PCI compliance: the complete guide

Lukas Grigas
Cybersecurity Content Writer

The world of commerce has always been one fraught with danger. Fraud, scams, and deceit lurk around every corner, waiting to strike unsuspecting consumers and businesses alike. With the rise of electronic payment methods, the threat of fraud has only grown more dire.

To combat this pervasive danger, the five major credit card companies have collaborated to formulate the Payment Card Industry Data Security Standard (PCI DSS), a comprehensive and rigorous set of guidelines aimed at shoring up the card-processing ecosystem against an array of vulnerabilities.

Today, we offer an in-depth guide that clarifies the standard's compliance requirements and can help companies meet the PCI DSS requirements and so ensure the security of financial data they handle.

What is PCI DSS compliance?

Launched in 2006, the PCI Security Standards Council (PCI SSC) requirements were created to ensure that any organization processing, storing, or transmitting credit card information does so in a secure environment. The PCI SSC has provided a comprehensive framework as well as an array of tools and support resources to help organizations safely accept payment card data.

Originally intended for merchant processing, the PCI SSC requirements have since been expanded to include encrypted internet transactions, and so the Payment Card Industry Data Security Standard (PCI DSS) has become the core component of any credit card company's security protocol.

In short, the work of the PCI SSC is critical to ensuring the safety and security of electronic payment transactions. In a world where cybercrime is becoming increasingly sophisticated, it is more important than ever to protect our financial information. The PCI DSS provides a much-needed layer of protection for consumers and businesses alike, helping to keep our personal and financial data out of the hands of those who would use it for ill-gotten gain.

Who must be PCI compliant?

All businesses that accept, store, or transmit credit card information are required to comply with PCI standards. This includes merchants, service providers, and any other entity that stores or processes credit card data. The size of the business does not matter: all businesses must adhere to the standards, regardless of the number of transactions they process. There is, however, an exception of sorts, and it applies to businesses that only process credit card payments through a third-party payment processor that already complies with the PCI DSS.

Is PCI compliance required by law?

PCI compliance is not required by law, yet it is mandated by the payment card industry to protect sensitive payment card information. Payment card companies such as Visa, MasterCard, American Express, and Discover jointly created the PCI Security Standards Council to establish the PCI DSS requirements. These requirements are enforced through contracts between payment card companies and merchants, which dictate that merchants must comply with the PCI DSS guidelines in order to accept payment card transactions.

While there is no federal law that mandates PCI compliance, individual states may have their own data security laws that require compliance with PCI DSS guidelines. Additionally, failure to comply with PCI DSS guidelines can result in hefty fines — which depend on the scope and severity of the violation and can be as high as $500,000 per month — from payment card companies as well as damage to a merchant's reputation. So, while PCI compliance is not technically required by law, it is a critical component of protecting payment card information and avoiding significant financial consequences.

PCI compliance for businesses

To achieve PCI compliance, businesses must adhere to a set of requirements outlined by the PCI SSC. These requirements cover a range of security measures that businesses must implement to protect payment card data. It is also important to note that PCI compliance for small businesses and for large organizations does not differ all that much. In most instances, organizations, regardless of their size, will have to implement the same security measures.

What is the current PCI DSS standard?

The current PCI DSS standard is version 3.2.1, which was released in May 2018. The standard includes 12 detailed requirements — along with specific guidelines for businesses that process payments through e-commerce platforms, mobile devices, and other emerging technologies — that are organized into six categories:

  1. Build and maintain a secure network and systems.

  2. Protect cardholder data.

  3. Maintain a vulnerability management program.

  4. Implement strong access control measures.

  5. Regularly monitor and test networks.

  6. Maintain an information security policy.

PCI DSS 12 requirements

The following are the 12 requirements of PCI DSS:

  • Install and maintain a firewall configuration to protect cardholder data

    Firewalls must be implemented to secure data from external threats. Firewalls can be hardware or software based and act as a barrier between a business's internal network and the internet.

  • Do not use vendor-supplied defaults for system passwords and other security parameters

    Default passwords must be changed to unique, complex passwords to prevent unauthorized access. Businesses should use two-factor authentication for added security.

  • Protect stored cardholder data

    Cardholder data should be encrypted during transmission and storage to prevent unauthorized access. Encryption keys must be securely stored and managed.

  • Encrypt transmission of cardholder data across open, public networks

    Sensitive data should be transmitted using secure protocols such as SSL or TLS. Businesses should avoid transmitting sensitive data via email or unencrypted FTP to limit the chances of unintended exposure.

  • Use and regularly update anti-virus software

    Antivirus software must be installed on all systems that store, process, or transmit cardholder data. The software should be updated regularly to ensure it is effective against the latest threats.

  • Develop and maintain secure systems and applications

    Businesses must develop and maintain secure systems and applications that are free of vulnerabilities that could be exploited by attackers.

  • Restrict access to cardholder data to only those who need to know

    Access to cardholder data should be restricted to individuals with a business need to access such data. Businesses must implement strict access controls to ensure that only authorized individuals can access cardholder data.

  • Assign a unique ID to each person with computer access

    Each individual with computer access must have a unique user ID to ensure accountability and traceability. Shared user IDs must be avoided.

  • Restrict physical access to cardholder data

    Businesses must restrict physical access to cardholder data by implementing physical security measures such as locks, surveillance cameras, and access control systems.

  • Track and monitor all access to network resources and cardholder data

    Businesses must monitor all access to network resources and cardholder data to detect and respond to any unauthorized access or activity.
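The "protect stored cardholder data" requirement above is the one most often tripped over in practice, because card numbers tend to leak into places such as application logs that were never designed to hold them. The following Python script is an added example (not code from the article or from NordPass) showing three defensive controls a practitioner would apply: masking a primary account number (PAN) for display so that at most the first six and last four digits are visible, rendering it unreadable for storage with a keyed one-way hash (HMAC-SHA256; the key is assumed to live in a key-management system, not beside the data), and scanning text such as log lines for Luhn-valid PAN-like numbers so they can be found and redacted. The log lines, the key, and all function names are constructed for this example; the card numbers are the publicly documented Visa and Mastercard test numbers.

```python
"""Added example: PAN masking, keyed one-way hashing and log scanning.
Not from the article; function names, sample log and key are assumptions."""
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(match_text: str) -> str:
    """Strip the separators the regex allowed so the digits can be checked."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN-like number (separators removed) in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form.

    Digit runs that fail the Luhn check (order numbers, request ids) are
    left untouched, so the rest of the log stays usable."""
    def _sub(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of a PAN for storage or lookup without the PAN.

    A plain unkeyed hash is brute-forceable because the PAN space is small;
    the HMAC key must be kept in a key-management system, never next to
    the hashed values (assumption: caller supplies the key from there)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample log lines (not real traffic). The card numbers are the
# public Visa and Mastercard test numbers; the request id is Luhn-invalid.
SAMPLE_LOG = """\
2023-05-02T10:14:07Z INFO checkout ok card=4111111111111111 amount=19.99
2023-05-02T10:14:09Z INFO refund card=5500 0000 0000 0004 amount=5.00
2023-05-02T10:14:11Z DEBUG request-id=1234567890123456 status=200
"""

if __name__ == "__main__":
    # Constructed demo key; in production fetch it from key management.
    demo_key = b"constructed-demo-key-not-for-use"
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), pan_token(pan, demo_key)[:16] + "...")
    print(redact_pans(SAMPLE_LOG))
```

Running the script lists the two test card numbers found in the constructed log (masked, with a truncated token) and prints the log with those numbers redacted while the Luhn-invalid request id is left as it was. The same `find_pans` scan run over real log directories is a cheap way to verify that cardholder data is not being written where the requirement says it must not be stored in the clear.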

PCI Approved Scanning Vendor (ASV)

To ensure that businesses are complying with PCI DSS requirements, the PCI SSC has approved a number of third-party vendors to conduct vulnerability scans and penetration testing.

These vendors are known as Approved Scanning Vendors (ASVs) and must meet strict requirements to be approved by the PCI SSC. Businesses must engage an ASV to conduct quarterly vulnerability scans to identify any security vulnerabilities in their systems and provide reports that businesses can use to improve their security.

NordPass Business and PCI DSS compliance

NordPass Business is designed in such a way that it can significantly help organizations comply with the PCI DSS.

With NordPass Business, companies can create strong, unique passwords for each account, assign roles and permissions to control access to sensitive data, support multi-factor authentication, track password-related activity, and store passwords securely with advanced encryption and security protocols.

These features help companies meet several PCI DSS requirements, such as not using default passwords, restricting access to payment card data, authenticating access to system components, monitoring access to network resources and cardholder data, and maintaining information security policies for all personnel.

Overall, NordPass Business is a powerful solution for organizations looking to achieve and maintain PCI DSS compliance while improving overall security and productivity.
