund those loans within five minutes. In less than a year, the company grew from operating in one state to eight.

With that quick growth, the company was suddenly required to comply with a broad range of regulatory standards, including Payment Card Industry Data Security Standards, and prove it had proper controls in place to meet all of those standards.

Before its growth, Leap Credit used spreadsheets to manage compliance but soon found itself in need of a better and more efficient solution. Enter Apptega.

Want to learn how they did it? Download the Leap Credit case study for the full story.
This case study explores how Leap Credit implemented Apptega to:
  • Evaluate cybersecurity vulnerabilities within the organization and record progress on remediation efforts
  • Encourage collaboration across multiple departments such as human resources, legal, operations, and accounting
  • Easily report metrics to executives and stakeholders

Should Your Organization Be PCI Compliant?

Regardless of industry, if your organization accepts, stores, processes, or transmits credit card information, you are subject to PCI compliance. Based on the industry you’re in, here are a few ways a cybersecurity and compliance platform can help you manage your PCI DSS compliance framework:

Retail

Maintain your professional reputation while keeping your clients’ financial data secure.

Dining, Travel, & Leisure

Protect your brand and reputation by ensuring you’re protecting your customers’ credit card information.

Healthcare

Cyber-attacks on the healthcare industry are on the rise, so provide your patients with peace of mind with PCI-compliant data security standards.

Internet & Technology Providers

Receive and maintain credit card data with confidence while protecting your brand and company reputation.

Nonprofits

Nonprofit agencies process thousands of credit cards per year, so it’s crucial to include PCI DSS compliance standards in your overall security program.

Financial Services & Insurance

As heavily-regulated sectors, it's imperative you demonstrate that you have the right security protocols in place.

Energy & Utilities

Demonstrate that your company maintains the highest standards for financial data security.

Professional Services

Safeguard your clients' credit card information and protect your brand and reputation.

Other Industries

Include PCI DSS compliance as part of your insurance plans and your protection against data theft.

PCI Compliance Made Easy

With Apptega, organizations of all sizes are saving time and money and eliminating PCI DSS compliance frustrations. Apptega is a comprehensive platform that enables you to build, manage, and report your cybersecurity program’s success, including a variety of compliance frameworks such as PCI DSS.

Here are some of its core benefits:
  • Reduce overhead of aligning with multiple frameworks
  • Promote accountability and accelerate adoption
  • Streamline implementation and expansion
  • Reduce the risk of audit findings and the resulting cost of remediation
  • Improve customer retention
  • Reduce the cost of cybersecurity risk assessments
  • Rely on our award-winning customer support and services teams

Understanding PCI DSS Controls

The PCI Security Standards Council was formed in 2006, representing credit card industry leaders American Express, MasterCard, Discover, Visa, and JCB International.

Together, they draw on industry expertise and best practices to develop standards to protect sensitive credit card data. PCI DSS represents those standards and creates a framework all organizations can implement to protect cardholder information.

PCI DSS represents 251 requirements organized into 12 core areas. These 12 requirements are “controls.” To achieve PCI DSS compliance you must demonstrate you meet these requirements and successfully pass an assessment from a qualified security assessor.

Here is a quick look at those 12 controls and what they mean for compliant organizations:
Build and Maintain a Secure Network
  • Firewall Configurations
    Install and maintain a firewall configuration to protect all cardholder data
  • System Defaults Management
    Ensure vendor-supplied defaults are changed and unnecessary default accounts are disabled before installing systems on your network
Protect Cardholder Data
  • Stored Cardholder Data Protection
    Use industry-accepted algorithms to encrypt stored cardholder data and limit data retention time.
  • Encrypt Cardholder Data
    Incorporate encrypted transmissions for sending cardholders’ primary account numbers (PAN) over public and open networks.
Maintain a Vulnerability Management Program
  • Anti-virus Software
    Use and regularly update anti-virus software or programs, including use on all systems vulnerable to malware, breaches, compromise, or attacks. Make sure your point-of-sale (POS) and other third-party vendors also employ updated anti-virus software.
  • Secure Systems and Applications
    Keep your systems and applications updated with the latest patches and security fixes so attackers cannot exploit known security vulnerabilities.
Implement Strong Access Control Measures
  • Restrict Access to Cardholder Data
    Maintain a need-to-know policy for cardholder data, including a role-based access control (RBAC) system.
  • ID Management
    Make sure every person with computer access has a unique, complex, and detailed ID.
  • Restrict Physical Access to Cardholder Data
    Restrict physical access to cardholder data. Don’t keep sensitive files in the open, and always maintain a current list of authorized payment device users.
Regularly Monitor and Test Networks
  • Track and Monitor Networks
    Track and monitor all access to network resources and cardholder data. For example, install log management technologies to monitor access and review logs daily.
  • Test Security Systems
    Regularly test security systems and processes. For example, plan penetration tests and conduct ongoing vulnerability scans.
Maintain an Information Security Policy
  • Information Security Policy
    Keep updated documentation of your policies and procedures; it serves as evidence of compliance. Your policy should address information security for employees and contractors.

Steps for PCI DSS Compliance

While the Payment Card Industry Security Standards Council manages PCI standards, each credit card company has leeway to enforce its own compliance measures. While the payment card company’s requirements should guide your PCI DSS compliance procedures, here are some basic steps, as outlined by PCI SSC, you can take toward compliance.

  1. Determine Scope
     Determine which of your devices, systems, components, and networks are in scope for PCI DSS
  2. Assess Compliance
     Assess compliance by completing the testing steps determined for each PCI DSS requirement
  3. Complete Reports
     Complete (or have your assessor complete) required reports, including documenting all controls
  4. Complete AOC
     Complete an Attestation of Compliance (AOC)
  5. Submit Self-assessment
     Submit your self-assessment questionnaire, AOC, report on compliance, ASV scan report, and other documents to your acquirer or payment brand requestor
  6. Remediate Gaps
     If gaps are discovered, implement actions to remediate requirements and then complete an updated report

How to Map PCI DSS to the NIST Cybersecurity Framework

Many organizations in a variety of industries rely on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop their cybersecurity programs and then mature them over time. The NIST framework provides a solid foundation for cybersecurity, and it shares common goals with PCI DSS: protecting sensitive data and improving data security.


Mapping Made Simple

If you already have the NIST Cybersecurity Framework in place, you may wonder whether you can map PCI DSS to it. The answer is yes. Aligning the two can help you align your organization’s overall cybersecurity and compliance objectives and create a better understanding of the effectiveness of your security procedures.

Apptega's Intelligent Framework Mapping, known as Harmony, allows you to automatically crosswalk and consolidate all shared controls, sub-controls, resources, and activities across multiple frameworks within your program. With this capability, you can significantly improve efficiency and reduce overhead.

The PCI Security Standards Council created an in-depth guide that outlines how to map PCI DSS v3.2.1 to NIST’s Cybersecurity Framework v1.1.

PCI DSS Merchant Compliance Levels

All PCI merchants are classified into one of four compliance levels. These levels are based on credit or debit card transaction volume during a 12-month period. This includes the transaction volume for all credit, debit, and prepaid transactions.

Merchant Level 1

Any merchant—regardless of acceptance channel—processing more than 6 million credit or debit card transactions per year. Level 1 merchants should conduct an annual internal audit and each quarter should have an ASV conduct a PCI scan.

Merchant Level 2

Any merchant—regardless of acceptance channel—processing 1-6 million transactions per year. Level 2 merchants should do a self-assessment questionnaire each year and could be subject to a quarterly ASV PCI scan.

Merchant Level 3

Any merchant processing 20,000 to 1 million ecommerce transactions per year. Level 3 merchants should do an annual self-assessment and may be required to have quarterly ASV PCI scans.

Merchant Level 4

Any merchant processing fewer than 20,000 ecommerce transactions per year and all other merchants—regardless of acceptance channel—processing up to 1 million transactions per year. Level 4 merchants should conduct an annual self-assessment questionnaire and may need to have a quarterly ASV PCI scan.

PCI Compliance Blog Snapshots

9 Quick Tips for PCI Compliance

PCI compliance is an integral part of ensuring your customers’ credit card information is safe. But how do you ensure you’re compliant and your systems are secure? PCI SSC has 9 tips to help you fight against credit card data breaches. Tips range from using validated payment software for all point-of-sale systems and websites to regularly checking devices to ensure no one has installed unapproved or malicious software or skimming devices. This blog highlights those tips and takes a deeper dive into PCI DSS from a broad scope, including compliance requirements, what happens when you’re not in compliance, and how you can ensure compliance regardless of business phase.

Why Internal Audit and IT Should Fight Together Against Cyber Breaches

Organizations of all sizes create departmental—and as a result, data—silos, often fueled by disparate technologies, various schedules, and geographically dispersed teams. But today’s cybersecurity requires cross-collaboration across multiple teams and stakeholders. Internal auditors play an important role in collaboration and in encouraging teams to work together, and they can help find gaps in your IT and cybersecurity programs so you can resolve them before a breach or before proving program success to an external auditor or assessor. Improving communications between internal audit and IT teams can lead to a thorough examination of your security and compliance programs to better mitigate risks and improve your security posture.

SOC 2, CIS, NIST, ISO 27001, PCI and more. How do you choose?

Because of an increasing number of data breaches and cyber-attacks across all industries, more organizations are investing time, resources, and talent into building robust and resilient cybersecurity and compliance programs. While some work with outside teams, many build their programs on-site using a variety of security frameworks to help protect their systems and data. From SOC2 to NIST, from ISO to PCI, which security framework is right for you? This blog takes a quick look at 11 different security frameworks that are applicable across many industries and outlines what makes each unique and highlights the potential benefits each can add to your cybersecurity program.

PCI Compliance Webinars

How to Choose Which Cybersecurity Framework to Follow

When it comes to creating compliance and cybersecurity programs, there are a number of frameworks you can choose from, or you can draw on the best practices of several, to construct a unique program that works best for your organization. But if you’re new to this, how do you know which one to choose? This on-demand webinar will give you an overview of more than 20 major frameworks, talk about similarities and differences in some, and then outline how you can manage multiple frameworks within a single platform for unprecedented visibility and insight.

Secrets to Passing a Cybersecurity Audit: An Auditor's Perspective

It’s one word that makes teams across industries hold their collective breath: audit. That’s because audit preparation is time-consuming and resource-depleting, and pulls your team members away from daily tasks so you have everything ready when your audit begins. In this on-demand webinar, learn from industry professionals who’ve been involved in audits at organizations around the globe. They’ll share pitfalls and tips to help you avoid them, including recommendations to mitigate risks for a successful audit. You’ll also learn new approaches to engage with auditors and provide them with the data they need to support your success.

PCI Compliance Made Easy with Apptega

PCI has almost 100 security elements, or 100 separate projects, that should be documented, staffed, managed, and solved all together. Apptega is a cybersecurity framework platform that helps you organize your entire program—who’s accountable, what your policies are, when you need to complete tasks, how much you’re spending, and whether you’re on track, including real-time scoring down to the sub-control level.

Companies across all industries use Apptega to implement and report PCI DSS compliance. With ever-changing regulations and evolving business conditions, Apptega will help you be prepared for your next audit and customer inquiries.
How to Build Your PCI Framework with Apptega
  • Select from existing industry cybersecurity and privacy frameworks or create your own consolidated framework with configurable controls
  • Manage multiple cybersecurity frameworks in one place
  • Access real-time scoring, task management, calendar events, collaboration, budgets and vendor management all in one solution
  • Build, manage, and report on all your cybersecurity processes easily through a series of apps representing important controls within your program
With Apptega, you’ll have access to:
  • Simplified management of your vendor ecosystem
  • Granular tracking for specific frameworks or policies
  • Easy-to-understand dashboards to help you quickly identify gaps and improve your security posture
  • Preset checklists
  • Policy and plan templates
  • Audit-ready compliance reports
  • Certified cybersecurity professionals for additional support
PCI Frequently Asked Questions

PCI DSS is an abbreviation for Payment Card Industry Data Security Standards. These standards are technical and operational requirements established by the PCI Security Standards Council (PCI SSC) to protect cardholder data. Any organization that accepts, stores, processes, or transmits credit card information must meet PCI DSS standards. There are also requirements that directly affect software and app developers (Payment Application Data Security Standard (PA-DSS)), as well as those that create devices used for credit card transactions (PIN Transaction Security (PTS) requirements).

PCI DSS sets six core goals achieved through 12 individual requirements. While PCI SSC sets the security standards, each credit card brand determines compliance, validation levels, and enforcement. PCI DSS compliance is assessed by qualified security assessors (QSAs). Approved scanning vendors (ASVs) validate PCI DSS vulnerability scan requirements. The first version of PCI DSS debuted in 2001, representing best practices and frameworks in use by the industry’s major credit card companies. The most current version is v3.2.1.

PCI SSC is an abbreviation for the Payment Card Industry Security Standards Council. In 2006, American Express, Discover, MasterCard, Visa, and JCB International united to found the council. As a result, each credit card company includes PCI DSS in its individual data security compliance requirements. PCI SSC guides creation of PCI DSS with a mission to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” Learn more about PCI SSC at https://www.pcisecuritystandards.org/about_us.

Cardholder data, according to PCI SSC, is at a minimum the full primary account number (PAN) of a credit card or the full PAN along with any of these: cardholder name, expiration date, or service code. PCI SSC also requires protection of security-related information including sensitive authentication data such as the magnetic stripe data, chip data, PINs, PIN blocks, card validation codes, card validation values, and more.

To be PCI DSS compliant, any organization that accepts, stores, processes, or transmits credit card data must follow and adhere to all of the Payment Card Industry Data Security Standards, including its six goals, 12 core requirements, all of its base requirements, and hundreds of test procedures.

Any organization, regardless of size or industry, that accepts, stores, transmits, or processes cardholder data is subject to PCI DSS compliance.

Yes. As with many cybersecurity standards, if your organization uses third-party processors, PCI DSS applies to each of them. Utilizing third-party processors that are PCI DSS compliant helps reduce your risk of a potential data breach. While you should always ensure third-party compliance, don’t stop there. Always look down your supply chain. Do your vendors use other vendors that may access your cardholder data? If yes, you will want to make sure they’re compliant too, to help reduce your risks and exposures.

The primary purpose of PCI DSS is to protect sensitive cardholder data and reduce the likelihood of a data breach and risks associated with the loss of credit card information. Payment Card Industry Data Security Standards outline how you can prevent potential attacks or breaches, how these attacks can be detected within your systems, and what you should do in the event of a breach. In addition to reducing risks, being PCI DSS compliant builds trust with your customers, key stakeholders, and vendors. It demonstrates that you are taking proactive and industry-approved actions to keep their sensitive data safe.

If your organization, regardless of size or industry, accepts, stores, transmits, or processes cardholder data, then you should rely on PCI DSS to help you protect that data and reduce risks related to breaches and improper access to cardholder information.

PCI DSS essentially covers all of the technical and operational parts of your organization that are connected to or include credit cardholder information.

No. PCI DSS is not a federal law. It is a set of standards created by the Payment Card Industry Security Standards Council to help protect cardholder information and reduce the potential of a breach. While the government does not mandate PCI DSS compliance, some states include some PCI DSS requirements in their credit card protection laws. Although not a law itself, PCI DSS is part of merchants’ contractual agreements with credit card companies.

PCI compliance violations can create a range of financial and other penalties for organizations. In general, payment brands can choose to fine the merchant bank or acquiring financial institution that processes card transactions between $5,000 and $100,000 per month for violations. Banks often pass these fines along, so they end up directly affecting merchants. In the event of violations, a bank may choose to terminate its relationship with a merchant or impose higher transaction fees.

The four PCI compliance levels are based on credit or debit card transaction volume during a 12-month period. This includes the transaction volume for all credit, debit, and prepaid transactions. Organizations can use these levels to determine what they need to do to be PCI compliant. Level 1 is for merchants that process more than 6 million credit or debit card transactions each year. Level 2 is one to 6 million transactions each year. Level 3 is 20,000 to 1 million annual transactions. Level 4 is fewer than 20,000 annual transactions.

The newest version of the Payment Card Industry Data Security Standard is version 3.2. This update addresses new exploits and provides more clarity about how organizations can implement and maintain their PCI DSS controls. The most current version includes five new sub-requirements for service providers and two new appendices. PCI SSC retired version 3.1 in 2016.

PCI DSS in itself is a compliance framework for credit cardholder data and security. Additionally, if your organization uses the NIST Cybersecurity Framework, you can map your PCI DSS to your NIST framework. Mapping PCI DSS to your NIST Framework can help you align your organization’s cybersecurity and compliance objectives to create a better understanding of your overall security posture.