A huge cyberattack became news in 2020 when Warner Music Group’s payment processes were compromised. In a PCI compliance breach, the hackers planted digital credit card skimmers on Warner’s websites, capturing the card numbers, CVVs, and expiration dates of more than 1,000 customers. This data was later sold on the dark web. Without specific efforts to become PCI DSS compliant, global enterprises like Warner remain at risk of such attacks. Read this blog article to discover the 12 secure system requirements for PCI compliance, and how to find suppliers who work hard to provide a high level of data security, like Trustpair.
To work with a fraud prevention platform that works with the highest security standards, request a demo!
PCI compliance: what is it?
The five biggest global players in the payment card industry (PCI) formed an official group in 2006, known as the PCI Security Standards Council (SSC). This group was made up of representatives from Visa, Mastercard, American Express, Discover and JCB.
It might seem strange that all of the biggest competitors in an industry would join together – but to them, it was the entire reputation of the payment card industry at stake. Creating a standardized international cybersecurity protocol could protect this reputation, and build trust among the public.
It would ensure they all protected their user data, and hold new vendors accountable as they enter the industry. In turn, the security standards should lead to a decrease in data breaches or fraud events, and increase overall trust by cardholders themselves. The members were hoping that this could play a part in increasing wallet share: ensuring consumers and stores paid with cards instead of cash.
The security standards and systems were created on behalf of any company that takes payment by card. They act as a guideline of good practices, and enable smaller and emerging organizations to meet the same level of security as those global conglomerates.
These PCI standards are here to reassure consumers and businesses that execute transactions by card, to buy products or services. They’re here to say “This is a valid business that respects security standards and requirements when it comes to your card data. Your bank details won’t end up on some sketchy website or in the hands of fraudsters.”
Levels of PCI Compliance
There are four levels of PCI DSS Compliance. Of course, any company processing card transactions is advised to comply with the regulation, but it’s not a legal requirement. However, since these are the industry giants, non-compliance could make it hard to win contracts and integrate with third parties.
The level of compliance for each company depends on the volume of payments made annually.
Businesses that process more than six million payments every year come under level 1 compliance, as they operate with the highest level of risk. This level also applies to companies that have experienced a previous data breach, as it’s the most strict level of regulation. Here are the level 1 requirements:
- Undergo an assessment by an external Qualified Security Assessor (QSA) for an annual report
- Undergo a quarterly vendor and network security scan by an Approved Scanning Vendor (ASV) to ensure good supplier management and protect the P2P process
- Attest to their own compliance and eligibility for onsite assessments
Organizations that process under six million transactions per year will fall under levels 2-4, and must comply with the same requirements for the most part. In order to comply, they must:
- Fill out an annual self-assessment questionnaire regarding their security standards
- Undergo a quarterly vendor and network security scan by an Approved Scanning Vendor (ASV)
- Attest to their own compliance (without onsite assessments)
The key differentiator between a merchant that only processes 20,000 card payments a year (level 4) and an organization that processes over 1 million (level 2) is the type of self-assessment questionnaire they must fill out.
The 12 requirements to be PCI compliant
There are twelve principles of PCI DSS (with more than 300 sub-requirements beneath them), and businesses must adhere to each of these rules to prove their compliance.
The difference between these principles and the compliance levels described above is that the 12 data security standards (DSS) mirror the PCI security framework itself. The measures span the whole payment process, from payment initiation to data storage after the transaction. Each principle includes examples of steps that organizations can take to comply, and the reporting steps above serve to validate those efforts.
1. Network security controls
Network in this case refers to the internet connection, and to ensuring that the transaction can occur securely even over public wifi. Organizations must control the connections between trusted and untrusted networks, and use security controls such as firewalls to mitigate the risks.
2. Secure configurations for systems
Each component of the payment system must be clearly defined and secured. For example, businesses should change passwords from their default settings as part of their security process. They should also remove unnecessary software and services, which can be discovered and serve as a point of exploitation for fraudsters.
3. Protect stored account data
This requirement ensures that cardholder account data storage is kept to only what is necessary and defined. Moreover, sensitive authentication data, such as the CVV, cannot be stored or copied at all.
Stored data is usually protected with cryptography: the data is encrypted so that it stays unreadable even if an unauthorized party gains access to it, since recovering it requires the cryptographic key.
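To make requirement 3 concrete, here is a small added example (not code from the original article or from Trustpair) showing how a merchant's backend can reduce an authorization message to the minimum that may be retained: the CVV is never written, the PAN is kept only as a masked display value plus a keyed token for matching, and a write gate rejects any record carrying sensitive authentication data. The key and the field names are constructed for the example.

```python
import hmac
import hashlib
import re

# Constructed key for the example only; a real deployment keeps it in a KMS/HSM,
# never in source code.
TOKEN_KEY = b"example-key-do-not-use-in-production"

# Fields PCI DSS classes as sensitive authentication data: never retained after
# authorization, not even encrypted. Field names here are assumptions.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first 6 and last 4 digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash token: lets systems match a card without holding the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def assert_no_sensitive_auth_data(record: dict) -> None:
    """Write gate: refuse to persist anything that still carries CVV/PIN/track data."""
    leaked = SENSITIVE_AUTH_FIELDS & {k.lower() for k in record}
    if leaked:
        raise ValueError(f"sensitive authentication data in record: {sorted(leaked)}")


def to_storable_record(auth: dict) -> dict:
    """Reduce a constructed authorization message to the fields that may be kept."""
    pan = re.sub(r"\D", "", auth["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    record = {"pan_token": tokenize_pan(pan), "pan_masked": mask_pan(pan),
              "expiry": auth["expiry"], "cardholder": auth.get("cardholder", "")}
    assert_no_sensitive_auth_data(record)   # the CVV from `auth` is deliberately dropped
    return record
```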
4. Protect data during transmission over public networks
Similar to the last requirement, this rule means that card payment merchants must use cryptography to protect the primary account number (PAN, also known as the long card number) while it is in transit.
Since public networks are “open”, in that anyone can access them, data transferred over these networks is considered less secure (even in this age of digital transformation). By encrypting this data, firms continue to protect it even if malicious parties intercept it.
5. Protect against malicious software
Businesses must implement anti-malware and anti-phishing controls to protect against malicious software attacks. They should assess the entire process from start to finish to determine any vulnerabilities. From there, it’s about putting anti-malware blockades into the system to prevent compromise.
6. Develop secure systems
While this requirement may seem fairly broad, it has several key constraints:
- Develop bespoke and custom software securely, so that the payment, cardholder data, and storage systems are protected
- Risk assessment for vulnerabilities
- Protect public-facing websites or apps against attacks
- Ensure that any updates or changes are managed securely
7. Restrict digital systems and data access
This rule maps to the creation of access rights, which grant certain individuals access to the system or its data based on their credentials. By applying ‘least privilege’, each member of staff has only the minimum amount of access required to do their job.
Hospital workers in the UK made recent headlines after they attempted to access the private medical records of Kate Middleton – abusing their roles and responsibilities by accessing extra information. Restrictions should not only prevent unauthorized access from outsiders, but also act as internal controls that prevent fraud.
8. Identify and authenticate users
As part of any card payment, merchants must establish who the payee is, and authenticate that they are in fact who they claim to be. Account identification is typically managed through multi-factor authentication (MFA or 2FA).
Under Strong Customer Authentication (SCA) regulation, two of the following three account validation measures must be satisfied:
- Something you know (such as a password)
- Something you are (such as a fingerprint or facial ID scan)
- Something you have (such as a one-time code sent to the phone number)
9. Restrict physical access
Company HQs, hard drive storage centers, and any physical site from where data can be accessed must be restricted. This rule has three separate parts:
- Restrictions to sensitive areas of the business, which only a small number of people are authorized to access: such as automatic doors that require a specific employee ID badge to be scanned to open
- Restrictions to the cardholder data environment: such as ensuring any media is not tampered with or destroyed
- Restrictions outside the physical boundary of a business premise: such as a security guard who checks visitor ID and logs these records in case they’re required in the future
10. Monitor and log access
Access must be monitored and logged for later auditing. These audit logs should be available at any time and should follow the WORM (write once, read many) rule, as found in other regulations such as FINRA’s Know Your Supplier. This ensures they cannot be edited after being recorded.
Logging benefits card payment institutions in two primary ways:
- By having accurate records, auditors can find what they need quickly when they are investigating a data breach
- By recording access permanently, potential fraudsters are warned away from committing crimes and attempting to gain unauthorized access
11. Test security systems regularly
Penetration testing is a requirement for most technologies since it enables businesses to plug points of exploitation. This ensures that internal and external vulnerabilities can be identified, prioritized, and addressed. Testing is a crucial part of fraud prevention.
Moreover, companies can set up controls to detect unauthorized access, changes to digital infrastructure, and intrusion into their wireless network access points.
12. Implement organizational policies
Finally, as part of governance requirements, the payment card industry requires its members to develop policies and procedures around:
- Protecting the entity’s information assets
- End-user technology guidance
- How their compliance with PCI DSS is managed
- Ongoing education and training for data security
- Anti-money laundering due diligence
- Relationships with third-party service providers (TPSPs)
- Response plans for when an incident is detected
Payment Card Industry Compliance
PCI compliance requires companies to know their regulations and map data flows preemptively. By implementing controls and security protocols, entities can ensure they comply with PCI DSS. Plus, always use trusted vendors; Trustpair is PCI compliant and works hard to provide a high level of data security, protecting businesses from payment fraud. Our fraud prevention software ensures maximum security of the entire payment chain, thanks to automated account validation.