What is PCI DSS and why do I need it?

Written by Joseph Poppy on 18/01/2019

The importance of PCI DSS

PCI DSS is an incredibly important compliance standard for those processing card payments. It stands for Payment Card Industry Data Security Standard. Whilst that doesn’t exactly roll off the tongue, it is a very resilient set of standard requirements that aims to make a business more secure. A 2018 payment security report revealed that no company affected by a data breach was completely compliant with PCI DSS.

It’s a bit of a jump to suggest that this shows PCI DSS compliance will prevent a business from being hacked. However, it’s interesting to note that in the case of the British Airways hack (in which over 300,000 payment cards were compromised), the flaws that allowed the attackers in would have been grounds for automatic failure where PCI DSS is concerned. The fact is, those who are PCI compliant are going to be more secure than those who aren’t. Should the unfortunate occur at a compliant business, customers may at least feel reassured that it was not down to the business’s negligence.

But what is PCI DSS? What does it involve? Why is it good for businesses? Well, Bulletproof have been providing consultancy services regarding PCI for a long time, so let’s find out.

So what is PCI DSS?

Broadly speaking, PCI DSS is a set of standard requirements covering the technical defences and management processes of a company processing payment card data. Established by the leading card brands, it helps businesses who take and process card payments reduce fraud and protect data. Whilst it is primarily to protect credit and debit card information, the principles of PCI DSS could be used to protect data of any kind.

PCI DSS essentially lays down the foundations of solid security by defining data retention policies, establishing the right encryption and physical security, as well as setting the relevant access control and authentication procedures.

PCI DSS compliance was developed by the PCI Security Standards Council.

Do I need to be PCI DSS compliant?

Without PCI DSS compliance, merchants won’t be able to process any card transactions. In today’s retail environment, that counts for a substantial number of transactions. Card data is also considered personal data, making it subject to GDPR, which mandates that keeping personal information secure is a legal requirement. PCI DSS is the preferred standard and one of the most reliable ways of ensuring this and is often the first thing the Information Commissioner’s Office looks at in the wake of a data breach involving card data.

The global card brands can levy fines against the acquiring banks as a result of non-compliance. These banks can in turn levy fines against merchants if the responsibility of a breach can be shown to be with them. Not being compliant can have devastating financial and reputational consequences if a breach occurs. And as non-compliance indicates a lack of basic security processes, a breach is likely.

The journey to compliance

PCI DSS compliance is an on-going process. Unlike other areas of compliance, it is always evolving, never sticking to outdated processes. This means that it is not a simple case of getting the certificate to say you’re PCI DSS compliant and then forgetting about it. Processes and technology must be continually assessed and improved upon. Your firewall policy may be perfect now, but in the future, you may find it is riddled with holes.

There are three primary functions to PCI DSS: assessment, remediation and reporting. This should cover all technical controls, management processes and business procedures in all areas where card data is used. Within these three functions there are a number of elements to consider.

Let's talk about scope

The amount of work and the expense that will go into achieving PCI DSS compliance is dependent entirely on the set scope. The scope will vary depending on the Self-Assessment Questionnaire (SAQ) you are required to fill in and the number of transactions you process each year.

In order to identify your scope, a certain level of data mapping should be carried out. You must identify all the locations where card data exists. This can include systems that provide services to the cardholder data environment (CDE) and even the website or application where the data is directly entered. If much of this is outsourced to third parties, as is often the case, then the scope is reduced. However, that does not mean the responsibility is passed solely to the third party (more on that later).

Steps can be taken to reduce the scope, such as segmentation and segregation. Bulletproof recommends isolating the environment in which cardholder data sits, as it provides:

  • A reduced surface area that could be attacked, thus lowering the risk of a breach
  • A reduced workload when achieving and maintaining compliance
  • Reduced costs for any hardware, software and management support needed
  • Reduced risk to the business

This is not a requirement of the standard per se, but if it’s not done, then chances are the entire network will be deemed within scope. This one neat trick, along with enforcing some strict access control policies, can save a company both time and money in the long run.

The 12 PCI requirements

There are 12 PCI DSS requirements, with each one having many subsections. For the sake of brevity, we will give a general overview, but the full and up-to-date version of the certification can be found here.

1. Install and maintain a firewall configuration to protect cardholder data

This means that the firewalls and routers within your network infrastructure must be appropriately implemented, tested and managed. The right settings should be in place and these should be regularly updated.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

This one is largely common sense, but you’ll be surprised at how often our penetration testers discover the use of default credentials. This is a big security no-no and is easily remedied. Default credentials must be changed, and default or unnecessary accounts must be removed before anything is implemented into the network.

3. Protect stored cardholder data

If you don’t have to store cardholder data, then don’t. This is one way to avoid the hassle of protecting data and avoid the wrath of the ICO. If you have to store card data, however, ensure that the security in place is enough to satisfy the various legal, regulatory and compliance requirements. This will involve a mix of technical controls and management processes. Implementing a data retention policy will help ensure that data is kept for no longer than necessary.

4. Encrypt transmission of cardholder data across open, public networks

If or when stored card data must be transmitted over networks that are easily accessible, it must be encrypted with strong cryptography. Only trusted keys and certificates should be used, and out-of-date protocols should not be used at all.

5. Use and regularly update anti-virus software

It’s best practice to have up-to-date anti-virus and anti-malware tools operating on all systems throughout a network. For PCI DSS compliance, these certainly have to be applied to systems containing card data. They must be regularly assessed for efficacy, as the threat landscape is always evolving.

6. Develop and maintain secure systems and applications

Change management processes and update schedules are a must. This should be an on-going process. The change management process should be documented, and reputable sources should be checked regularly for information regarding vulnerabilities. All vendor-released patches must be installed as and when they are released. This can be rolled out by policy.

7. Restrict access to cardholder data by business need to know

Only those who need to view stored data in order to carry out their job should have access. This should be a documented system and staff should be aware of any consequences should they try and gain unauthorised access. Ideally, this is a practice that should be present across the entire business. The sales department should not have access to HR records for example. It’s the same principle when it comes to payment data. If you get into the habit of enforcing strong access control measures, you should have no trouble gaining PCI compliance in this regard.

8. Identify and authenticate access to system components

All non-consumer users should be assigned a unique ID, so their actions on the systems can be tracked. This allows for the appropriate level of accountability. If combined with a good password policy, then only those who should have access will have access.

9. Restrict physical access to cardholder data

Physical access to data or, more accurately, to the systems that house cardholder data can allow users to create copies. For this reason, physical access to servers or computers containing data should be restricted to only authorised members of staff and their access should be closely monitored. This can be done through log collection and monitoring as part of a SIEM solution. Electronic locks or other access control mechanisms should be in place and CCTV cameras will add an extra element of security.

10. Track and monitor all access to network resources and cardholder data

Similar to the above, log monitoring (through a SIEM) and the ability to track user activity is critical in detecting and ultimately preventing unlawful or destructive behaviour. With the right alerting in place and with proper analysis all activity can be traced back to a time, a place and even to a specific user.
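As an added illustration of requirements 7, 8 and 10 together (example code, not from the original article or from Bulletproof), the following Python reviews a few constructed cardholder data environment access-log lines and flags events that undermine accountability or need-to-know access, while still tracing each finding to a time, a host and a user. The log format, account names and policy tables are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample CDE access-log lines (not from the article); the format
# "<timestamp> host=<host> user=<id> action=<action> resource=<resource>" is assumed.
SAMPLE_LOG = """\
2019-01-18T09:02:11Z host=cde-db01 user=jsmith action=read resource=cardholder_db
2019-01-18T09:05:43Z host=cde-db01 user=admin action=login resource=console
2019-01-18T09:07:02Z host=cde-app02 user=mjones action=read resource=cardholder_db
2019-01-18T09:10:27Z host=cde-db01 user=jsmith action=export resource=cardholder_db
this line is deliberately malformed and must be skipped rather than crash the review
2019-01-18T09:12:55Z host=cde-db01 user=shared_ops action=read resource=cardholder_db
"""

# Assumed policy tables: requirement 7 lists the unique IDs with a need to know each
# resource; requirements 2 and 8 flag vendor-default or shared accounts (not attributable).
NEED_TO_KNOW = {"cardholder_db": {"jsmith"}}
NON_UNIQUE_ACCOUNTS = {"admin", "root", "shared_ops"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+) resource=(?P<resource>\S+)$")

@dataclass(frozen=True)
class Finding:
    ts: str           # when: requirement 10 traces each event to a time...
    host: str         # ...a place...
    user: str         # ...and a specific user
    requirement: str  # the PCI DSS requirement the event conflicts with
    reason: str

def parse_line(line):
    """Return the event fields, or None when the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_access_log(text, need_to_know=NEED_TO_KNOW, non_unique=NON_UNIQUE_ACCOUNTS):
    """Flag events that break accountability (req. 8) or need-to-know access (req. 7)."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["user"] in non_unique:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], "8",
                                    "shared or default account; action cannot be attributed"))
        allowed = need_to_know.get(ev["resource"])
        if allowed is not None and ev["user"] not in allowed:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], "7",
                                    f"{ev['action']} on {ev['resource']} without need to know"))
    return findings
```

Run against the sample, it reports the default `admin` login and the shared `shared_ops` account under requirement 8, and the two reads of `cardholder_db` by accounts outside the need-to-know list under requirement 7.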

11. Regularly test security systems and processes

New vulnerabilities and methods of attack are always coming to light, so it’s important to regularly test your security systems for any flaws that could be exploited. This could be from vulnerability scans, regular penetration tests or even red team tests. Tests should be performed on any new system added to the network and risk assessments should be conducted when any change is made.

12. Maintain a policy that addresses information security for all personnel

A strong information security policy should be implemented throughout the business. This will inform staff of their responsibilities regarding cyber security and let them know what they can and cannot do.

That was a lot to get through. But if a lot of that sounds like common sense, it’s because it is. Rules such as ‘test your security’ and ‘don’t send sensitive data unencrypted’ should be basic advice followed by everyone, regardless of whether they’re handling card data or not.

Defining the PCI compliance SAQs

The self-assessment questionnaires (SAQs) are the first step towards achieving PCI compliance. There are several different SAQs aimed at a range of businesses or for alternative methods of card processing. Knowing which form you are supposed to fill out can be a puzzler, but your acquiring bank can advise you on which SAQ you need to complete.

Below is a brief overview of each PCI SAQ:

SAQ A: This is aimed at ‘card-not-present’ merchants. These are primarily traders who have outsourced the transmission, processing and/or storage of all card data. Essentially, if you can show that you have nothing to do with the payment information your business takes, you will fill out this SAQ.

SAQ A-EP: This is only for e-commerce traders who use a third party as their payment processor (such as SagePay or PayPal). You will fall into this category if you have a website that doesn’t directly receive cardholder data but can have an effect on the security of the transaction. No information is stored or processed by (or even transferred through) the merchant’s systems or premises.

SAQ B: Merchants who only use:
  • Imprint machines with no electronic cardholder data storage and/or
  • Dial-out terminals with no electronic cardholder data storage

SAQ B-IP: Merchants using only PTS-approved payment terminals with an IP connection directly to the payment processor. No electronic cardholder data storage onsite.

SAQ C-VT: Similar to B-IP, but applicable if you’re instead manually entering transaction details into an internet-based solution provided by a third party, generally via a web browser. This doesn’t apply to e-commerce traders or those who store cardholder data.

SAQ C: This is for those working with a payment application system connected to the internet. This is not applicable to e-commerce merchants.

SAQ P2PE-HW: Those using payment terminals managed via a validated, PCI SSC listed P2PE solution and who don’t store or process electronic cardholder data would opt for this SAQ. Not applicable to e-commerce merchants.

SAQ D: Merchants: this is for any merchant that does not fit into any of the above descriptions. Service providers: service providers, as defined by a legitimate payment brand, are eligible to fill out this SAQ.

Does outsourcing card payments mean PCI is outsourced?

Most merchants, big and small, find it’s a lot more cost-effective to outsource card processing to companies already set up to manage it. Not only does this save money, but it saves a great deal of time and effort.

However, there is a misconception that outsourcing payment card processing equals compliance. Whilst this will somewhat simplify the process, there will still be some work required. For example, you must ensure that the applications and payment terminals used by your provider are compliant. You must ensure you in no way store any card data and have the relevant processes and procedures in place. Even if processing is outsourced to a third party, you are responsible for ensuring you are PCI DSS compliant.

Apply it across the business

The work doesn’t stop once you’ve achieved compliance. It’s an ongoing process and PCI DSS is always updating, and your business will be expected to update with it. New vulnerabilities are always emerging, meaning security has to adapt to keep up. Regular audits are to be expected and proactive changes to processes and procedures will help to no end.

Many elements of PCI compliance can be applied across the business to improve your security. We often say that if you’re doing security right to start with, then becoming PCI compliant won’t require much work. Make compliance work for you and get the most out of it.

Now go forth and be PCI DSS compliant

PCI DSS compliance is by no means a simple process. Some companies are initially put off by the cost, but compliance does not have to be expensive. Adequate scoping can simplify it all, reducing it to the bare minimum. If enough time is taken initially to analyse your organisation (from its tech to its processes) and the cardholder data environment (CDE), gaining compliance can be an affordable and efficient process. What’s more, PCI DSS can end up saving you from some quite hefty fines, meaning the initial cost may be well worth it.

PCI Compliance is an on-going, auditable process that is designed to ensure companies are managing all possible risks associated with collecting, storing, transmitting and processing cardholder information. It exists to help protect both your business and your customers.
