PCI DSS compliance can seem confusing. This article breaks down PCI DSS requirements and how small businesses can meet them.
What Is PCI DSS? Compliance & Requirements for SMBs
This article is part of a larger series on Payments.
The Payment Card Industry Data Security Standard (PCI DSS) is a 12-point security standard that regulates the technical and operational requirements of credit card transactions to protect cardholder data. Merchants who intend to accept credit card payments are required to submit to an annual PCI compliance evaluation.
Key takeaways:
- The PCI Security Standards Council regulates global payment security.
- Any business element involved in payment processing is covered by and should meet PCI DSS guidelines.
- PCI DSS requirements apply to technology, people, and processes that may or may not store, have unrestricted access to, process, or transmit account data.
- Small businesses can work with payment processors that take on some of the responsibilities of PCI compliance.
The 12 PCI DSS Requirements
| Goal | Requirements |
|---|---|
| Build and Maintain a Secure Physical Network | 1. Install and maintain network security controls; 2. Apply secure configurations to all system components |
| Protect Account Data | 3. Protect stored account data; 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems and networks from malicious software; 6. Develop and maintain secure systems and software |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know; 8. Identify users and authenticate access to system components; 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Log and monitor all access to system components and cardholder data; 11. Test security of systems and networks regularly |
| Maintain an Information Security Policy | 12. Support information security with organizational policies and programs |
PCI DSS v3.2.1 will be retired March 31, 2024, and PCI DSS v4.0 will officially be implemented by March 31, 2025. The standards and summary of changes are already available, so those up for annual PCI compliance validation should follow the v4.0 requirements to ensure compliance upon its full implementation. Our article reflects the requirements of v4.0.
Most of the security requirements, in general, call for setting up policies and procedures. Make sure you document the guidelines you put in place for each requirement and update that documentation regularly.
1. Install and maintain network security controls
Network security controls (NSCs), such as firewalls and other network security technologies (virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology), control the exchange of information between two or more systems with access to account data through established rules.
Small business tips for maintaining network security control:
- Identify and monitor the internet connection with access to your business software as well as the security system in place.
- Ensure that strict security measures are imposed on areas where there is an exchange of customer data with outside networks.
- Limit the personnel with access to customer account data to only those whose role includes the actual processing of information.
- Ensure that every computer device with access to customer account data is equipped with security features.
2. Apply secure configurations to all system components
Establish rules against using default passwords, remove unnecessary software, functions, and accounts, and disable unnecessary services to create a secure configuration that reduces the risk of unauthorized access to cardholder and sensitive authentication data.
Small business tips for securing network configurations:
- Implement a regular resetting of passwords for all business computer systems.
- Set rules for creating new passwords.
- Create and document policies that outline a secure process for employees requesting password resets.
- Use secure software for storing passwords for all employees.
- Set up a security system for computer devices that use a wireless internet connection.
3. Protect stored account data
Do not store account data unless it is necessary to maintain normal business operations. All stored account data must be encrypted or otherwise rendered unreadable. Sensitive authentication data must never be stored after authorization.
Small business tips for protecting stored customer account data:
- Avoid saving customer account data unless necessary for processing day-to-day transactions.
- Do not store authentication data such as card verification values (CVV).
- Use encryption technology to securely store primary account number (PAN) data.
- Set up policies for the processing and use of encryption when storing customers’ card and authentication data.
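As an added illustration (not code from the original article), the following Python shows one way to apply the tips above in a small merchant system: drop sensitive authentication data before anything is persisted, keep only a truncated PAN plus a keyed one-way hash instead of the full number, and scan free text for PANs that leaked into logs or notes. It goes slightly beyond the text in that truncation and keyed hashing are alternatives PCI DSS accepts for rendering PAN unreadable alongside encryption; the field names, the HMAC key and the sample transaction are assumptions.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): PCI DSS forbids storing it after authorization.
SAD_FIELDS = {"cvv", "track_data", "pin", "pin_block"}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real PAN-shaped numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate a PAN so at most the first 6 and last 4 digits stay readable."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (HMAC-SHA256): matches repeat cards without storing the PAN.
    The key is an assumption here and must be kept outside the data store it protects."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def storable_record(authorized_txn: dict, key: bytes) -> dict:
    """Derive the record that may be persisted after authorization: SAD dropped, full PAN replaced."""
    record = {k: v for k, v in authorized_txn.items() if k not in SAD_FIELDS and k != "pan"}
    record["pan_masked"] = mask_pan(authorized_txn["pan"])
    record["pan_ref"] = pan_reference(authorized_txn["pan"], key)
    return record

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_exposed_pans(text: str) -> list:
    """Scan free text (logs, notes, exports) for unmasked, Luhn-valid PAN-shaped numbers."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits
```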
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Strong cryptography is the process of using mathematical formulas to encrypt cardholder data being stored or transmitted over a network.
Primary account numbers (PANs) must be encrypted during transmission over untrusted and public networks. Encryption should be added to the data itself as well as the session over which the data is transmitted.
Small business tips for protecting shared customer account data:
- Work with a payment processor that uses encryption technology when sharing cardholder’s PAN, credit card data, and sensitive authentication data.
- Make sure to have your payment processor explain and document the encryption being used for sharing customers’ card and authentication data.
5. Protect all systems and networks from malicious software
Establish protocols and policies that detect and contain malicious software (malware) to prevent the exploitation of a system’s vulnerabilities. Malware is software or firmware designed to infiltrate a computer system to compromise the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Examples: viruses, Trojans, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links.
Small business tips for protecting your network from malware:
- Create an outline of your business plan for detecting and eliminating malware.
- Install, monitor, and regularly update your anti-malware software.
- Identify, create policies, and train staff to protect your computer network from phishing attacks.
6. Develop and maintain secure systems and software
All system components with access to account data must have a security system that is regularly updated with the most recently released critical security patches. Patches should also be applied to less-critical systems in an appropriate time frame, based on a formal risk analysis. Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures.
Small business tips for securing your system and software:
- Create policies, action plans, and regular activities for securing your business system and software.
- Ensure that security measures are in place if implementing custom business software.
- Conduct regular testing to identify and resolve any vulnerabilities in your security system.
- Install security measures for accessing your customer-facing business software.
- Regularly maintain and track all changes to your business software systems.
7. Restrict access to cardholder data by business need-to-know
Systems and processes must be in place to limit access based on need-to-know and least privileges in terms of job responsibilities. “Need to know” refers to providing access to only the least amount of data needed to perform a job. “Least privileges” refers to providing only the minimum level of privileges needed to perform a job.
Small business tips for restricting access to cardholder data:
- Create guidelines that specify the roles that can access customer account data.
- Install a secure storage area (whether software or physical location) to house customer account data.
- Set up a system that records and tracks users who access customer account data.
- Create different user levels with appropriate access settings in your point-of-sale (POS) system to help automate this process.
8. Identify users and authenticate access to system components
Assign a unique identification (ID) to each person with access to system components to ensure that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Small business tips for authenticating access to business systems:
- Create policies for authenticating access to your business software.
- Schedule regular account renewals/updates including resetting of passwords.
- Create a policy for using strong passwords and authentication methods such as two-factor authentication (2FA).
9. Restrict physical access to cardholder data
Physical access to cardholder data or systems that store, process, or transmit cardholder data should be restricted so that unauthorized individuals cannot access or remove systems or hardcopies containing this data.
Small business tips for restricting direct access to cardholder data:
- Create policies for physical access to systems that store, process, or transmit cardholder data.
- Identify roles that can have access to cardholder data.
- Set control systems (manage passwords, records, monitoring) that will regulate the access to facilities and systems that contain cardholder data.
- Removable storage such as memory sticks, removable hard drives, and record notebooks that contain cardholder data should be stored in a secure location. Access should also be monitored and regulated. Devices should be destroyed when no longer used.
- Ensure that your payment processor employs encryption and authentication tools, particularly in areas/sections where cardholder data is exchanged.
10. Log and monitor all access to system components and cardholder data
Logging mechanisms and the ability to track user activities are critical for detection of anomalies and suspicious activities, and for effective forensic analysis. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong.
Small business tips for monitoring access to cardholder data:
- Create policies and procedures for logging and monitoring users with access to your business software and cardholder data.
- Multiple security measures, such as access cards and PIN pads with time stamps, should be required to access systems holding cardholder data.
- Create, maintain, and audit logs of user access to systems that contain cardholder data.
- Maintain and secure all audit logs and historical records from being destroyed.
- Set real-time notification measures in case of security downtime or breach and document an action plan.
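The following Python is an added example, not part of the original article: it writes access-log entries carrying the fields PCI DSS Requirement 10 expects for access to cardholder data (user ID, event type, date and time, success or failure, origin, affected resource), chains them with SHA-256 so later edits or deletions are detectable when the log is audited, and flags users with repeated failed access attempts as candidates for the real-time notification mentioned above. The class name, field names and alert threshold are assumptions.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Fields PCI DSS Requirement 10 expects in every audit entry for access to cardholder data:
# who, what, when, success/failure, where from, and which data or system was touched.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success", "origin", "resource")
GENESIS = "0" * 64

def digest(entry):
    """SHA-256 over the entry minus its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry carries the previous entry's hash (hash chain),
    so editing or deleting earlier entries breaks verification."""
    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    def record(self, user_id, event_type, success, origin, resource, timestamp=None):
        entry = {
            "user_id": user_id, "event_type": event_type,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "success": success, "origin": origin, "resource": resource,
            "prev_hash": self._last_hash,
        }
        entry["hash"] = digest(entry)
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

def verify_chain(entries):
    """True only if every entry has the required fields and the hash chain is unbroken."""
    prev = GENESIS
    for e in entries:
        if any(f not in e for f in REQUIRED_FIELDS):
            return False
        if e.get("prev_hash") != prev or digest(e) != e.get("hash"):
            return False
        prev = e["hash"]
    return True

def failed_access_alerts(entries, threshold=3):
    """User IDs with at least `threshold` failed accesses: candidates for a real-time alert."""
    failures = Counter(e["user_id"] for e in entries if not e["success"])
    return sorted(u for u, n in failures.items() if n >= threshold)
```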
11. Test the security of systems and networks regularly
System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Small business tips for regular testing of business systems:
- Create policies and procedures for testing your business system and network.
- Identify, secure, and monitor wireless network connections that have access to your business system.
- Conduct regular testing of the security you have in place for connections that allow access to your business systems.
- Install a security system that can monitor, detect, and disable unauthorized access to your network and attempts to make changes to your online payment pages.
12. Support information security with organizational policies and programs
All employees should be aware of the sensitivity of payment account data and their responsibilities for protecting it.
Small business tips for creating information security policies and programs:
- Regularly evaluate and update policies to comply with PCI DSS.
- Regularly conduct security awareness education for all employees.
- Conduct background checks on new employees and identify potential threats to information security.
- Ensure that all third-party service providers with access to your business systems are PCI-compliant and regularly monitored.
Benefits of PCI DSS Compliance
The PCI data security standards facilitate better protection of cardholder and sensitive authentication data across all channels with clear and actionable guidelines. These guidelines are versatile—applicable to all types and sizes of organizations, and able to adapt with the growing sophistication of hacking technology.
PCI compliance creates layers of credit card transaction security and lowers the risk of small businesses becoming victims of payment fraud and malicious chargeback claims.
How Small Businesses Can Become PCI-compliant
Anyone involved in processing payments—merchants, service providers, payment processors, and payment gateways—all need to adhere to PCI DSS guidelines.
To obtain PCI DSS certification, merchants should first determine their compliance level. PCI DSS compliance levels are divided according to annual business processing volume. Naturally, a larger transaction volume involves bigger networks and systems that exchange cardholder and sensitive authentication data, and so carries more compliance requirements.
PCI DSS Compliance Levels
| Level | Criteria |
|---|---|
| Level 1 | Businesses processing 6 million+ annual Visa transactions |
| Level 2 | Businesses processing 1 to 6 million annual Visa transactions |
| Level 3 | Businesses processing 20,000 to 1 million annual Visa ecommerce transactions |
| Level 4 | Businesses processing <20,000 annual Visa ecommerce transactions; businesses processing up to 1 million annual Visa transactions (non-ecommerce) |
Small brick-and-mortar businesses usually fall under Level 4 PCI compliance, and online businesses will most likely belong to Level 3. However, merchants with a history of security breaches that resulted in compromised account data may be required to meet a higher level of PCI compliance.
After this, merchants can begin to fulfill PCI DSS requirements by completing the self-assessment questionnaire, undergoing vulnerability scans, and submitting their documentation. Some payment processors can take on some of the merchant’s PCI compliance responsibilities by providing encrypted data security and offering secure cardholder data storage.
Visit our complete guide to PCI compliance for small businesses for details.
Frequently Asked Questions (FAQs)
These are some of the most common questions we encounter about PCI data security standards.
PCI DSS is a set of guidelines that creates high-level protection of cardholder data (account number, cardholder name, expiration date, and service codes) and sensitive authentication data (magnetic stripe and EMV chip data, card verification code, PINs and PIN blocks) against unauthorized access (hackers).
All organizations involved in the collection and exchange of credit card data information—merchants, service providers, payment processors, and payment gateways—are required to observe PCI DSS guidelines.
Unless you run a cash-only business, there is no way to avoid PCI DSS compliance. Non-compliance can cost you anywhere from $20 to hundreds of thousands of dollars per month if a security breach occurs, until you can prove you are compliant.
Bottom Line
PCI DSS requirements ensure that every hardware and software system with access to cardholder information is aptly protected against data breaches. With hacking technology becoming more sophisticated, knowing what PCI DSS is and obtaining a PCI compliance certification is a small price to pay for protecting your merchant account, and ultimately, your business from losing thousands of dollars to credit card fraud.