PCI DSS explained: Requirements, fines, and steps to compliance

Anyone who takes credit card payments needs to adhere to PCI DSS—and
may face fines if they fail
By Josh Fruhlinger

Contributing writer, CSO


MAY 16, 2022 12:12 PM PDT

PCI DSS meaning

PCI DSS is a cybersecurity standard backed by all the major credit card and payment
processing companies that aims to keep credit and debit card numbers safe. PCI DSS
stands for Payment Card Industry Data Security Standard.

Companies can demonstrate that they've implemented the standard by meeting the
reporting requirements laid out by the standard; those organizations that fail to meet the
requirements, or who are found to be in violation of the standard, may be fined.

What is PCI DSS used for?

PCI DSS, which is administered by the Payment Card Industry Security Standards
Council, establishes cybersecurity controls and business practices that any company that
accepts credit card payments must implement.

Credit and debit card numbers are probably the most valuable sequences of digits
around: anyone with access to them can immediately make fraudulent purchases and
drain money from user accounts. Because banks and other credit card issuers will
generally refund their customers in these situations, they have a vested interest in
ensuring that credit card numbers remain secure as they are transmitted across the
economic ecosystem.

The PCI Security Standards Council was created by these industry players to make sure
that transactions involving credit card numbers are as secure as possible. The Council lays
down several security standards that organizations in different industry segments must
implement: for instance, PCI PTS covers manufacturers of PIN-based devices, and PCI
PA-DSS governs software developers writing code that manages cardholder data.

Who does PCI DSS apply to?

PCI DSS, the most wide-ranging of the Council's standards, applies to "any entity that
stores, processes, and/or transmits cardholder data," which means that any organization
that accepts credit card payments—which is to say, virtually any organization that
sells anything or accepts donations—must adhere to the standard.

Compliance with PCI DSS represents a baseline of security, and is certainly not a
guarantee against being hacked. As we'll see, compliance can be quite complex, and it's
difficult to say with certainty that every aspect of an organization's security is compliant
100% of the time. Some have argued that the credit card and payment companies that
make up the PCI Security Standards Council use PCI DSS to shift security responsibilities
and the financial burden of breaches onto retailers.

When did PCI DSS become mandatory?

PCI DSS compliance became mandatory with the rollout of version 1.0 of the standard on
December 15, 2004. But we should pause here to talk about what we mean by
"mandatory" in this context. PCI DSS is a security standard, not a law. Compliance with it
is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard,
etc.) and with the banks that actually handle their payment processing.

And, as we'll see, for most companies compliance with the standard is achieved by filling
out self-reported questionnaires. For those merchants, PCI DSS compliance mainly
becomes "mandatory" in retrospect: if a breach occurs that can be traced back to a failure
to implement the standard correctly, the merchant can be sanctioned by their payment
processors and the card brands. Merchants may be required to undergo (and pay for) an
assessment to ensure that they've improved their security, which we'll discuss in more
detail later in this article; they may also be required to pay fines. Very large companies
may be required to undergo assessments conducted by third parties even if they haven't
suffered a breach.

PCI DSS fines

When merchants sign a contract with a payment processor, they agree to be subject to
fines if they fail to maintain PCI DSS compliance. Fines can vary from payment processor
to payment processor, and are larger for companies with a higher volume of payments. It
can be difficult to pin down a typical fine amount, but IS Partners provides some ranges in a
blog post. For instance, fines are assessed per month of non-compliance and the per-
month charge increases for longer periods, so a company might pay $5,000 a month if
they're out of compliance for three months, but $50,000 a month if they go as long as
seven months. In addition, fines ranging from $50 to $90 can be imposed for each
customer who's affected in some way by a data breach.

Again, keep in mind that these aren't "fines" in the same sense that, say, you'd pay for
violating some government regulation or traffic law; they're penalties built into a contract
between merchants, payment processors, and card brands. Generally the card brands
fine the payment processors, who in turn fine the merchants, and the whole process is not
necessarily based on the same standards of evidence one would expect in a criminal
court, though disputes can end up in civil court.

A 2012 case involving Utah restaurateurs Stephen and Cissy McComb brought some of
the murky world of PCI DSS fines into the limelight; the McCombs claimed that they had
been accused of lax security based on no evidence and that $10,000 had been improperly
siphoned from their bank account by their payment processor. In 2013, Tennessee shoe
retailer Genesco fought back against a $13 million PCI DSS fine leveled in the wake
of a major data breach, eventually recovering $9 million in court.

Still, most merchants seek to avoid having to pay these fines by ensuring that they comply
with the PCI DSS standard. So let's dive into the details of what that entails.

PCI DSS requirements

The PCI DSS standard lays out 12 fundamental requirements for merchants. We're listing
the requirements for version 4.0 here, though they largely parallel the requirements in 3.2.
(We'll discuss this transition in more detail in a moment.)

1. Install and maintain network security controls to prevent unauthorized access to
systems.

2. Apply secure configuration to all system components. It may seem obvious to
say this, but it's particularly important to not use vendor-supplied defaults for system
passwords and other security parameters.

3. Protect stored account data; and...

4. Use strong cryptography when transmitting cardholder data across open,
public networks. These two requirements ensure that you protect data both at rest
and in motion.

5. Protect systems and networks from malicious software. Malware is a tool
hackers use to gain access to stored data, so constant vigilance is required.

6. Develop and maintain secure systems and applications. You need to not only roll
out security measures, but make sure they're up to date.

7. Restrict access to cardholder data by business need-to-know. This is a
fundamental basis of data security generally, but is especially important when it
comes to financial data.

8. Identify users and authenticate access to system components. Not only will this
protect against unauthorized data access, but it will allow investigators to determine
if an authorized insider misused data. It’s particularly important that each authorized
user have their own access ID, rather than a single shared ID for all employees who
access an account.

9. Restrict physical access to cardholder data. Not all data theft is a result of high-
tech hacking. Make sure nobody can simply walk off with your hard drive or a box of
receipts.

10. Log and monitor all access to network resources and cardholder data. This is
one of the most commonly violated requirements, but it's crucial.

11. Regularly test security systems and processes, and...

12. Maintain a policy that addresses information security. These last two
requirements ensure that the steps you take to meet the previous ten are effective
and become part of your organization's institutional culture.

What does it mean to be PCI DSS compliant?

PCI DSS compliance comes from meeting the obligations laid down by these
requirements in the way best suited to your organization, and the PCI Security Standards
Council gives you the tools to do so. The RSI security blog breaks down the steps in
some detail, but the process in essence goes like this:

1. Determine your organization's PCI DSS level. Organizations are divided into
levels (more on which in a moment) based on how many credit card transactions
they handle annually.

2. Complete a self-assessment questionnaire. These are available from the PCI
Security Standards Council website, and there are various questionnaires tailored to
how different companies interact with credit card data. If you only take card
payments online via a third party, you'd fill out Questionnaire A, for instance; if you
use a standalone payment terminal connected to the internet, you'd go with
Questionnaire B-IP. Each questionnaire determines how well your organization
adheres to the PCI DSS requirements, tailored as appropriate by the ways in which
you interact with customer credit card data.

3. Build a secure network. The answers you give on your questionnaire will reveal any
weak spots in your credit card infrastructure and requirements you fail to meet, and
will guide you in plugging those holes.

4. Formally attest your compliance. An AOC (attestation of compliance) is the form
you use to signal that you've achieved PCI DSS compliance. Finishing your
questionnaire with no "wrong" answers means that you're ready to go.

As should be clear, the questionnaires provide a sort of PCI DSS compliance checklist.
However, don't let this be the end of your security journey. As David Ames, principal in the
cybersecurity and privacy practice at PricewaterhouseCoopers, told CSO Online's Maria
Korolov, "we have seen that concentrating strictly on standalone compliance efforts can
produce a false sense of security and an inappropriate allocation of resources. Use the
PCI DSS as a baseline controls framework that is supplemented with risk management
practices."

PCI DSS levels

As noted, the PCI DSS standard recognizes that not all organizations have equal risk
factors or equal capability to roll out security infrastructure. The specific requirements for
meeting the standard that your organization will need to meet will depend on your
company's level, which is in turn determined by how many credit card transactions you
process annually:

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

What's new in PCI DSS 4.0?

The PCI DSS standard has of course had to evolve with the times, as both security
technology and hacker techniques have evolved. As John Bambenek, a principal threat
hunter at IT and digital security operations company Netenrich, puts it, "One of the
problems with crafting regulations or pseudo-regulations, like PCI-DSS, is that technology
changes and what was once a meaningful security control ceased to be one."

Still, PCI DSS 3.2 had been the most up-to-date version of the standard since 2016. But
PCI DSS 4.0 was in the works for a while, developed with industry feedback, and was
finalized in April of 2022. Changes include:

Terminology around firewalls has been updated to refer to network security controls
more generally, to support a broader range of technologies used to fill firewalls'
traditional role. "Firewalls mattered 20 years ago," says Bambenek. "You can't get rid
of them, but what you really want are network security controls that can do
meaningful analysis and policy on a per-session basis, so the regulations needed to
be changed."

Requirement 8 now goes beyond just requiring a unique ID for each person with
computer access—a requirement generally fulfilled by assigning a username and
password—and now mandates multi-factor authentication (MFA) for all access into
the cardholder data environment.

Organizations now have increased flexibility to demonstrate how they are using
different methods to achieve the security objectives outlined in the standard.

Organizations can now also conduct targeted risk analyses, making it more flexible
for them to define how frequently they perform certain activities. This allows them to
better match their security posture with their business needs and risk exposure.

If you're still using PCI DSS 3.2, don't panic: the older version of the standard won't be
retired until March of 2024, leaving you plenty of time to transition.

Who is responsible for PCI compliance?

Every organization will have a somewhat different take on who should lead its PCI
compliance team, based on its structure and size. Very small businesses who have
outsourced most of their payment infrastructures to third parties generally can rely on
those vendors to handle PCI compliance as well. At the other end of the spectrum, very
large organizations may need to involve executives, IT, legal, and business unit
managers. The PCI Security Standards Council has an in-depth document, "PCI DSS for
Large Organizations," with advice on this topic; check out section 4, beginning on page 8.

PCI DSS certification vs PCI DSS assessment

There's no such thing, in the world of PCI DSS, as "certification." As we've discussed, the
most common means of showing compliance with the PCI DSS is by completing the
appropriate questionnaire and submitting an attestation of compliance (AOC). This
process is known as self-assessment.

Copyright © 2023 IDG Communications, Inc.