PCI Compliance: A Definition

The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect customers’ payment data from being compromised and ensures the security of credit card transactions in the payments industry.

Ongoing Challenges to Implementing PCI DSS 4.0

Following the dot-com bubble, merchants were eager to leverage the Internet to increase revenues through e-commerce, a tactic that is well known in today’s fully digital world. But at that time, it was the “Wild West” when it came to regulating how this was done. Additionally, cybercriminals were already finding ways to infiltrate e-commerce websites, payment card processing systems and electronic retail point-of-sale networks. Thus, PCI compliance was born out of necessity.

PCI DSS is continuously evolving and adapting to the current world as the PCI Standard Security Council (PCI SSC) deems appropriate in consultation with industry stakeholders including PCI QSAs (Qualified Security Assessors), payment processors, large merchants and other payment industry participants. American Express, Visa, MasterCard and Discover are the four main payment card brands overseeing the council. 

Who Does PCI Compliance Apply To?

PCI compliance applies to any organization, regardless of size or number of transactions, that transmits, accepts, or stores cardholder data.

What Are the Four PCI Compliance Levels?

Regulations surrounding PCI DSS impact every aspect of a business accepting card payments. They apply to both the hardware and software that merchants use, from systems as intricate as the computers managing payments all the way to the PIN pad you swipe your credit card through. This is in addition to a variety of other technology and people processes, including security policy, procedures, security controls, and general data awareness.

But the same requirements don’t apply universally to all merchants. In fact, there are four PCI compliance levels that are determined by the number of transactions the organization handles each year. They are broken down as follows:

  • Level 1 Merchant: Any merchant processing over 6M Visa transactions per year, and any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the payment brands ecosystem. 
  • Level 2 Merchant: Any merchant processing 1M to 6M transactions per year. 
  • Level 3 Merchant: Any merchant processing 20,000 to 1M e-commerce transactions per year. 
  • Level 4 Merchant: Any merchant processing fewer than 20,000 e-commerce transactions per year and all other merchants processing up to 1M transactions per year. 

Requirements for PCI Compliance

There are 12 different PCI compliance requirements that covered entities must follow in order to handle credit card information in a secure manner. Failure to follow these requirements greatly increases your company’s risk of hacking, fraudulent activity, or data breach.

  1. Implement firewalls to protect data
  2. Appropriate password protection
  3. Protect cardholder data
  4. Encryption of transmitted cardholder data
  5. Utilize antivirus software
  6. Update software and maintain security systems
  7. Restrict access to cardholder data
  8. Unique IDs assigned to those with access to data
  9. Restrict physical access to data
  10. Create and monitor access logs
  11. Test security systems on a regular basis
  12. Create a policy that is documented and that can be followed

Benefits of PCI Compliance

Maintaining PCI compliance is about more than just avoiding hefty fines. Consistently assessing any gaps in your security program ensures the protection of sensitive cardholder information and the avoidance of theft and data breaches.

Additionally, companies are required to regularly provide compliance reports as part of their card processing agreements. By regularly monitoring and assessing your security program for PCI compliance, you can ensure that these compliance reports will be ready.

Other benefits of PCI compliance include maintaining a strong brand reputation, keeping customers happy, minimizing the risk of identity theft, and showing the public that you’re a responsible company dedicated to making security a priority. 

Why update to PCI DSS 4.0?

Here are the four main reasons: 

  1. The security threat landscape is evolving constantly. The new PCI DSS 4.0 offers a strong modern framework to defend against these threats.
  2. Your compliance with the PCI DSS is not a once-off event. It is a continuous journey that must be built into Business As Usual (BAU) practices.
  3. PCI DSS validation occurs annually. Whilst the old version will continue to exist for a period of time, it will be retired, rendering any program that complies with the old version of the standard obsolete and thus non-compliant.
  4. Complying with the latest version of your standard provides a clear signal to both your customers and the community that your organization takes data security seriously and is continually improving its practices in how cardholder data is stored, transmitted and processed.

However, businesses must plan ahead now. Some organizations may need to accommodate budgetary changes to adapt to the redesign of the PCI requirements, with a focus on additional data management as well as security testing. Executing on these changes will likely require staff training and upskilling, as well as new tools, including data discovery tools and solutions, to more thoroughly validate PCI DSS scope on an automated, recurring basis.

What’s Changing from v3.2.1 to 4.0? 

With version 4.0, PCI DSS is changing to support a range of evolving payment environments, technologies, and methodologies for achieving security. The ultimate goal of version 4.0 is to ensure that the standard continues to meet the ever-changing security needs of the high-risk financial services industry.

PCI DSS 4.0 places greater emphasis on security as a continuous process and will promote fluid data management practices that integrate with an organization’s overall security and compliance posture. The majority of changes to its requirements are achieved by changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’. Other changes include:

  • Authentication, with specific consideration for the NIST MFA/password guidance
  • Broader applicability for encrypting cardholder data on trusted networks
  • Monitoring requirements to consider technology advancement 
  • Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements
  • Elimination of Compensating Controls in favour of a customised compliance approach that can be tailored to an organization’s unique situation.

Preparing for PCI DSS 4.0 Compliance: A Checklist

If you are already compliant with PCI DSS 3.2.1, then you have a solid baseline to work from. However, PCI version 4.0 is expected to be stronger than the already comprehensive v3.2.1 and organizations will first need to understand how to quickly get organized and evaluate what is needed to achieve PCI compliance. Here is a quick PCI compliance checklist for you to get started.

  1. Understand which compliance level applies to your business 
  2. Have protocols and processes in place for privacy and compliance
  3. Establish accountability within the organization
  4. Provide compliance training for employees
  5. Appoint a Data Protection Officer (DPO)
  6. Regularly test your security systems
  7. Have a response plan in the case of a data breach
  8. Enforce both physical and technical safeguards 
  9. Ensure your security policy is up to date
  10. Understand the full scope of all cardholder data without assumption through the use of a data discovery tool

Get Ready for PCI DSS Compliance with Ground Labs

Resources and support are available to navigate version 4.0. In fact, the core of our Ground Labs Enterprise Recon PCI solution has been deeply rooted in PCI compliance since 2007 and is the global leader in PCI card data scanning. It allows organizations to discover and remediate cardholder data, as well as over 300 data types, including predefined types and variants that cover sensitive, personal and confidential data across an organization’s entire network, both on-premise and in the cloud. Its remediation functions can mask, encrypt or delete sensitive data, making it an effective solution to help organizations achieve and maintain PCI DSS compliance.

PCI DSS 4.0 represents the most comprehensive data security standard in PCI SSC’s 15-year history. Get ahead of the official release and ensure your organization is ready for it with the help of Ground Labs.

Have questions about PCI DSS 4.0 or are curious to learn more about how Enterprise Recon PCI can help you succeed? Schedule a demo with a PCI data discovery expert today.
