PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards requiring that all companies accepting, processing, storing or transmitting credit card information, or that could impact the security of cardholder data as service providers, maintain a secure environment. Being found noncompliant, either through assessment by your QSA (Qualified Security Assessor) or after a data breach, can result in fines in excess of US $100,000 per month.

Planet Network

Quasar Scan can support you to easily remain PCI compliant, to avoid these damaging fines, and to protect your valued customers’ personal data.

The PCI DSS (Payment Card Industry Data Security Standard) is a standard developed by the card schemes to help make sure that there is a baseline level of security for all credit and debit card transactions. You have a contractual obligation to your acquiring bank to abide by the controls in PCI DSS: by facilitating cardholder data payments, you have signed an agreement to be PCI compliant. As the number of transactions increases, so too does your acquirer’s scrutiny of your operations. If you are not on top of your obligations, it really is a case of ‘when’ you’re caught out, not ‘if’!

If you store cardholder data (or even if you think you don’t), you are at risk of experiencing a data breach. To mitigate that risk, PCI compliance is the minimum obligation you’ve agreed to meet with your acquiring bank. By not being PCI compliant, you are in danger of operational disruptions, crippling fines, and damage to your valued customers’ lives and your business’ reputation. You can also be fined in excess of US $100,000 per month after a data breach, from the time your non-compliance started until the non-compliance is resolved.

The PCI Security Standards Council (SSC) defines account data as consisting of cardholder data and/or sensitive authentication data.

At a minimum, ‘cardholder data’ consists of the full PAN (the unique payment card number that identifies the issuer and cardholder account). It can also include the full PAN plus any of the following:

  • Cardholder name
  • Expiration date
  • Service code

Sensitive Authentication Data is the information used to authenticate cardholders and/or authorise payment card transactions. It includes: full track data (magnetic stripe or equivalent on a chip), CAV2, CVC2, CVV2, CID, PINs, and PIN blocks.

We get asked this question by a large number of companies and organisations. Even if you never touch card data, in every case there is a minimum standard of obligation you need to meet. The first thing you need to do, though, if you want to reduce your compliance requirements, is to make sure that you aren’t actually storing cardholder data. We often find that even people who don’t intentionally store cardholder data do so without realising it! In any case, the answer is yes: if you are a merchant facilitating payments, or if you’re a service provider that could impact your customers’ cardholder data environment, you do have to comply with PCI DSS.

Merchants of all sizes are categorised into one of the four merchant levels. Where you sit is based on your transaction volume in a 12-month period as defined by the individual card schemes.

Visa and Mastercard define the merchant levels as:

  1. Any merchant processing over 1 million credit / debit transactions per year
  2. Any merchant processing 1 to 6 million credit / debit transactions per year
  3. Any merchant processing 20,000 to 1 million credit / debit e-commerce transactions per year
  4. Any merchant processing fewer than 20,000 credit / debit e-commerce transactions per year, and all other merchants processing up to 1 million credit / debit transactions per year.

Note that any merchant that has experienced a data breach may get moved to a higher level.

PCI DSS has up to 256 requirements that could apply to your environment, depending on how you accept payments, whether you are a merchant, service provider, issuer, or multi-tenant service provider, and whether you store account data. By not storing account data, approximately 25 of these requirements immediately become not applicable. The best way to reduce your scope and make it easier to maintain PCI compliance is to make sure you don’t store account data.

One of the tenets of PCI compliance is that if you don’t need the account data, then don’t store it. Unfortunately though, that’s a lot easier said than done! Businesses and organisations are busy and ever-changing. At-risk data hides in hard-to-reach or inconsistent places, and credit card details are difficult to separate from similar data such as phone numbers and other codes.

There are two ways to stay on top of whether you have stored credit card data: either manually (as in someone eyeballing millions of files and folders) or via a scanner. Having to search through your enterprise’s data manually can take many hours and be extremely expensive, so that’s where a scanning tool can save you time and money. But you’ve got to choose wisely, as low-quality scanners will still leave you with hours of expensive labour sorting through false-positive results. Quasar Scan will discover and report back where the risk areas are in your enterprise, with extremely high precision.
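To illustrate the discovery problem described above, here is an added example (not Quasar Scan’s code, and not the page’s own) of the basic filtering a card-data scanner performs: it pulls 13 to 19 digit candidates out of text, drops phone numbers and reference IDs that fail the Luhn check, and reports each hit masked so the report itself does not become a new store of PAN. The sample lines and the 13-digit vs. Luhn thresholds are assumptions constructed for the demo; the two PANs are the widely published Visa and Mastercard test numbers.

```python
import re

# Constructed sample input (not real data): two well-known test PANs that
# pass the Luhn check, plus a dial string and an order reference that do not.
SAMPLE_LINES = [
    "order 8812 paid with card 4111 1111 1111 1111 exp 09/27",
    "callback: 0011 61 2 9876 5432 (Sydney office)",
    "refund ref 1234567812345678 processed",
    "stored mc: 5555-5555-5555-4444 name=J Smith",
]

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real PAN passes; most phone numbers and IDs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, a display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return masked PANs found in one line; Luhn failures are treated as false positives."""
    hits = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan(lines) -> list:
    """(line_number, masked_pan) for every finding; the clear PAN never leaves find_pans."""
    return [(n, masked) for n, line in enumerate(lines, start=1) for masked in find_pans(line)]


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LINES):
        print(f"line {n}: possible PAN {masked}")
```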

No, card scanning is not mandatory as part of PCI DSS. However, using a card scanning tool like Quasar Scan is recommended, as it will definitely support your ability to always remain compliant. There are two main ways that Quasar Scan can help meet your PCI requirements:

  • Allows you to attest to the fact that you are not storing cardholder data and generates evidence to show this – a key foundation for using a reduced scope such as a Self-Assessment Questionnaire (SAQ)
  • Helps you define your PCI scope to meet Reqs. 12.5.2 and 12.5.3 which consider the use of a data discovery tool as a good practice to identify all sources and locations of PAN as well as to find PAN that resides outside of the currently defined CDE

Making sure that your organisation or business isn’t storing data you don’t need is the best first step you can take, and it also reduces the effort of achieving compliance. Taking PCI compliance seriously also shows your commitment to keeping your customers’ data safe, and protects your business against damaging data breaches.

The first time your bank tells you that you need to demonstrate PCI DSS compliance is usually quite stressful, because you may not even know what that means. Before you even start considering what you need to do to be PCI compliant, you need to understand whether there are any key areas of risk due to storing account / cardholder data. If you haven’t been on top of your data with a tool like Quasar Scan, you’ll want to identify any locations where you are storing cardholder data, so you can decide whether you really need this data or can get rid of it, and hopefully minimise your scope.

After that, you can focus on the systems that process or transmit cardholder data. By understanding where you might have the highest levels of risk and then taking steps to minimise it, you can make the next steps of your PCI compliance journey significantly easier.

If you have a data breach, your acquiring bank will be breathing down your neck asking for proof of PCI DSS compliance. If you’ve said in the past that you aren’t storing cardholder data (remember when you attested to that in your SAQ?), you’ll need to prove that you are not storing cardholder data if you can.

You’ll need to get a QSA (Qualified Security Assessor) involved to complete an assessment of your enterprise’s environment and the scope. Depending on the scale of your data breach, you may need to get forensics (such as a PFI – PCI Forensics Investigator) involved. Once safe to do so and any forensic investigation is complete, the QSA would then perform a scan (this is what Quasar Scan does), to make sure there is no cardholder data at risk. By getting rid of any cardholder data as soon as possible, you lessen the risk for further data to be compromised.

Even small-scale merchants, for example a one-person retailer, are required to be PCI compliant. If you have a breach, even if you have fewer than 1,000 transactions per year, your bank will still ask for proof of your PCI compliance signed off by a QSA.

Even in normal circumstances, according to pcisecuritystandards.org, to satisfy the requirements of PCI compliance, a Level 4 merchant must:

  1. Determine which Self-assessment Questionnaire (SAQ) your business should use to validate compliance, and then complete the questionnaire
  2. Complete, obtain, and submit evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), along with any other requested documentation to your acquirer.

Every one of the SAQs (except for SAQ D with all of the PCI controls) will ask you to attest to the fact that you aren’t storing account data and therefore are eligible to use that SAQ. When you sign the SAQ, you are confirming that you have validated that you don’t store account data.

Eliminate the fear of the unknown. Find your at-risk cardholder data now!