Some of the most publicized credit card data breaches have impacted big brands like Equifax, British Airways, Marriott Hotels, Target, and Capital One. But, in reality, small businesses are equally as vulnerable to cyber risks.
To help organizations of all sizes protect cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a global standard to enhance the security of payment account data.
PCI DSS compliance is mandatory for all merchants and service providers, whether you process one or one thousand credit card transactions.
In this article, we break down everything you need to know about PCI DSS and the steps to proving and maintaining compliance.
Our latest webinar on PCI DSS walks you through how to streamline and accelerate your road to compliance.
Why was PCI DSS established?
Let’s start with a bit of background on the PCI DSS framework. While ecommerce dates back to the 1970s, the first versions of the online shopping we know today only emerged in the mid-90s. Amazon and eBay led the way with the launch of their online marketplaces in 1995. Then, once PayPal released its digital payment system three years later, multiple ecommerce sites like Alibaba, IndiaMART, and Etsy began popping up in the years to follow.
These online transactions came with an unintended downside — the rise of data theft and fraud. Cyber criminals quickly found ways to infiltrate payment systems and steal confidential credit card information.
Payment brands responded by implementing security standards to protect their cardholder data. Eventually, the “Big Five” — Mastercard, Visa, American Express, Discovery, and JCB — decided to consolidate efforts and formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006.
What is PCI DSS compliance?
The Payment Card Industry Data Security Standards (PCI DSS) was created by the PCI SSC as a guide for entities that store, process, or transmit cardholder data. With established policies and procedures, the PCI DSS sets global standards to secure payment card transactions and protect the personal information of cardholders.
The PCI DSS is not a law, but it applies to all entities involved in the payment card ecosystem. Its compliance is also mandated by most major payment brands. Many jurisdictions, such as Nevada, Minnesota, and Washington, have also elected to incorporate PCI DSS into their regulations. Failure to comply can result in fines, penalties, or card processing restrictions.
Who needs to be PCI compliant?
PCI DSS compliance is mandatory for merchants, service providers, and any other organization involved in the payment card ecosystem.
PCI DSS defines merchants as “any entity that accepts payment cards bearing the logo of a PCI SSC participating payment brand as payment for goods and/or services.”
Service providers encompass a broader spectrum, including any entity “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.”
An organization can be both a merchant and a service provider. For example, an internet service provider is a merchant that accepts payment cards for monthly bills and is also a service provider if it hosts other merchants as customers.
4 Levels of PCI DSS compliance
PCI DSS compliance is mandatory for any entity that deals with cardholder data, but not all requirements will be the same. Factors such as the total number of transactions and particular cardholder data environment will determine the organization’s level and exact compliance requirements.
While each payment brand has their own compliance program and classifications, merchants generally fall into one of four levels:
- Level 1 Merchants: More than 6 million payment card transactions annually
- Level 2 Merchants: Between 1 million and 6 million payment card transactions annually
- Level 3 Merchants: Between 20,000 and 1 million payment card transactions annually
- Level 4 Merchants: Fewer than 20,000 online transactions annually
Service providers are classified into two levels:
- Level 1 Service Providers: More than 300,000 payment card transactions annually
- Level 2 Service Providers: Less than 300,000 payment card transactions annually
* Payment card transactions includes all in-person and online transactions
What are the requirements of PCI DSS?
The PCI DSS outlines six goals and 12 requirements for entities to enhance the security of cardholder data:
Build and maintain a secure network and systems
1. Install and maintain network security controls
2. Apply secure configuration to all system components
Protect account data
3. Protect stored accounts data
4. Protect cardholder data with strong cryptography during transmission over open public networks
Maintain a vulnerability management program
5. Protect all systems and network from malicious software
6. Develop and maintain secure systems and software
Implement strong access control measures
7. Restrict access to system components and cardholder data by business need-to-know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an information security policy
12. Support information security with organizational policies and programs
There are additional PCI DSS requirements in Appendix A
- Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
- Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
- Appendix A3: Designated Entities Supplemental Validation (DESV)
Note: Every payment brand will also have its own audit requirements.
Who are the professionals involved in PCI DSS?
PCI DSS compliance involves assessing and confirming that the security controls and requirements are sufficiently met by the entity. This involves any of the following PCI SSC qualified industry professionals:
- Qualified Security Assessor (QSA): An independent security organization certified by the PCI SSC to assess and validate an entity's adherence to PCI DSS
- Internal Security Assessor (ISA): An employee sponsored by their company to perform internal assessments, recommend remediation solutions, and act as a liaison with external PCI DSS auditors
- Approved Scanning Vendor (ASV): An organization qualified to use a set of data security services and tools to determine if a company is compliant with PCI DSS external scanning requirements
How do entities satisfy PCI DSS requirements?
Validation documents are used to convey an entity’s PCI DSS compliance to acquiring banks or payment brands.
Acquiring banks, also referred to as “acquirers” or “merchant banks,” are typically financial institutions that processes payment card transactions for merchants. Payment brands are the card agencies (e.g., Visa, Mastercard, American Express) responsible for implementing and enforcing PCI DSS.
Depending on its classification level or number of transactions, entities are either required to undergo a detailed PCI DSS assessment (performed by a QSA) and submit a Report on Compliance or may be eligible to conduct a self-assessment and submit a Self-Assessment Questionnaire. Both documents are accompanied by an Attestation of Compliance, signed by the entity and the QSA (if applicable).
Quarterly submission of an ASV scan report for network vulnerability scanning may also be required as part of compliance.
Report on Compliance (ROC): A detailed report that documents the results of a PCI DSS on-site assessment performed by QSA. ROCs are more comprehensive than the Self-Assessment Questionnaires, including information about the entity's cardholder data environment, how each requirement was assessed and validated, and samples selected by the QSA.
Self-Assessment Questionnaire (SAQ): An alternate validation report for entities that meet the SAQ Eligibility Criteria and are eligible to conduct self-assessments to satisfy PCI DSS compliance.
SAQs are relatively simpler compared to ROCs and composed of yes-or-no questions. There are nine different SAQs available — eight for merchants and one for service providers — depending on the entity’s environment.
To determine whether an entity is eligible to complete an SAQ and which SAQ is appropriate, it’s best to contact the acquiring bank or payment brand.
Attestation of Compliance (AOC): A declaration of the results of a PCI DSS assessment or audit, completed and signed by the entity and the QSA (if applicable). AOCs are submitted to the acquiring bank or payment brand, along with the ROC, SAQ, and any other documentation.
The table below shows exactly what’s required for each level of PCI compliance:
| Merchant levels of PCI Compliance | |
| Merchant Level 1 | Validation includes an ROC by a QSA, quarterly network scan by an ASV, and an AOC form |
| Merchant Level 2 | Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form |
| Merchant Level 3 | Compliance level determined by payment brand and acquirer Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form |
| Merchant Level 4 | Compliance level determined by payment brand and acquirer Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form |
| Service Provider levels of PCI Compliance | |
| Service Provider Level 1 | Validation includes an ROC by a QSA, quarterly network scan by an ASV, and an AOC form |
| Service Provider Level 2 | Validation includes an SAQ, quarterly network scan by an ASV, and an AOC form |
Your PCI DSS compliance journey
As you can see, PCI DSS has hundreds of controls and extensive documentation designed to combat data breaches and theft. However, if you’re just starting on your PCI DSS journey, we recommend focusing on a few key points. Here are the four key milestones and estimated timelines to expect on the path to PCI DSS compliance:
1. Scoping
- Determine level of PCI DSS compliance: Merchant Level 1-4, Service provider Level 1-2
- Determine PCI DSS scope: Cardholder data environment, system components, network segments, card data flows, etc.
- Identify applicable SAQ, as applicable
Estimated timeline (without Certification Automation): 2-4 months
Estimated timeline (with Certification Automation): 1-3 months
Save an average of one month’s time scoping for PCI DSS compliance, with Certification Automation’s automated scoping wizard that generates required controls, policies, and evidence tasks, and removes duplicative tasks across security frameworks.
2. Self-assessment
- Perform internal self-assessment
- Fill out SAQ and identify gaps
- Remediate gaps/issues
- Implement controls
- Performs ASV scan (vulnerability scan)
- Engage and appoint QSA, if needed
Estimated timeline (without Certification Automation): 7-12 months
Estimated timeline (with Certification Automation): 2-6 months
Reduce your assessment time by an average of six months by relying on Certification Automation’s automated readiness assessments, expert guidance, intuitive workflows, and centralized policy distribution and attestation tracking.
3. Third-party audit
- QSA performs the review (audit)
- Issues ROC and AOC, if applicable
Estimated timeline (without Certification Automation): 1-2 months
Estimated timeline (with Certification Automation): 1-2 weeks
Save as many as three weeks on the audit process with a central system of record that controls user access and enables real-time collaboration throughout the evidence collection process.
4. Monitoring
- Maintain compliance
- Adhere to evidence collection interval
Estimated timeline (without Certification Automation): 4 months, annually
Estimated timeline (with Certification Automation): 2 months, annually
Save two months every year that you monitor your PCI DSS compliance by automating up to 36% of evidence collection tasks and reinforcing consistent best security practices across your organization.
The next step to PCI DSS compliance
From the outset, all these PCI DSS controls and compliance requirements can be overwhelming. Just remember that PCI DSS is a standardized framework with a range of tools and actionable steps to protect your cardholder data.
Determining your organization’s level of compliance and its specific validation documents will help simplify the process. OneTrust Certification Automation also delivers built-in expertise and automated integrations to speed up the process and guide you through the steps of your PCI DSS compliance journey.
With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance up to 60%, and obtain certifications 50% faster.
